DFS #5: Which folders have been opened? (Shellbags)

Can you tell if a folder was opened on a system? 

There may be a time in your investigation when you must confirm whether or not a specific user has opened a folder/directory on a Windows system. Definitive knowledge of this can benefit intellectual property theft cases, or even help refute claims in CP cases. Regardless of the severity of the situation, it is helpful to know which folders a user has actually opened.

Can I find out which folders/directories a specific user has opened?

The shorthand answer:

The Windows Shellbags artifact records which folders a user has opened (including folders that have since been deleted or removed), along with details about the Explorer window’s position and size on screen. The data is user-specific and lives in the user’s NTUSER.dat and USRCLASS.dat hives. It can be correlated with other artifacts such as Windows Prefetch, the thumbnail cache, and LNK files to build a fuller timeline of the user’s movement through the file system. Because shellbag data can be deleted from the system, it should never be the only artifact you rely on.

Shellbags:

The Windows operating system is built around ease of use for the user. One of these conveniences is that the system automatically remembers where a File Explorer window was positioned on screen and the exact size of that window. If the user closes the window and later reopens the same folder, it appears in the same location and at the same size as before. This is a convenience feature of Windows, but it is also valuable to investigators: because the setting is stored per folder, its presence tells you which folders the user has viewed. Shellbags will tell you:

  • Folders on the system that have been opened by the user.
  • Folders that have been opened by the user from an attached external drive.
  • Folders that have been deleted.
  • Date the folder was created, modified, and accessed on.
  • First/last interaction dates of the folder.
  • The containing volume’s file system.

This artifact does vary in both retrievable content and requirements between Windows versions. Therefore, it is beneficial to know the limitations of the version of Windows you are working with, and what you will need in order to view said data.

Details:

  • Windows XP: tracks both the folder window position/size on screen and the icon positions within those folders. All shellbag data for Windows XP can be found in the user’s:
    • NTUSER.dat (C:\Users\<user>\NTUSER.dat)
  • Windows Vista and later: tracks the window position and size of every folder the user has opened. Only icon positions on the Desktop are logged; they can be found under ‘Bags\itemPosxx’. Data for deleted and removed folders remains on the system. Shellbag data is split between the user’s:
    • NTUSER.dat (C:\Users\<user>\NTUSER.dat)
    • USRCLASS.dat (C:\Users\<user>\AppData\Local\Microsoft\Windows\USRCLASS.dat)
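To make concrete what those hives actually store, here is an added example (not from the original post or any of the tools it lists) that walks a BagMRU-style tree and recovers the folder names, the MRU order, and the DOS-packed modification timestamps from the raw shell item blobs. In a real hive the same values sit under Software\Microsoft\Windows\Shell\BagMRU (NTUSER.dat) and Local Settings\Software\Microsoft\Windows\Shell\BagMRU (USRCLASS.dat); the tree below is constructed sample data, it starts below an assumed C: drive item, and it only parses file-entry items (class 0x31/0x32), not root or volume items.

```python
import struct
from datetime import datetime

def dos_datetime(date, time):
    """Decode an MS-DOS (FAT) packed date/time pair; (0, 0) means 'not set'."""
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_file_entry(item):
    """Fixed header of a file-entry shell item (0x31 = dir, 0x32 = file): size(2),
    class(1), pad(1), filesize(4), DOS mod date(2), DOS mod time(2), attrs(2), then
    the null-terminated ASCII short name. The 0xBEEF0004 extension block that
    carries created/accessed times and the long name follows and is skipped here."""
    cls = item[2]
    if (cls & 0x70) != 0x30:
        raise ValueError("not a file entry shell item: class 0x%02x" % cls)
    _fsize, mdate, mtime, attrs = struct.unpack_from("<IHHH", item, 4)
    name = item[14:item.index(b"\x00", 14)].decode("ascii")
    return {"name": name, "is_dir": bool(attrs & 0x10), "modified": dos_datetime(mdate, mtime)}

def mru_order(mrulistex):
    """MRUListEx: little-endian uint32 value indices, most recent first, ending in 0xFFFFFFFF."""
    idx = struct.unpack("<%dI" % (len(mrulistex) // 4), mrulistex)
    return [i for i in idx if i != 0xFFFFFFFF]

def walk_bagmru(key, path=()):
    """Yield (path, modified, NodeSlot) for every folder below this key. NodeSlot links a
    BagMRU key to the matching Bags\<n> key that holds the window position/size."""
    for i in mru_order(key["MRUListEx"]):
        entry = parse_file_entry(key[str(i)])
        full = path + (entry["name"],)
        child = key.get("subkeys", {}).get(str(i), {})
        yield "\\".join(full), entry["modified"], child.get("NodeSlot")
        if "MRUListEx" in child:
            yield from walk_bagmru(child, full)

def _item(name, dos_date, dos_time):
    """Build a constructed class-0x31 directory item (attrs 0x10) for the sample tree."""
    body = struct.pack("<BBIHHH", 0x31, 0, 0, dos_date, dos_time, 0x10) + name.encode() + b"\x00"
    return struct.pack("<H", len(body) + 2) + body

# Constructed sample: alice was opened more recently than bob at the Users level.
SAMPLE_BAGMRU = {
    "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
    "0": _item("Users", 0x4E21, 0x5A00),                       # 2019-01-01 11:16:00
    "subkeys": {"0": {
        "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
        "0": _item("bob", 0x4E21, 0x5A00), "1": _item("alice", 0x4E21, 0x5A00),
        "subkeys": {"1": {"NodeSlot": 7, "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
                          "0": _item("Secret", 0x5041, 0x6B2E)}},  # 2020-02-01 13:25:28
    }},
}

def opened_folders(root=SAMPLE_BAGMRU, drive="C:"):
    """List (full path, modified, NodeSlot) tuples, most recently used first at each level."""
    return [(drive + "\\" + p, m, slot) for p, m, slot in walk_bagmru(root)]
```

The same walk applied to a real hive (after extracting the value data with a registry parser) is what the GUI tools in the next section do for you.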


Tools:

Although it is possible to decode shellbag data manually from hex using the many online format references, or automatically with FTK/EnCase features, here are some cheaper third-party alternatives:

ShellBagsView: A simple GUI that interprets the shellbags data and visualizes it for the user. Works with all versions of Windows after Windows XP (https://www.nirsoft.net/utils/shell_bags_view.html).

Shellbags Explorer: A GUI that interprets the shellbags data and displays it (https://ericzimmerman.github.io/#!index.md).

sbag: A command line tool that will interpret shellbag data, with numerous import/export options and parameters (https://tzworks.net/prototype_page.php?proto_id=14).


Casetypes:

There is an endless list of situations where this artifact could benefit an investigation, if you think out-of-the-box enough. In an intellectual property theft case, you may be looking for unauthorized access to a folder. In the same scenario you could also be looking for the names/metadata of folders on a detected removable device. In a CP case, you may use this artifact to prove that the user account was aware of a specific folder on the machine, because it was opened. Due to its MRU (Most Recently Used) nature, you may also find it useful for seeing which folders an intruder accessed on a system. Perhaps you are simply curious about the name of a recently deleted folder on the machine and want to check shellbags for help. However you justify it, this artifact can be helpful in many cases.
