Course 21 - Digital Forensics: Windows Shellbags | Episode 3: ShellBag Forensics: Practical Validation and Timestamp Analysis

Published 3 months, 3 weeks ago
Description
In this lesson, you’ll learn about:
  • Practical ShellBag Forensics Workflow
    • How ShellBags function as registry-based artifacts that record user folder interaction and view preferences.
    • The full investigative cycle: evidence creation, acquisition, analysis, and validation.
  • Registry Hive Acquisition
    • Creating controlled user activity (e.g., test folders) to deliberately generate ShellBag evidence.
    • Exporting NTUSER.DAT from the root of the user profile and USRCLASS.DAT from the AppData directory using FTK Imager.
    • Required system configuration steps, including enabling hidden files and protected operating system files, to access locked registry hives.
  • Interpreting ShellBag Timestamps
    • Understanding the forensic meaning of Last Write Time, which reflects either the first folder access or a change in folder view settings.
    • Differentiating embedded MAC times (Created, Modified, Accessed) as historical snapshots captured when the ShellBag entry was first generated.
    • Correctly handling UTC/GMT timestamps and applying local time offsets to ensure accurate forensic timelines.
  • Validation Through Controlled Experiments
    • Demonstrating that changing folder view options (such as switching to large icons) updates the Last Write Time without altering embedded MAC timestamps.
    • Recognizing normal conditions where certain directories—such as system folders or hard-coded shortcuts—do not contain MAC times.
  • Evidence Location Awareness
    • Knowing where user-specific ShellBag data resides within the Windows registry structure.
    • Understanding how these locations support user attribution and timeline reconstruction during forensic investigations.
By the end of the episode, you’ll be able to confidently extract ShellBag-related registry hives, correctly interpret their timestamps, and validate user activity findings through repeatable forensic testing.
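The timestamp interpretation outlined above, as an added Python example that is not part of the episode or the course materials: it decodes a registry key LastWrite FILETIME (always UTC) and the embedded DOS-format Created/Modified/Accessed fields of a file-entry shell item, then renders both on one local clock. It assumes the standard file-entry item layout (type 0x31, Modified at offset 8, Created/Accessed in the 0xBEEF0004 extension block) and uses a constructed sample item, not data from the course.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-ns ticks since 1601-01-01, stored in UTC (key LastWrite).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Little-endian signature of the 0xBEEF0004 extension block (Created/Accessed times).
BEEF0004 = b"\x04\x00\xef\xbe"

def filetime_to_utc(ticks: int) -> datetime:
    """Decode a key LastWrite FILETIME into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def dos_to_datetime(date_word: int, time_word: int):
    """Decode a FAT/DOS date+time pair (2-second resolution, local time of the
    system that wrote it). A zeroed pair means no MAC time was recorded."""
    if date_word == 0 and time_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def mac_times_from_file_entry(item: bytes) -> dict:
    """Modified sits in the item header (offset 8); Created/Accessed sit in the
    0xBEEF0004 block at +4 and +8 from its signature. Missing fields yield None."""
    times = {"created": None, "modified": None, "accessed": None}
    if len(item) >= 12:
        times["modified"] = dos_to_datetime(*struct.unpack_from("<HH", item, 8))
    sig = item.find(BEEF0004)
    if sig != -1 and len(item) >= sig + 12:
        times["created"] = dos_to_datetime(*struct.unpack_from("<HH", item, sig + 4))
        times["accessed"] = dos_to_datetime(*struct.unpack_from("<HH", item, sig + 8))
    return times

def timeline(lastwrite_ticks: int, item: bytes, local_offset_hours: int) -> dict:
    """Put both timestamp families on one clock: LastWrite is converted UTC -> local,
    the embedded DOS times are already local and only get the offset attached."""
    tz = timezone(timedelta(hours=local_offset_hours))
    out = {"key_last_write": filetime_to_utc(lastwrite_ticks).astimezone(tz).isoformat()}
    for name, dt in mac_times_from_file_entry(item).items():
        out[name] = dt.replace(tzinfo=tz).isoformat() if dt else None
    return out

# Constructed sample: folder created 2024-03-10 09:00:00, modified/accessed
# 2024-03-15 14:30:20 (local); key LastWrite of 2024-03-16 08:00:00 UTC.
SAMPLE_ITEM = (struct.pack("<HBBIHHH", 0x34, 0x31, 0, 0, 22639, 29642, 0x10)
               + b"TEST\x00" + struct.pack("<HH", 0x18, 0x0008) + BEEF0004
               + struct.pack("<HHHH", 22634, 18432, 22639, 29642))
SAMPLE_LASTWRITE = 133550496000000000

if __name__ == "__main__":
    for key, value in timeline(SAMPLE_LASTWRITE, SAMPLE_ITEM, -5).items():
        print(f"{key:>15}: {value}")
```

A LastWrite later than the embedded Accessed time with unchanged MAC fields is exactly the view-change pattern the episode validates; a zeroed pair reproduces the system-folder case that carries no MAC times.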

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy