Course 21 - Digital Forensics: Windows Shellbags | Episode 4: Shellbag Forensics: Tracking USB Device History and Artifact Validation

Published 3 months, 3 weeks ago
Description
In this lesson, you’ll learn about:
  • USB Forensics Using Shellbag Artifacts
    • How Windows Shellbags can be leveraged to reconstruct user interaction with removable media.
    • Why Shellbags are valuable for determining whether files were copied to or from USB devices, even when the media is no longer connected.
  • Initial Evidence Generation and Collection
    • Creating controlled forensic artifacts by moving test files onto a FAT16-formatted USB drive.
    • Exporting relevant registry hives (such as USRCLASS.DAT) using FTK Imager.
    • Loading these hives into Shellbag Explorer for structured analysis.
  • Understanding File System Timestamp Behavior
    • Recognizing FAT16 limitations, where Last Accessed timestamps record only the date, not the time.
    • Interpreting Created timestamps as the moment files or folders were moved onto the USB device.
    • Understanding why Modified timestamps often remain unchanged during copy or move operations.
  • Shellbag Data Merging and Ghost Artifacts
    • Learning how Windows may merge Shellbag data when a USB device is reformatted, renamed, or reused.
    • Understanding how previously accessed folders can still appear in Shellbag Explorer due to reuse of the same drive letter or volume identifiers.
    • Identifying “ghost” directories and avoiding false assumptions about current device contents.
  • Handling Multiple Removable Devices
    • Observing how Windows assigns new drive letters (e.g., E:, then F:) when multiple USB devices are connected.
    • Using Last Write Time values to infer when a USB device was inserted or when its folder view preferences were modified.
  • Forensic Validation and Reporting
    • Evaluating whether timestamps and folder structures logically align with expected user behavior.
    • Understanding why investigators must not rely solely on automated tool output.
    • Emphasizing manual validation to prevent misinterpretation caused by merged or residual Shellbag data.
By the end of this episode, you’ll be able to analyze Shellbag artifacts related to USB devices, accurately interpret file system timestamps, and validate whether removable media activity supports or contradicts suspected data exfiltration or injection events.
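As an added illustration of the FAT16 timestamp behaviour summarised above (example code, not material from the episode or its tools), the following Python decodes a constructed 32-byte FAT16 directory entry, showing why Last Accessed carries only a date while Created and Modified carry a time of day, and how a Created value later than Modified indicates a copy or move onto the volume. The sample bytes, field values and file name are constructed for the example.

```python
import struct
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed sample, not from the episode: one 32-byte FAT16 short-name directory
# entry for REPORT.TXT, laid out per the Microsoft FAT specification.
SAMPLE_ENTRY = struct.pack(
    "<11sBBBHHHHHHHI",
    b"REPORT  TXT",    # DIR_Name (8.3, space padded)
    0x20, 0x00, 0x00,  # DIR_Attr (archive), DIR_NTRes, DIR_CrtTimeTenth
    0x73C5, 0x586F,    # DIR_CrtTime, DIR_CrtDate  -> 2024-03-15 14:30:10
    0x586F,            # DIR_LstAccDate            -> 2024-03-15 (date only)
    0x0000,            # DIR_FstClusHI (always 0 on FAT16)
    0x48A0, 0x582A,    # DIR_WrtTime, DIR_WrtDate  -> 2024-01-10 09:05:00
    0x0003, 1234,      # DIR_FstClusLO, DIR_FileSize
)

def dos_date(word: int) -> date:
    """Decode a 16-bit DOS date: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    return date(((word >> 9) & 0x7F) + 1980, (word >> 5) & 0x0F, word & 0x1F)

def dos_time(word: int) -> time:
    """Decode a 16-bit DOS time: bits 15-11 hour, 10-5 minute, 4-0 seconds / 2."""
    return time((word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2)

@dataclass
class FatEntry:
    name: str
    created: datetime   # date + time, 2-second resolution
    last_access: date   # FAT16 stores no time of day for last access
    modified: datetime
    size: int

def parse_fat_entry(raw: bytes) -> FatEntry:
    (name, _attr, _nt, _tenth, c_time, c_date, a_date, _hi,
     w_time, w_date, _lo, size) = struct.unpack("<11sBBBHHHHHHHI", raw[:32])
    base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
    return FatEntry(
        name=f"{base}.{ext}" if ext else base,
        created=datetime.combine(dos_date(c_date), dos_time(c_time)),
        last_access=dos_date(a_date),
        modified=datetime.combine(dos_date(w_date), dos_time(w_time)),
        size=size,
    )

def classify(entry: FatEntry) -> str:
    """Created later than Modified: the file arrived on this volume (copy/move) at
    Created while keeping the source's Modified. Otherwise it was written here."""
    if entry.created > entry.modified:
        return "copied_or_moved_onto_volume"
    return "created_or_edited_on_volume"
```

Any tool output that shows a time of day for a FAT16 Last Accessed value did not get it from the FAT directory entry, which is one of the checks the episode's validation step calls for.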

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy