Shellbag Content Analysis in Windows 10 Platform
Anna Bennett, David Langford – Co-Authors
Department of Computer Science
Sam Houston State University
Huntsville, Texas, USA
Abstract—Microsoft Windows XP has established techniques
and tools for obtaining and interpreting “Shellbag” information.
This paper takes those techniques, modifies and applies them to a
virtual instance of the beta release of Windows 10 to determine
the forensic applicability of Shellbag content analysis.
Keywords—Shellbags; Shellbag; Shellbag Content; Registry;
Analysis; Registry Keys; Windows 10; Digital Forensics
I. INTRODUCTION
Microsoft Windows XP has established techniques and
tools for obtaining and interpreting “Shellbag” information.
Shellbag files have serious potential implications in tracking
the activities of the user of a computer as they contain
information that controls certain settings of Windows Explorer
windows, such as size, location, and content view type.
Determining how and whether these techniques will continue
to be effective in Windows 10 will be of substantial forensic
value in determining user activities through the use of Shellbag
analysis. This paper will look at the techniques and analyses
by Zhu, Gladyshev, and James [1], and modify their techniques
for Shellbag analysis in a virtual instance of the Windows 10
beta release. As a note, because this analysis is being
performed on a virtual instance of a beta release, some things
might vary between the findings listed and findings on a future
copy, or one that is not a virtual instance. The primary
reference of this paper is by Zhu, Gladyshev, and James [1].
Secondary work was performed by the co-author, Bennett [5],
directly applying their experiments to Windows 10. Their work
was the inspiration for this paper; consequently this paper
should be viewed as an extension of their paper to the
Windows 10 platform and as future research directly inspired by,
and along the lines of, the previous research. This paper, however,
instead of focusing on registry modification in general, observes
specifically how Shellbag contents are modified by specific
user actions. Shellbag information is not stored in the same
registry location in Windows 10 as in Windows XP. The keys to look
for are under:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
A. Contribution
A method is proposed by Zhu, Gladyshev, and James [1].
Their method has subsequently been applied with comparable
experiments to the Windows 10 platform [5]. That method will
be modified and applied to the Windows 10 platform in a
wider variety of situations, and the results analyzed for their
applicable utility. This paper is more concerned with analysis
of the contents of the Shellbags following various activities
than with the creation and modification of registry keys.
B. Organization
This paper is organized as follows: Section 2 gives a brief
overview of the information contained in Shellbags and the
potential importance of Shellbags in digital forensics. Section 3
gives an overview of the experiments with direct analysis of
their impact. Section 4 discusses the connection between user
actions and Shellbag information updates. Section 5 concludes
and discusses the impact of this information.
II. OVERVIEW OF SHELLBAG INFORMATION
Shellbag information exists in registry keys and contains
information about the settings of Windows Explorer windows
that have been opened. The relevance of this is that, since
these keys are themselves files, they contain metadata about
when the Shellbag file was created, last accessed, modified,
etc. In fact, a Shellbag will only exist if the Windows Explorer
process has used a window to access the folder in question.
This is particularly useful in determining whether a user
actually accessed content on the computer, as opposed to its
existence due to a malicious download. Shellbag analysis can
be used in conjunction with more commonly used digital
forensics techniques in establishing a timeline for certain
activities on a computer by specific user profiles. In
conjunction with standard investigative work, they could
perhaps provide evidence for or against an alibi, depending on
if and when certain actions were taken on the computer.
III. EXPERIMENTAL ANALYSIS OF SHELLBAG INFORMATION
UPDATING
The main objective of this section is to explore how
Windows 10 stores and modifies Shellbags, with particular
emphasis on when, and by which user actions, Shellbag content is
modified. In each experiment ShellBagsView [2] and
RegEdit [4], the replacement for RegMon [3] which was used
by Zhu, Gladyshev, and James [1], will be run to monitor
changes to the Shellbag section of the registry. The experiments
listed below are a furtherance of research previously
conducted by Zhu, Gladyshev, and James [1], and of research
conducted by Bennett [5], a co-author of this paper. The
latter reference is unpublished and will be provided to the
instructor as a supplement instead of as a standard reference.
Initial Setup:
As a note: the data below is valid for all new folders which have
been opened, closed and re-opened on the desktop; it is not
unique to a single folder. It is also the default desktop-folder
Shellbag content for a non-customized new installation of
Windows 10, as run in a virtual machine. This means that if a folder
has any Shellbag settings differing from these on a “newly
created folder”, a user has manipulated the default
folder settings. This claim is made after the creation of multiple
folders on the desktop and a comparison of their Shellbag data.
Status before experiment:
Shellbag slot 6 was determined to be the Shellbag
associated with the primary folder to be used in this experiment
set.
Shellbag Slot 6:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\6:
Name: (Default), Type: REG_SZ, Data: (value not set)
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\6\shell:
(3 entries)
1) Name: (Default), Type: REG_SZ, Data: (value not set)
2) Name: KnownFolderDerivedFolderType, Type: REG_SZ, Data: {57807898-8C4F-4462-BB63-71042380B109}
3) Name: SniffedFolderType, Type: REG_SZ, Data: Generic
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\6\shell\5C4F28B5-F869-4E84-8E60-F11DB97C5CC7:
(13 entries)
1) (Default), Type: REG_SZ, Data: (value not set)
2) ColInfo, Type: REG_BINARY, Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00
04 00 00 00 18 00 00 00 30 F1 25 B7 EF 47 1A 10
A5 F1 02 60 8C 9E EB AC 0A 00 00 00 10 01 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC
0E 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10
A5 F1 02 60 8C 9E EB AC 04 00 00 00 78 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC
0C 00 00 00 50 00 00 00
3) FFlags, Type: REG_DWORD, Data: 0x41200011
4) GroupByDirection, Type: REG_DWORD, Data: 0x00000001
5) GroupByKey:FMTID, Type: REG_SZ, Data: {00000000-0000-0000-0000-000000000000}
6) GroupByKey:PID, Type: REG_DWORD, Data: 0x00000000
7) GroupView, Type: REG_DWORD, Data: 0x00000000
8) IconSize, Type: REG_DWORD, Data: 0x00000010
9) LogicalViewMode, Type: REG_DWORD, Data: 0x00000001
10) Mode, Type: REG_DWORD, Data: 0x00000004
11) Rev, Type: REG_DWORD, Data: 0x00000000
12) Sort, Type: REG_BINARY, Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60
8C 9E EB AC 0A 00 00 00 01 00 00 00
13) Vid, Type: REG_SZ, Data: {137E7700-3573-11CF-AE69-08002B2E1262}
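ColInfo and Sort are the only values in the listing above that are not a single number or GUID, and an investigator comparing Shellbags benefits from knowing what they encode. The Python below is an added example, not part of the paper: it decodes the two REG_BINARY values copied from the slot 6 listing. The byte layout it assumes (16 leading bytes, the FD DF DF FD signature, a column count at offset 0x20 and an entry size at 0x24, then 24-byte entries of a PROPERTYKEY plus a pixel width; Sort as a count at offset 16 followed by 24-byte entries of a PROPERTYKEY plus a direction) is the common reading of these blobs used by Shellbag parsing tools, and the property names are the Windows Property System keys under FMTID_Storage; neither the layout nor the names come from the paper.

```python
"""Decode the ColInfo and Sort REG_BINARY values of a Shellbag view key.

Added example. The blob layout assumed here is the usual reading of these
values by Shellbag parsers; the paper itself does not describe it.
"""
import struct
import uuid

# Bytes copied from the paper's dump of Shellbag slot 6 (bags\6\shell\5C4F...).
COLINFO_SLOT6 = bytes.fromhex(
    "00000000000000000000000000000000"
    "FDDFDFFD10000000"
    "0000000000000000"
    "04000000" "18000000"
    "30F125B7EF471A10A5F102608C9EEBAC" "0A000000" "10010000"
    "30F125B7EF471A10A5F102608C9EEBAC" "0E000000" "78000000"
    "30F125B7EF471A10A5F102608C9EEBAC" "04000000" "78000000"
    "30F125B7EF471A10A5F102608C9EEBAC" "0C000000" "50000000"
)
SORT_SLOT6 = bytes.fromhex(
    "00000000000000000000000000000000"
    "01000000"
    "30F125B7EF471A10A5F102608C9EEBAC" "0A000000" "01000000"
)

COLINFO_SIGNATURE = b"\xFD\xDF\xDF\xFD"
PROPKEY_SIZE = 20        # 16-byte FMTID followed by a 4-byte PID
ENTRY_SIZE = 24          # PROPERTYKEY followed by a 4-byte width / direction

# Windows Property System keys seen in the dump (all under FMTID_Storage).
FMTID_STORAGE = uuid.UUID("B725F130-47EF-101A-A5F1-02608C9EEBAC")
KNOWN_PROPERTIES = {
    (FMTID_STORAGE, 10): "System.ItemNameDisplay",
    (FMTID_STORAGE, 14): "System.DateModified",
    (FMTID_STORAGE, 4): "System.ItemTypeText",
    (FMTID_STORAGE, 12): "System.Size",
}

# FOLDERVIEWMODE values stored in the "Mode" REG_DWORD of the same key.
FOLDER_VIEW_MODES = {1: "Icons", 2: "Small icons", 3: "List", 4: "Details",
                     5: "Thumbnails", 6: "Tiles", 7: "Thumbstrip", 8: "Content"}


def _read_propkey(buf, off):
    """Read a PROPERTYKEY (little-endian GUID + uint32 PID) at offset off."""
    fmtid = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))
    pid = struct.unpack_from("<I", buf, off + 16)[0]
    return fmtid, pid


def property_name(fmtid, pid):
    """Canonical property name, or '{fmtid} pid' when the key is unknown."""
    return KNOWN_PROPERTIES.get((fmtid, pid), f"{{{fmtid}}} {pid}")


def parse_colinfo(data):
    """Return [(property_name, width_px), ...] for a ColInfo blob."""
    if len(data) < 0x28 or data[16:20] != COLINFO_SIGNATURE:
        raise ValueError("missing ColInfo signature")
    count, entry_size = struct.unpack_from("<II", data, 0x20)
    if entry_size != ENTRY_SIZE:
        raise ValueError(f"unexpected ColInfo entry size {entry_size}")
    if 0x28 + count * entry_size > len(data):
        raise ValueError("ColInfo blob truncated")
    columns = []
    for i in range(count):
        off = 0x28 + i * entry_size
        fmtid, pid = _read_propkey(data, off)
        width = struct.unpack_from("<I", data, off + PROPKEY_SIZE)[0]
        columns.append((property_name(fmtid, pid), width))
    return columns


def parse_sort(data):
    """Return [(property_name, 'ascending'|'descending'), ...] for a Sort blob."""
    if len(data) < 20:
        raise ValueError("Sort blob too short")
    count = struct.unpack_from("<I", data, 16)[0]
    if 20 + count * ENTRY_SIZE > len(data):
        raise ValueError("Sort blob truncated")
    order = []
    for i in range(count):
        off = 20 + i * ENTRY_SIZE
        fmtid, pid = _read_propkey(data, off)
        direction = struct.unpack_from("<i", data, off + PROPKEY_SIZE)[0]
        order.append((property_name(fmtid, pid),
                      "ascending" if direction > 0 else "descending"))
    return order


def view_mode_name(mode):
    """Human-readable name for a FOLDERVIEWMODE 'Mode' value."""
    return FOLDER_VIEW_MODES.get(mode, f"unknown ({mode})")


if __name__ == "__main__":
    for name, width in parse_colinfo(COLINFO_SLOT6):
        print(f"column {name:<24} width {width}")
    print("sort:", parse_sort(SORT_SLOT6))
    print("Mode 0x00000004 ->", view_mode_name(4))
```

Run against the slot 6 bytes, the decoder reports a four-column view of Name, Date modified, Type and Size sorted by name ascending, which is consistent with the listing's Mode value of 4 (FVM_DETAILS) and LogicalViewMode of 1. Any column set or sort order that differs from this for a "newly created folder" is exactly the kind of deviation from the default the paper says points to user manipulation of the view.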
A. Experiment 1
Open a folder that currently has associated Shellbag
information and is located on the Desktop. Move a file from
the desktop into that folder.
This experiment was designed to observe user action
associated with Desktop folders [1] and their resulting Registry
changes in their associated Shellbag folders. The experiment
performed for the purposes of this paper seeks to observe the
changes to the contents of the Shellbag folder and associated
Metadata, and compare those observations to the results of
similarly designed experiments to determine forensically useful
information.
The first step in conducting this experiment was to
establish the contents of the Shellbag associated with the folder
in question. A folder was created on the desktop, it was opened
and closed, and the program ShellBagsView [2] was used to
document its metadata. The program RegEdit [4] was used to
determine the content of the associated Shellbag. Subsequently
the folder was opened and a file was moved from the desktop
into the folder. The Shellbag contents and Shellbag metadata
were then examined.
i. Log Analysis
ShellBagsView [2] recorded no change in data as a result of
moving a file into the folder. RegEdit [4] reported the
contents of all sections of the Shellbag located at:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\6
which were compared to the initial conditions; no change
was found. RegEdit [4] shows no change in the registry values
for this Shellbag.
B. Experiment 2
Close a folder that currently has associated Shellbag
information, into which a file has just been moved during its
current open session, and which is located on the Desktop.
This experiment was designed to observe user action
associated with Desktop folders [1] and their resulting Registry
changes in their associated Shellbag folders. The experiment
performed for the purposes of this paper seeks to observe the
changes to the contents of the Shellbag folder and associated
Metadata, and compare those observations to the results of
similarly designed experiments to determine forensically useful
information.
The first steps in conducting this experiment were
documented in experiment 1. ShellBagsView [2] was used to
document the metadata. The program RegEdit [4] was used to
determine the content of the associated Shellbag. Subsequently
the folder was closed. The Shellbag contents and Shellbag
metadata were then examined.
i. Log analysis:
The simple opening and closing of the folder, without any
changes to its contents or its location, size, viewing options or
other settings, changes nothing associated with the Shellbag data.
C. Experiment 3
Move a file into a closed folder for which Shellbag info
already exists: Close a folder that currently has associated
Shellbag information, into which a file has just been
moved during its current open session, and which is
located on the Desktop.
This experiment was designed to observe user action
associated with Desktop folders [1] and their resulting Registry
changes in their associated Shellbag folders. The experiment
performed for the purposes of this paper seeks to observe the
changes to the contents of the Shellbag folder and associated
Metadata, and compare those observations to the results of
similarly designed experiments to determine forensically useful
information.
The first steps in conducting this experiment were
documented in experiments 1 and 2. ShellBagsView [2] was
used to document the metadata. The program RegEdit [4] was
used to determine the content of the associated Shellbag.
Subsequently the folder was closed. The Shellbag contents and
Shellbag metadata were then examined.
i. Log analysis
A review of the contents of ShellBagsView [2] shows no
change to the metadata of the associated Shellbag. RegEdit [4]
also shows no change to the contents of the associated
Shellbag. This was fully expected, as the moving of a file into
an open folder, and the subsequent closing of that folder,
had no impact on the Shellbag contents.
This does indicate that, if a suspect were to move a
collection of files into a folder without ever opening that
folder, it is entirely possible that the folder would have no
associated Shellbag data. This undermines one of the currently
theorized forensic uses of Shellbags: that the existence of a Shellbag
for a folder with certain contents is evidence towards the
user's knowledge of the contents of that folder, and,
conversely, that the absence of such a Shellbag is evidence
against knowledge of the folder’s contents.
D. Experiment 4
Move a folder into a folder. A folder with a file which was
located on the desktop was moved into an open folder,
which had a file in it, which was also located on the
desktop.
This experiment was designed to observe user action
associated with Desktop folders [1] and their resulting Registry
changes in their associated Shellbag folders. The experiment
performed for the purposes of this paper seeks to observe the
changes to the contents of the Shellbag folder and associated
Metadata, and compare those observations to the results of
similarly designed experiments to determine forensically useful
information.
The first steps in conducting this experiment were
documented in the previous experiments. ShellBagsView [2]
was used to document the metadata. The program RegEdit [4]
was used to determine the content of the associated Shellbag.
Subsequently the folder was closed. The Shellbag contents and
Shellbag metadata were then examined.
Specifically, the folder associated with Shellbag 6 was
dragged and dropped into the folder associated with Shellbag
5, which was open. Both folders originated on the Desktop.
Prior to this action, Shellbag 5 was identical to Shellbag 6
except for the file metadata.
i. Log analysis:
A new Shellbag was created, occupying Shellbag slot 8.
The contents will be reviewed below the analysis of the pre-
existing Shellbags in slots 5 and 6.
Shellbag slot 5:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\5:
This is the folder into which a folder was moved. The
content window to the side, in ShellBagsView [2], contains the
same “Name: (Default), Type: REG_SZ, Data: (value not set)”
content as before the moving of the folder. However, a new
subsection of the Shellbag has been created: a subfolder called
“ComDlg”. It has a subfolder: 5C4F28B5-F869-4E84-8E60-F11DB97C5CC7.
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\5\ComDlg:
(1 entry)
1) Name: (Default), Type: REG_SZ, Data: (value not set)
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\5\ComDlg\5C4F28B5-F869-4E84-8E60-F11DB97C5CC7:
(11 entries)
1) (Default), Type: REG_SZ, Data: (value not set)
2) ColInfo, Type: REG_BINARY, Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00
04 00 00 00 18 00 00 00 30 F1 25 B7 EF 47 1A 10
A5 F1 02 60 8C 9E EB AC 0A 00 00 00 10 01 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC
0E 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10
A5 F1 02 60 8C 9E EB AC 04 00 00 00 78 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC
0C 00 00 00 50 00 00 00
3) FFlags, Type: REG_DWORD, Data: 0x00000001 (this value is different)
4) GroupByDirection, Type: REG_DWORD, Data: 0x00000001
5) GroupByKey:FMTID, Type: REG_SZ, Data: {00000000-0000-0000-0000-000000000000}
6) GroupByKey:PID, Type: REG_DWORD, Data: 0x00000000
7) GroupView, Type: REG_DWORD, Data: 0x00000000
8) IconSize, Type: REG_DWORD, Data: 0x00000010
9) LogicalViewMode, Type: REG_DWORD, Data: 0x00000001
10) Mode, Type: REG_DWORD, Data: 0x00000004
11) Sort, Type: REG_BINARY, Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60
8C 9E EB AC 0A 00 00 00 01 00 00 00
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\5\shell:
(3 entries)
1) Name: (Default), Type: REG_SZ, Data: (value not set)
2) Name: KnownFolderDerivedFolderType, Type: REG_SZ, Data: {57807898-8C4F-4462-BB63-71042380B109}
3) Name: SniffedFolderType, Type: REG_SZ, Data: Generic
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\5\shell\5C4F28B5-F869-4E84-8E60-F11DB97C5CC7:
(13 entries)
1) (Default), Type: REG_SZ, Data: (value not set)
2) ColInfo, Type: REG_BINARY, Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00
04 00 00 00 18 00 00 00 30 F1 25 B7 EF 47 1A 10
A5 F1 02 60 8C 9E EB AC 0A 00 00 00 10 01 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC
0E 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10
A5 F1 02 60 8C 9E EB AC 04 00 00 00 78 00 00 00
30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC
0C 00 00 00 50 00 00 00
3) FFlags, Type: REG_DWORD, Data: 0x41200011
4) GroupByDirection, Type: REG_DWORD, Data: 0x00000001
5) GroupByKey:FMTID, Type: REG_SZ, Data: {00000000-0000-0000-0000-000000000000}
6) GroupByKey:PID, Type: REG_DWORD, Data: 0x00000000
7) GroupView, Type: REG_DWORD, Data: 0x00000000
8) IconSize, Type: REG_DWORD, Data: 0x00000010
9) LogicalViewMode, Type: REG_DWORD, Data: 0x00000001
10) Mode, Type: REG_DWORD, Data: 0x00000004
11) Rev, Type: REG_DWORD, Data: 0x00000000
12) Sort, Type: REG_BINARY, Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60
8C 9E EB AC 0A 00 00 00 01 00 00 00
13) Vid, Type: REG_SZ, Data: {137E7700-3573-11CF-AE69-08002B2E1262}
Shell\bags\6:
The content of the Shellbag in slot 6 was unchanged by this
action.
Shell\bags\8:
A new Shellbag was created for slot 8 by this action. It is a
different type of Shellbag from the Shellbags for actual folders.
Its contents and potential data slots are fewer than those of the
previous Shellbag types we have examined to this point.
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\8:
(1 entry)
Name: (Default), Type: REG_SZ, Data: (value not set)
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\8\Shell:
(2 entries)
1) Name: (Default), Type: REG_SZ, Data: (value not set)
2) Name: KnownFolderDerivedFolderType, Type: REG_SZ, Data: {57807898-8C4F-4462-BB63-71042380B109}
i. Log analysis:
Of note: the fields “Rev” and “Vid” are not present in the
subfolder of ComDlg, and its field “FFlags” has a different
data value than the same field in the otherwise comparable
subfolder:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\bags\5\shell\5C4F28B5-F869-4E84-8E60-F11DB97C5CC7.
This may indicate that a ComDlg folder is unique to a
folder that contains another folder. Therefore, its presence
indicates the presence of a folder within the folder. It does not
seem to contain any indication of the identity of the nested
folder, however.
The creation of an additional Shellbag occupying its own
slot, slot 8 in this case, is also interesting. Future research can
examine the relationship of the different types of Shellbags to
the folder and subfolder arrangement in the file system.
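The comparisons in experiments 1 to 4 were made by reading RegEdit [4] output by hand. As an added example, not part of the paper, the Python below automates that comparison: it parses two RegEdit .reg exports of the Bags tree and reports added keys, removed keys and changed values, then lists which bag slots exist and which view settings deviate from the default set the paper gives for a new desktop folder. The two exports are constructed, not captured: they mirror the Experiment 4 observations (a new ComDlg subkey under bag 5 whose FFlags is 0x00000001, and a new bag 8), with the key names and values taken from the listings above and the view GUID written in braces as RegEdit exports it.

```python
"""Diff two RegEdit (.reg) exports of the Shellbag Bags tree.

Added example. BEFORE_EXPORT / AFTER_EXPORT are constructed to mirror the
paper's Experiment 4 (new ComDlg subkey under bag 5, new bag 8); they are
not real captures.
"""
import re

HIVE = (r"HKEY_CURRENT_USER\Software\Classes\Local Settings"
        r"\Software\Microsoft\Windows\Shell\Bags")
VIEW = "{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"

BEFORE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{HIVE}\\5]",
    "",
    f"[{HIVE}\\5\\Shell]",
    '"KnownFolderDerivedFolderType"="{57807898-8C4F-4462-BB63-71042380B109}"',
    '"SniffedFolderType"="Generic"',
    "",
    f"[{HIVE}\\5\\Shell\\{VIEW}]",
    '"FFlags"=dword:41200011',
    '"Mode"=dword:00000004',
    '"Rev"=dword:00000000',
    '"Vid"="{137E7700-3573-11CF-AE69-08002B2E1262}"',
    '"Sort"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,30,f1,\\',
    "  25,b7,ef,47,1a,10,a5,f1,02,60,8c,9e,eb,ac,0a,00,00,00,01,00,00,00",
])
AFTER_EXPORT = BEFORE_EXPORT + "\n".join([
    "", "",
    f"[{HIVE}\\5\\ComDlg]",
    "",
    f"[{HIVE}\\5\\ComDlg\\{VIEW}]",
    '"FFlags"=dword:00000001',
    '"Mode"=dword:00000004',
    "",
    f"[{HIVE}\\8]",
    "",
    f"[{HIVE}\\8\\Shell]",
    '"KnownFolderDerivedFolderType"="{57807898-8C4F-4462-BB63-71042380B109}"',
])

# Default view settings for a new desktop folder, as listed in the paper.
DEFAULT_VIEW_SETTINGS = {"FFlags": 0x41200011, "GroupByDirection": 1,
                         "GroupByKey:PID": 0, "GroupView": 0, "IconSize": 0x10,
                         "LogicalViewMode": 1, "Mode": 4, "Rev": 0}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(.*?)"|(@))=(.*)$')


def _logical_lines(text):
    """Yield lines with RegEdit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_data(raw):
    """Decode the right-hand side of a .reg value line into (type, data)."""
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[len("dword:"):], 16))
    if raw.startswith("hex:"):
        return ("REG_BINARY", bytes.fromhex(raw[len("hex:"):].replace(",", "")))
    return ("UNSUPPORTED", raw)  # hex(2), hex(7), ... are not needed here


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            keys[current][name] = _decode_data(m.group(3))
    return keys


def diff_exports(before, after):
    """Return (kind, key_path, value_name, detail) tuples for every difference."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append(("added_key", key, None, sorted(after[key])))
        elif key not in after:
            changes.append(("removed_key", key, None, sorted(before[key])))
        else:
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    changes.append(("added_value", key, name, a[name]))
                elif name not in a:
                    changes.append(("removed_value", key, name, b[name]))
                elif b[name] != a[name]:
                    changes.append(("changed_value", key, name, (b[name], a[name])))
    return changes


def shellbag_slots(parsed):
    """Numeric bag slots present in a parsed export of the Bags tree."""
    slot_re = re.compile(r"\\Bags\\(\d+)(?:\\|$)", re.IGNORECASE)
    return {int(m.group(1)) for m in map(slot_re.search, parsed) if m}


def deviations_from_default(view_values):
    """Names of DWORD view settings that differ from the paper's default set."""
    return sorted(name for name, (_kind, data) in view_values.items()
                  if name in DEFAULT_VIEW_SETTINGS and data != DEFAULT_VIEW_SETTINGS[name])
```

Run on the two constructed exports, diff_exports reports four added keys and no changed values, shellbag_slots moves from {5} to {5, 8}, and deviations_from_default flags FFlags on the ComDlg view key while the Shell view key matches the defaults, which is the Experiment 4 result in machine-readable form. Registry key and value names are case-insensitive, so exports taken from different tools should be case-normalized before diffing; two exports from the same RegEdit session, as assumed here, use consistent casing.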
E. Experiment 5
The folder associated with Shellbag 5 was closed, to trigger
any Shellbag content changes that might have been cached to
wait until folder close to update, as was suggested by previous
research.
This experiment was designed to observe user action
associated with Desktop folders [1] and their resulting Registry
changes in their associated Shellbag folders. The experiment
performed for the purposes of this paper seeks to observe the
changes to the contents of the Shellbag folder and associated
Metadata, and compare those observations to the results of
similarly designed experiments to determine forensically useful
information.
The first steps in conducting this experiment were
documented in the previous experiments. ShellBagsView [2]
was used to document the metadata. The program RegEdit [4]
was used to determine the content of the associated Shellbag.
Subsequently the folder was closed. The Shellbag contents and
Shellbag metadata were then examined.
i. Log analysis:
Shell\bags\5: No content of this Shellbag has changed.
Shell\bags\6: No content of this Shellbag has changed.
Shell\bags\8: No content of this Shellbag has changed.
This indicates that upon the moving of a folder into another
folder, all the Shellbag content modifications are made
immediately, and are not cached for update upon closing, as
had been seen in previous research.
F. Experiment 6
The folder associated with Shellbag 5 was reopened, and
the folder associated with Shellbag 6 was removed. This was
accomplished by dragging and dropping the folder from the
folder and back onto the desktop.
This experiment was designed to observe user action
associated with Desktop folders [1] and their resulting Registry
changes in their associated Shellbag folders. The experiment
performed for the purposes of this paper seeks to observe the
changes to the contents of the Shellbag folder and associated
Metadata, and compare those observations to the results of
similarly designed experiments to determine forensically useful
information.
The first steps in conducting this experiment were
documented in the previous experiments. ShellBagsView [2]
was used to document the metadata. The program RegEdit [4]
was used to determine the content of the associated Shellbag.
Subsequently the folder was closed. The Shellbag contents and
Shellbag metadata were then examined.
i. Log Analysis
Shell\bags\5: No content of this Shellbag has changed.
Shell\bags\6: No content of this Shellbag has changed.
Shell\bags\8: No content of this Shellbag has changed.
Even though the content of the Shellbags was updated upon
moving a folder to be within another folder, prior to closing the
folder, this removal of the folder from within another folder
produces no Shellbag content change. This means that a review
of the Shellbags contents at this point, if compared to the
results from experiment 5, could indicate to an investigator that
there is a folder present in the parent folder, when it no longer
resides there.
G. Experiment 7
The folder associated with Shellbag 5, from which the
folder associated with Shellbag 6 has been removed, was
closed. This was to try to trigger any Shellbag content updates,
as was indicated might happen by previous research. The
associated Shellbag contents for Shellbags 5, 6, and 8 were
reviewed
This experiment was designed to observe user action
associated with Desktop folders [1] and their resulting Registry
changes in their associated Shellbag folders. The experiment
performed for the purposes of this paper seeks to observe the
changes to the contents of the Shellbag folder and associated
Metadata, and compare those observations to the results of
similarly designed experiments to determine forensically useful
information.
The first steps in conducting this experiment were
documented in the previous experiments. ShellBagsView [2]
was used to document the metadata. The program RegEdit [4]
was used to determine the content of the associated Shellbag.
Subsequently the folder was closed. The Shellbag contents and
Shellbag metadata were then examined.
i. Log analysis:
Shell\bags\5: No content of this Shellbag has changed.
Shell\bags\6: No content of this Shellbag has changed.
Shell\bags\8: No content of this Shellbag has changed.
The absence of any change in the Shellbag files affected by
the move of this folder, even after the closing of the parent
folder, means that their current contents are identical to their
contents when the folder was still located within the other
folder. This means that the presence of Shellbag 8 and of the
ComDlg subfolder do not indicate a current status of a folder
system, but only that a parent folder system existed at one time.
IV. ANALYSIS OF CAUSALITY BETWEEN USER ACTIONS AND
SHELLBAG INFORMATION UPDATING
Previous research has indicated that Windows 10 Shellbag
updating has moved, since Windows XP, to a strictly post-closing
process [5]. The present results indicate that, although that
holds for the actions evaluated in the previous research, for the
actions evaluated here the closing of a folder has no impact on the
contents of the Shellbag; see experiments 2, 5, and 7. Instead,
the only action evaluated here which had any impact on
Shellbag content was the moving of a folder into another
folder, in experiment 4.
Of serious note is the standardized Shellbag format that is
provided at the beginning of this paper, under the content for
Shellbag 6. That data is valid for all new folders which have
been opened, closed and re-opened on the desktop for a
non-customized new installation of Windows 10, as run in a
virtual machine. It is not unique to a single folder. This means that if
a folder has any Shellbag settings differing from these on a
“newly created folder”, either a user has manipulated the
default folder settings, or the folder metadata, and perhaps also
the Shellbag metadata, has been modified to make it look like a
“newly created folder” when it has actually been manipulated
in some way.
Also notable is that the moving of files into a folder, whether
it is open or closed, has no impact on Shellbag content.
Pertinent to investigations, this means a number of things:
1) A casual, not particularly computer-savvy, user might
have extensive knowledge of the contents of a folder without
the existence of a Shellbag for that folder, if the user moved a
collection of files into the folder without ever opening the
folder. This can be done using the drag and drop method.
2) Malware, a malicious user, or another agent might
easily hide information from an investigator who limits content
searches to folders which have Shellbags. This field is not yet
well enough understood to begin utilizing the limited
information available to reduce an investigative workload.
3) Just because the Shellbag metadata has not updated
during the scope of the investigative period does not mean that
the associated folder structure and folder contents have not
changed during that time.
4) Although there was great hope that Shellbags might
prove to be a powerful exonerating or evidentiary tool, it might
be that their presence or absence, and their metadata, will
prove to be much less impactful in the forensic field than was
first indicated.
Future research in this area should include examining the
registry updates involved in changing window viewing, size,
ordering, and other settings controlled by Shellbags. It should
also evaluate the different types of Shellbags, and the Shellbag
contents, that are created in the registry by folders created in
different parts of the system, i.e. not just on the desktop. It
should examine the relationship of the Shellbag content to the
folder parent/child structure, to see if any correlations can be
drawn from existing Shellbag content and folder structure to
a previously existing folder structure. For example: if a suspect
were trying to obscure information by dividing it into various
folders, which were structured in a certain way, and then
disorganizing the folders, could the previous folder structure be
reconstructed using Shellbag structure and content? Future
research in this area should also evaluate Shellbag contents and
structure for a system in which multiple profiles have access to
the same folders.
REFERENCES
[1] Y. Zhu, P. Gladyshev, and J. James, “Using shellbag information to reconstruct user activities,” 2009. [Online]. Available: www.dfrws.org/2009/proceedings/p69-zhu.pdf
[2] ShellBagsView, v1.16, NirSoft. [Online]. Available: www.nirsoft.net
[3] RegMon, M. Russinovich and B. Cogswell. [Online]. No longer available or usable on modern Windows systems.
[4] RegEdit, Windows utility, included as standard with Microsoft Windows.
[5] A. Bennett, “Application of Windows XP Shellbag Analysis Techniques to Windows 10 Platform,” 2014, unpublished.
non-customized new installation of Windows 10, as run in a
virtual machine. It is not unique to a single folder. Meaning, if
a folder has any Shellbag settings differing from these on a
“newly created folder”, a user has manipulated the custom
default folder settings, or the folder metadata, and also perhaps
the Shellbag metadata, has been modified to make it look like a
“newly created folder,” when it has actually been manipulated
somehow.
Also notable is that the moving of files into folder, whether
they are open or closed, has no impact on Shellbag content.
Pertinent to investigations, this means a number of things:
1) A casual, not particularly computer-savvy, user might
have extensive knowledge of the contents of a folder without
the existence of a Shellbag for that folder, if the user moved a
collection of files into the folder without ever opening the
folder. This can be done using the drag and drop method.
2) Malware, a malicious user, or another agent might
easily hide information from an investigator who limits content
searches to folders which have Shellbags. This field is not yet
well enough understood to begin utilizing the limited
information available to reduce an investigative workload.
3) Just because the Shellbag metadata has not updated
during the scope of the investigative period does not mean that
the associated folder structure and folder contents has not
changed during that time.
4) Although there was great hope that Shellbags might
prove to be a powerful exonerating or evidentiary tool, it might
be that their presence, or absence, and their metadata will
prove to be much less impactful in the forensic field than was
first indicated.
Future research in this area should include examining the
registry updates involved in changing windows viewing, size,
ordering, and other settings controlled by Shellbags. It should
also evaluate the different types of Shellbags, and the Shellbag
contents, that are created in the registry by folders created in
different parts of the system: i.e. not just on the desktop. It
should examine the relationship of the Shellbag content to the
folder parent/child structure, to see if any correlations can be
drawn from an existing Shellbag content and folder structure to
a previously existing folder structure. For example: if a suspect
were trying to obscure information by dividing it into various
folders, which were structured in a certain way, and then
disorganizing the folders, could the previous folder structure be
reconstructed using Shellbag structure and content? Future
research in this area should also evaluate Shellbag contents and
structure for a system in which multiple profiles have access to
the same folders.
REFERENCES
[1] Y. Zhu, P. Gladyshev, and J. James, (2009) “Using shellbag information
to reconstruct user activities,” [online]. Available
www.dfrws.org/2009/proceedings/p69-zhu.pdf
[2] ShellBagsView, V1.16 NirSoft products, www.nirsoft.net
[3] RegMon – M. Russinovich and B. Cogswell [online], no longer
available or usable on modern Windows systems.
[4] RegEdit- Windows Utility, included standard with Microsoft Windows.
[5] A. Bennett, (2014) “Application of Windows XP Shellbag
Analysis Techniques to Windows 10 Platform,”

researchpaper-complete

  • 1. Shellbag Content Analysis in Windows 10 Platform Anna Bennett, David Langford – Co-Authors Department of Computer Science Sam Houston State University Huntsville, Texas, USA Abstract—Microsoft Windows XP has established techniques and tools for obtaining and interpreting “Shellbag” information. This paper takes those techniques, modifies and applies them to a virtual instance of the beta release of Windows 10 to determine the forensic applicability of Shellbag content analysis. Keywords—Shellbags; Shellbag; Shellbag Content; Registry; Analysis; Registry Keys; Windows 10; Digital Forensics I. INTRODUCTION Microsoft Windows XP has established techniques and tools for obtaining and interpreting “Shellbag” information. Shellbag files have serious potential implications in tracking the activities of the user of a computer as they contain information that controls certain settings of Windows Explorer windows, such as size, location, and content view type. Determining how and whether these techniques will continue to be effective in Windows 10 will be of substantial forensic value in determining user activities through the use of Shellbag analysis. This paper will look at the techniques and analyses by Zhu, Gladyshev, and James [1], and modify their techniques for Shellbag analysis in a virtual instance of the Windows 10 beta release. As a note, because this analysis is being performed on a virtual instance of a beta release, some things might vary between the findings listed and findings on a future copy, or one that is not a virtual instance. The primary reference of this paper is by Zhu, Gladyshev, and James [1]. Secondary work was performed by the co-author, Bennett [5], directly applying their experiments to Windows 10. Their work was the inspiration for this paper and consequently this paper should be viewed as an extension of their paper to the Windows 10 platform and as directly inspired future research along the lines of the previous research. 
This paper, however, instead of focusing on any registry modification, observes specifically how Shellbag contents are modified by specific user actions. Information for Shellbags stored in the registry is not in the same location in Windows 10. The keys to look for are: HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell A. Contribution A method is proposed by Zhu, Gladyshev, and James [1]. Their method has subsequently been applied with comparable experiments to the Windows 10 platform [5]. That method will be modified and applied to the Windows 10 platform in a wider variety of situations, and the results analyzed for their applicable utility. This paper is more concerned with analysis of the contents of the Shellbags following various activities than with the creation and modification of registry keys. B. Organization This paper is organized as follows: Section 2 gives a brief overview of the information contained in Shellbags and the potential importance of Shellbags in digital forensics. Section 3 gives an overview of the experiments with direct analysis of their impact. Section 4 discusses the connection between user actions and Shellbag information updates. Section 5 concludes and discusses the impact of this information. II. OVERVIEW OF SHELLBAG INFORMATION Shellbag information exists in registry keys and contains information about the settings of Windows Explorer windows that have been opened. The relevance of this is that, since these keys are themselves files, they contain metadata about when the Shellbag file was created, last accessed, modified, etc. In fact, a Shellbag will only exist if the Windows Explorer process has used a window to access the folder in question. This is particularly useful in determining whether a user actually accessed content on the computer, as opposed to its existence due to a malicious download. 
Shellbag analysis can be used in conjunction with more commonly used digital forensics techniques in establishing a timeline for certain activities on a computer by specific user profiles. In conjunction with standard investigative work, they could perhaps provide evidence for or against an alibi, depending on if and when certain actions were taken on the computer. III. EXPERIMENTAL ANALYSIS OF SHELLBAG INFORMATION UPDATING The main objective of this section is to explore how Windows 10 stores and modifies Shellbags, with particular emphasis on when Shellbag content is modified by what user actions. In each experiment ShellBagsView [2] and RegEdit[4], the replacement for RegMon [3] which was used by Zhu, Glayshev, and James [1], will be run to monitor changes to the Shellbag section of the registry. Experiments listed below will be a furtherance of research previously conducted Zhu, Gladyshev, and James [1], and of research conducted by Bennett [5], a co-author of this paper. The research reference is unpublished and will be provided to the instructor as a supplement instead of as a standard reference. Initial Setup: As a note: this data is valid for all new folders which have been opened and closed and re-opened on the desktop. It is not
  • 2. unique to a single folder. It is also the default desktop folder Shellbag info for a non-customized new installation of Windows 10, as run in a virtual machine. Meaning, if a folder has any Shellbag settings differing from these on a “newly created folder”, a user has manipulated the custom default folder settings. This claim is made after the creation of multiple folders on the desktop and a comparison of their Shellbag data. Status before experiment: Shellbag slot 6 was determined to be the Shellbag associated with the primary folder to be used in this experiment set. Shellbag Slot 6: HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/6: Name: (Default), Type: REG_SZ, Data: (value not set) HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/6/shell: (3 entries) 1) Name: (Default), Type: REG_SZ, Data: (value not set) 2) Name: KnownFolderDerivedFolderType, Type: Reg_SZ, Data: {57807898-8C4F-4462-BB63-71042380B109} 3) Name: SniffedFolderType, Type: REG_SZ Data: Generic HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/6/shell / 5C4F28B5-F869-4E84-8E60-F11DB97C5CC7: (13 entries) 1) (Default), Type: REG_SZ, Data: (value not set) 2) ColInfo, Type: REG_BINARY Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd df df fd 10 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 18 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 10 01 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0E 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 04 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0C 00 00 00 50 00 00 00 3) FFlags, Type: REG_DWORD Data: 0x41200011 4) GroupByDirection, Type: REG_DWORD, Data: 0x00000001 5) GroupByKey:FMTID, Type: REG_SZ, Data: {00000000-0000-0000-0000-000000000000} 6) GroupByKey:PID, Type: REG_DWORD, Data: 0x00000000 7) GroupView, Type: REG_DWORD Data: 0x00000000 8) IconSize, Type: REG_DWORD Data: 
0x00000010 9) LogicalViewMode, Type: REG_DWORD, Data: 0x00000001 10) Mode, Type: REG_DWORD, Data: 0x00000004 11) Rev, Type: REG_DWORD, Data: 0x00000000 12) Sort, Type: REG_BINARY, Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 01 00 00 00 13) Vid, Type: REG_SZ, Data: {137E7700-3573-11CF- AE69-08002B2E1262} A. Experiment 1 Open a folder that currently has associated Shellbag information and is located on the Desktop. Move a file from the desktop into that folder. This experiment was designed to observe user action associated with Desktop folders [1] and their resulting Registry changes in their associated Shellbag folders. The experiment performed for the purposes of this paper seeks to observe the changes to the contents of the Shellbag folder and associated Metadata, and compare those observations to the results of similarly designed experiments to determine forensically useful information. The first step in conducting this experiment was to establish the contents of the Shellbag associated with the folder in question. A folder was created on the desktop, it was opened and closed and the the program ShellBagsView [2] was used to document its metadata. The program RegEdit [4] was used to determine the content of the associated Shellbag. Subsequently the folder was opened and a file was moved from the desktop into the folder. The Shellbag contents and Shellbag metadata were then examined. i. Log Analysis ShellBagsView [2] recorded no change in data by the moving of a file into the folder. RegEdit [4] reported the contents of all sections of the Shellbag located at: KEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/6 which were compared to the initial conditions, and no change was found. RegEdit [4] shows no change in the registry values for this Shellbag. B. 
Experiment 2 Close a folder that currently has associated Shellbag information, into which a file has just been moved during its current open session, and which is located on the Desktop. This experiment was designed to observe user action associated with Desktop folders [1] and their resulting Registry changes in their associated Shellbag folders. The experiment performed for the purposes of this paper seeks to observe the changes to the contents of the Shellbag folder and associated Metadata, and compare those observations to the results of similarly designed experiments to determine forensically useful information.
  • 3. The first steps in conducting this experiment were documented in experiment 1. ShellBagsView [2] was used to document the metadata. The program RegEdit [4] was used to determine the content of the associated Shellbag. Subsequently the folder was closed. The Shellbag contents and Shellbag metadata were then examined. i. Log analysis: The simple open and closing of the folder, without any changes to its contents or its location, size, viewing options or other, changes nothing associated with the Shellbag data. C. Experiment 3 Move a file into a closed folder for which Shellbag info already exists: Close a folder that currently has associated Shellbag information, into which a file has just been moved during its current open session, and which is located on the Desktop. This experiment was designed to observe user action associated with Desktop folders [1] and their resulting Registry changes in their associated Shellbag folders. The experiment performed for the purposes of this paper seeks to observe the changes to the contents of the Shellbag folder and associated Metadata, and compare those observations to the results of similarly designed experiments to determine forensically useful information. The first steps in conducting this experiment were documented in experiments 1 and 2. ShellBagsView [2] was used to document the metadata. The program RegEdit [4] was used to determine the content of the associated Shellbag. Subsequently the folder was closed. The Shellbag contents and Shellbag metadata were then examined. i. Log analysis A review of the contents of ShellBagsView [2] shows no change to the metadata of the associated Shellbag. RegEdit [4] also shows no change to the contents of the associated Shellbag. This was fully expected, as the moving of a file into an open folder, and the subsequent closing of that folder, indicated no impact of the Shellbag contents. 
This does indicate that, if a suspect were to move a collection of files into a folder without ever opening that folder, that it is entirely possible that the folder would have no associated Shellbag data. This undermines one of the current theorized forensic Shellbag uses: the existence of a Shellbag for a folder with certain contents being evidence towards the knowledge of a user of the contents of that folder, and conversely, the absence of such a Shellbag being evidence against the knowledge of the folder’s contents. D. Experiment 4 Move a folder into a folder. A folder with a file which was located on the desktop was moved into an open folder, which had a file in it, which was also located on the desktop. This experiment was designed to observe user action associated with Desktop folders [1] and their resulting Registry changes in their associated Shellbag folders. The experiment performed for the purposes of this paper seeks to observe the changes to the contents of the Shellbag folder and associated Metadata, and compare those observations to the results of similarly designed experiments to determine forensically useful information. The first steps in conducting this experiment were documented in the previous experiments. ShellBagsView [2] was used to document the metadata. The program RegEdit [4] was used to determine the content of the associated Shellbag. Subsequently the folder was closed. The Shellbag contents and Shellbag metadata were then examined. Specifically, the folder associated with Shellbag 6 was dragged and dropped into the folder associated with Shellbag 5, which was open. Both folders originated on the Desktop. Prior to this action, Shellbag 5 was identical to Shellbag 6 except for the file metadata. i. Log analysis: A new Shellbag was created, occupying Shellbag slot 8. The contents will be reviewed below the analysis of the pre- existing Shellbags in slots 5 and 6. 
Shellbag slot 5: HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/5: This is the folder into which a folder was moved. The content window to the side, in ShellBagsView [2], contains the same “Name: (Default), Type: REG_SZ, Data: (value not set)” content as before the moving of the folder. However, a new subsection of the Shellbag has been created: a subfolder called “ComDlg”. It has a subfolder: 5C4F28B5-F869-4E84-8E60- F11DB97C5CC7. HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/5/ComDlg: (1 entry): 1) Name: (Default), Type: REG_SZ, Data: (value not set) HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/5/ComDlg/5 C4F28B5-F869-4E84-8E60-F11DB97C5CC7: (11 entries) 1) (Default), Type: REG_SZ, Data: (value not set) 2) ColInfo, Type: REG_BINARY Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 18 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 10 01 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0E 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 04 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0C 00 00 00 50 00 00 00 3) FFlags, Type: REG_DWORD, Data: 0x00000001 *this is different
  • 4. 4) GroupByDirection, Type: REG_DWORD, Data: 0x00000001 5) GroupByKey:FMTID, Type: REG_SZ, Data: {00000000-0000-0000-0000-000000000000} 6) GroupByKey:PID, Type: REG_DWORD, Data: 0x00000000 7) GroupView, Type: REG_DWORD Data: 0x00000000 8) IconSize, Type: REG_DWORD Data: 0x00000010 9) LogicalViewMode, Type: REG_DWORD, Data: 0x00000001 10) Mode, Type: REG_DWORD, Data: 0x00000004 11) Sort, Type: REG_BINARY, Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 01 00 00 00 HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/5/shell: (3 entries) 1) Name: (Default), Type: REG_SZ, Data: (value not set) 2) Name: KnownFolderDerivedFolderType, Type: Reg_SZ, Data: {57807898-8C4F-4462-BB63-71042380B109} 3) Name: SniffedFolderType, Type: REG_SZ Data: Generic HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/5/shell/5C4F 28B5-F869-4E84-8E60-F11DB97C5CC7: (13 entries) 1) (Default), Type: REG_SZ, Data: (value not set) 2) ColInfo, Type: REG_BINARY, Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 10 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 18 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 10 01 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0E 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 04 00 00 00 78 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0C 00 00 00 50 00 00 00 3) FFlags, Type: REG_DWORD Data: 0x41200011 4) GroupByDirection, Type: REG_DWORD, Data: 0x00000001 5) GroupByKey:FMTID, Type: REG_SZ, Data: {00000000-0000-0000-0000-000000000000} 6) GroupByKey:PID, Type: REG_DWORD, Data: 0x00000000 7) GroupView, Type: REG_DWORD Data: 0x00000000 8) IconSize, Type: REG_DWORD Data: 0x00000010 9) LogicalViewMode, Type: REG_DWORD, Data: 0x00000001 10) Mode, Type: REG_DWORD, Data: 0x00000004 11) Rev, Type: REG_DWORD, Data: 0x00000000 12) Sort, Type: REG_BINARY, Data: 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 0A 00 00 00 01 00 00 00 13) Vid, Type: REG_SZ, Data: {137E7700-3573-11CF- AE69-08002B2E1262} Shell/bags/6: The content of the Shellbag in slot 6 was unchanged by this action. Shell/bags/8: A new Shellbag was created for slot 8 by this action. It is a different type of Shellbag from the Shellbags for actual folders. Its contents and potential data slots are less and fewer than the previous Shellbag types we have examined to this point. HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/8: (1 entry ) Name: (Default), Type: REG_SZ, Data: (value not set) HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/8/Shell: (2 entries) 1) Name: (Default), Type: REG_SZ, Data: (value not set) 2) Name: KnownFolderDerivedFolderType, Type: Reg_SZ, Data: {57807898-8C4F-4462-BB63-71042380B109} i. Log analysis: Of Note: The fields “Rev” and “Vid” are not present in the subfolder of ComDlg, and its field “FFlags” has a different data value than the same field in the otherwise comparable subfolder: HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShell/bags/5/shell / 5C4F28B5-F869-4E84-8E60-F11DB97C5CC7. This may indicate that a ComDlg folder is unique to a folder that contains another folder. Therefore, its presence indicates the presence of a folder within the folder. It does not seem to contain any indication of the identity of the nested folder, however. The creation of an additional Shellbag occupying its own slot, slot 8 in this case, is also interesting. Future research can examine the relationship of the different types of Shellbags to the folder and subfolder arrangement in the file system.
  • 5. E. Experiment 5 The folder associated with Shellbag 5 was closed, to trigger any Shellbag content changes that might have been cached to wait until folder close to update, as was suggested by previous research. This experiment was designed to observe user action associated with Desktop folders [1] and their resulting Registry changes in their associated Shellbag folders. The experiment performed for the purposes of this paper seeks to observe the changes to the contents of the Shellbag folder and associated Metadata, and compare those observations to the results of similarly designed experiments to determine forensically useful information. The first steps in conducting this experiment were documented in the previous experiments. ShellBagsView [2] was used to document the metadata. The program RegEdit [4] was used to determine the content of the associated Shellbag. Subsequently the folder was closed. The Shellbag contents and Shellbag metadata were then examined. i. Log analysis: Shell/bags/5: No content of this Shellbag has changed. Shell/bags/6: No content of this Shellbag has changed. Shell/bags/8: No content of this Shellbag has changed . This indicates that upon the moving of a folder into another folder, all the Shellbag content modifications are made immediately, and are not cached for update upon closing, as has been seen in previous research. F. Experiment 6 The folder associated with Shellbag 5 was reopened, and the folder associated with Shellbag 6 was removed. This was accomplished by dragging and dropping the folder from the folder and back onto the desktop. This experiment was designed to observe user action associated with Desktop folders [1] and their resulting Registry changes in their associated Shellbag folders. 
The experiment performed for the purposes of this paper seeks to observe the changes to the contents of the Shellbag folder and associated Metadata, and compare those observations to the results of similarly designed experiments to determine forensically useful information. The first steps in conducting this experiment were documented in the previous experiments. ShellBagsView [2] was used to document the metadata. The program RegEdit [4] was used to determine the content of the associated Shellbag. Subsequently the folder was closed. The Shellbag contents and Shellbag metadata were then examined. i. Log Analysis Shell/bags/5: No content of this Shellbag has changed. Shell/bags/6: No content of this Shellbag has changed. Shell/bags/8: No content of this Shellbag has changed. Even though the content of the Shellbags was updated upon moving a folder to be within another folder, prior to closing the folder, this removal of the folder from within another folder produces no Shellbag content change. This means that a review of the Shellbags contents at this point, if compared to the results from experiment 5, could indicate to an investigator that there is a folder present in the parent folder, when it no longer resides there. G. Experiment 7 The folder associated with Shellbag 5, from which the folder associated with Shellbag 6 has been removed, was closed. This was to try to trigger any Shellbag content updates, as was indicated might happen by previous research. The associated Shellbag contents for Shellbags 5, 6, and 8 were reviewed This experiment was designed to observe user action associated with Desktop folders [1] and their resulting Registry changes in their associated Shellbag folders. The experiment performed for the purposes of this paper seeks to observe the changes to the contents of the Shellbag folder and associated Metadata, and compare those observations to the results of similarly designed experiments to determine forensically useful information. 
The first steps in conducting this experiment were documented in the previous experiments. ShellBagsView [2] was used to document the metadata. The program RegEdit [4] was used to determine the content of the associated Shellbag. Subsequently the folder was closed. The Shellbag contents and Shellbag metadata were then examined. i. Log analysis: Shell/bags/5: No content of this Shellbag has changed. Shell/bags/6: No content of this Shellbag has changed. Shell/bags/8: No content of this Shellbag has changed. The absence of any change in the Shellbag files affected by the move of this folder, even after the closing of the parent folder, means that their current contents are identical to their contents when the folder was still located within the other folder. This means that the presence of Shellbag 8 and of the ComDlg subfolder do not indicate a current status of a folder system, but only that a parent folder system existed at one time. IV. ANALYSIS OF CAUSALITY BETWEEN USER ACTIONS AND SHELLBAG INFORMATION UPDATING Previous research has indicated that Windows 10 Shellbag updating has moved, since Windows XP, to a strictly post- closing process [5]. These results seem to indicate that, although that is applicable to the actions evaluated in the previous research, Shellbag content updating for the actions evaluated here, closing of a folder has no impact on the contents of the Shellbag; see experiments 2, 5, and 7. Instead, the only action evaluated here which had any impact on Shellbag content was the moving of a folder into another folder, in experiment 4. Of serious note is the standardized Shellbag format that is provided at the beginning of this paper, under the content for Shellbag 6. That data is valid for all new folders which have been opened and closed and re-opened on the desktop for a
non-customized new installation of Windows 10, as run in a virtual machine. It is not unique to a single folder. This means that if a folder has any Shellbag settings differing from those of a “newly created folder”, either a user has manipulated the custom default folder settings, or the folder metadata, and perhaps also the Shellbag metadata, has been modified to make it look like a “newly created folder” when it has actually been manipulated somehow. Also notable is that the moving of files into a folder, whether it is open or closed, has no impact on Shellbag content. Pertinent to investigations, this means a number of things:
1) A casual, not particularly computer-savvy, user might have extensive knowledge of the contents of a folder without the existence of a Shellbag for that folder, if the user moved a collection of files into the folder without ever opening the folder. This can be done using the drag and drop method.
2) Malware, a malicious user, or another agent might easily hide information from an investigator who limits content searches to folders which have Shellbags. This field is not yet well enough understood to begin utilizing the limited information available to reduce an investigative workload.
3) Just because the Shellbag metadata has not updated during the scope of the investigative period does not mean that the associated folder structure and folder contents have not changed during that time.
4) Although there was great hope that Shellbags might prove to be a powerful exonerating or evidentiary tool, it might be that their presence, or absence, and their metadata will prove to be much less impactful in the forensic field than was first indicated.

Future research in this area should include examining the registry updates involved in changing window viewing, size, ordering, and other settings controlled by Shellbags. It should also evaluate the different types of Shellbags, and the Shellbag contents, that are created in the registry by folders created in different parts of the system, i.e. not just on the desktop. It should examine the relationship of the Shellbag content to the folder parent/child structure, to see if any correlations can be drawn from existing Shellbag content and folder structure to a previously existing folder structure. For example: if a suspect were trying to obscure information by dividing it into various folders, which were structured in a certain way, and then disorganizing the folders, could the previous folder structure be reconstructed using Shellbag structure and content? Future research in this area should also evaluate Shellbag contents and structure for a system in which multiple profiles have access to the same folders.

REFERENCES
[1] Y. Zhu, P. Gladyshev, and J. James, (2009) “Using shellbag information to reconstruct user activities,” [online]. Available: www.dfrws.org/2009/proceedings/p69-zhu.pdf
[2] ShellBagsView, V1.16, NirSoft products, www.nirsoft.net
[3] RegMon – M. Russinovich and B. Cogswell [online], no longer available or usable on modern Windows systems.
[4] RegEdit – Windows utility, included standard with Microsoft Windows.
[5] A. Bennett, (2014) “Application of Windows XP Shellbag Analysis Techniques to Windows 10 Platform,”