ShellBags Artifacts

Windows Forensics: Shellbags - System Browsing Artifacts

Lab Requirements


In this demo, we will explore different ways how to analyze and investigate shellbags artifacts.

We will be creating a directory named “Malicious” to perform this task.


In this demo, we will tackle the first approach on how to extract registry hives on a Windows system.

We will be using a tool called “Windows Live Response” with the “Triage” option to gather all volatile data.

After successful execution, a directory named “Endpoint Artifacts” will be created which contains the registry hives that can be used later to extract shellbags entries.


Inside LiveResponseData > CopiedFiles > Registry directory we expect to see these Registry Hives:

      • <User>_NTUSER.dat
      • <User>_USRCLASS.dat

Next, using MiTec Windows Registry Recovery tool we can inspect the extracted hives for shellbags entries.

Shellbags Registry Location can be found at:

    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\Bags
    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\BagMRU
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • By using MiTec Windows Registry Recovery tool, we now able to check shellbags entries and in this case we can see our “malicious” directory in Analyst_USRCLASS.dat registry hive.
  • Learn and Download MiTec Registry Recovery:

In this approach, we will extract shellbags entries from the registry of the live system.

To do this, we will be using SBECmd.exe from EZ tool.

Command: SBECmd.exe -l –csv <target_dir>

What the command does is it process the registry of the live system to look for shellbag entries then dumping the output inside the declared target directory in csv format.

Learn and Download SBECmd here:

After successful execution, we use Timeline Explorer from EZ tools to view the extracted artifacts.

In this case, we can see our “Malicious” directory with its details such as: