Incident Response with EZTools - Shellbags Forensics

SBECmd is bundled with EZTools. It is the command-line edition of ShellBags Explorer, used for exporting Shellbag data.

Shellbags are a set of registry keys which contain details about the folders a user has viewed, such as their size, position, and icon. This means that all directory traversal is tracked and maintained in the registry.

Windows creates a number of additional artifacts when storing these properties in the registry, providing the investigator with valuable information about the suspect’s folder and browsing history, as well as details for any folder that might no longer exist on a system (due to deletion, or because it was located on a removable device).

During an incident, adversaries may open or delete a directory, and being able to track their actions through these artifacts helps the responder retrieve evidence of whether the directory was opened or deleted.

Related Blog Post:

On a Windows system, this can be found at: C:\Users\<user>\AppData\Local\Microsoft\Windows\UsrClass.dat

On a Windows registry, this can be found at: HKEY_CLASSES_ROOT\Local Settings\SOFTWARE\Microsoft\Windows\Shell
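Under that Shell key, BagMRU holds one shell item per visited folder as a binary value named by index, and an MRUListEx value that orders those indices most-recent-first. The following is an added example, not code from the post or from EZTools, that decodes MRUListEx and the common "file entry" shell item (short DOS name, FAT modification time) from a constructed in-memory copy of such a key; SBECmd handles the many other item types and the extension blocks that a real key also contains.

```python
import struct
from datetime import datetime

def fat_to_datetime(date, time):
    """Decode a DOS/FAT date+time pair (local time, 2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_file_entry_item(data):
    """Parse a file entry shell item (class type 0x30..0x3F); the 14-byte
    header is: size, type, unknown, file size, FAT date, FAT time, attrs,
    followed by the null-terminated 8.3 primary name."""
    size, ctype, _unk, fsize, fdate, ftime, attrs = struct.unpack_from("<HBBIHHH", data, 0)
    if ctype & 0x70 != 0x30:
        raise ValueError(f"not a file entry shell item: 0x{ctype:02x}")
    name_end = data.index(b"\x00", 14)
    return {
        "kind": "directory" if ctype & 0x01 else "file",
        "short_name": data[14:name_end].decode("ascii"),
        "modified": fat_to_datetime(fdate, ftime),
        "size": fsize,
    }

def mru_order(mrulistex):
    """MRUListEx: uint32 LE indices, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", mrulistex):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def most_recent_first(bag_values):
    """Return (index, parsed item) pairs in the order the user last visited them."""
    return [(i, parse_file_entry_item(bag_values[str(i)])) for i in mru_order(bag_values["MRUListEx"])]

def _make_item(ctype, name, fdate, ftime):
    """Build a minimal file entry item for the constructed sample (no extension block)."""
    body = struct.pack("<BBIHHH", ctype, 0, 0, fdate, ftime, 0x10) + name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)          # items are 2-byte aligned
    return struct.pack("<H", len(body) + 2) + body

# Constructed sample of a BagMRU key: two directory items, index 1 visited last.
SAMPLE_BAGMRU = {
    "0": _make_item(0x31, "REPORTS", 0x5762, 0x48A5),   # 2023-11-02 09:05:10
    "1": _make_item(0x31, "EVIDENCE", 0x586F, 0x73C0),  # 2024-03-15 14:30:00
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for idx, item in most_recent_first(SAMPLE_BAGMRU):
        print(idx, item["kind"], item["short_name"], item["modified"])
```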

Below are the SBECmd options and arguments.

Shellbag Forensics

Shellbags-Part 1

Shellbags-Part 2