Analysis of Shellbags is an extremely useful method of determining what file or folder actions have been taken on a host by a specific user.

What are Shellbags?

Shellbags are a set of registry keys that contain details about a folder a user has viewed, such as its size, position, and icon. This means that all directory traversal is tracked and maintained in the registry.
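As an added example (not code from the original article), the sketch below shows how the folder hierarchy and its ordering can be read back out of that key tree. It goes beyond the text above: `BagMRU`, `MRUListEx` and `NodeSlot` are the real Windows registry names, which the article does not mention, while the dictionary layout, the `leaf` helper and every sample value are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def mru_order(raw):
    """Decode MRUListEx: little-endian uint32 child names, most recent first,
    ended by 0xFFFFFFFF. A truncated or unterminated value is tolerated."""
    order = []
    for off in range(0, len(raw) - 3, 4):
        (slot,) = struct.unpack_from("<I", raw, off)
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order

def walk(key, path="BagMRU"):
    """Yield (path, last_write_utc, node_slot) per key, children in MRU order.
    NodeSlot names the Bags\\<n> key that stores that folder's view settings."""
    yield path, filetime_to_utc(key["last_write"]), key.get("NodeSlot")
    for slot in mru_order(key.get("MRUListEx", b"")):
        child = key["subkeys"].get(str(slot))
        if child is not None:  # an MRU entry can outlive its deleted subkey
            yield from walk(child, f"{path}\\{slot}")

def leaf(ft, node_slot):
    """Constructed helper: a key with no children (empty MRUListEx)."""
    return {"last_write": ft, "NodeSlot": node_slot,
            "MRUListEx": struct.pack("<I", 0xFFFFFFFF), "subkeys": {}}

T0 = 132223104000000000  # constructed FILETIME: 2020-01-01 00:00:00 UTC
HOUR = 36_000_000_000    # one hour in 100 ns ticks
SAMPLE = {  # constructed stand-in for a parsed BagMRU tree, not real evidence
    "last_write": T0 + 2 * HOUR, "NodeSlot": 1,
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "subkeys": {
        "0": leaf(T0, 2),
        "1": {"last_write": T0 + HOUR, "NodeSlot": 3,
              "MRUListEx": struct.pack("<3I", 5, 0, 0xFFFFFFFF),  # 5 was deleted
              "subkeys": {"0": leaf(T0 + HOUR, 4)}},
    },
}

if __name__ == "__main__":
    for path, when, node_slot in walk(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  Bags\\{node_slot}  {path}")
```

Against a real hive, the same walk would be fed from a registry parser reading the user's `NTUSER.DAT` or `UsrClass.dat`, with each key's last-write time supplying the `last_write` value.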

The shellbags provide timestamps, contextual information, and show the access of directories and other resources, potentially…

Chris Eastwood

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.
