## Introduction

Shellbag is an artifact that records traces of folder access, which makes it valuable evidence in a digital forensic investigation. It is not a file format: the data lives in the registry, so it helps to have read the articles tagged [[Registry]] first. Shellbag stores the data that results from a user interacting with Windows Explorer. The specifics are discussed below. Simply collecting information about folder access history may not mean much on its own; walking through a real-world case makes it much clearer what a Shellbag artifact is.

> [!NOTE] Is it all the same regardless of Windows version?
>
> The Shellbag artifact first appeared in Windows XP. The location of the data varies by Windows version, but the concept and the function do not. This article therefore explains the Shellbag artifact on Windows 10, the most commonly used version.

## Path

```
C:\Users\%UserName%\NTUSER.DAT (Registry Hive File)
 ㄴ \Software\Microsoft\Windows\Shell\BagMRU
 ㄴ \Software\Microsoft\Windows\Shell\Bags
C:\Users\%UserName%\USRCLASS.DAT
 ㄴ \Software\Microsoft\Windows\Shell\BagMRU
 ㄴ \Software\Microsoft\Windows\Shell\Bags
```

The data reflects the user's interaction with the system, so it is saved in the user hive file `NTUSER.DAT`. To inspect the key-value pairs in a registry hive file you have several options: Registry Editor (regedit.exe) or one of the free tools available online. Opened in a registry tool, the hive shows the key hierarchy and the key-value pairs under it.
## Data

In a forensic analysis, what kind of data an artifact holds matters, but when and why the artifact is updated matters just as much. So we first look at what causes Shellbag data to be updated. After the update triggers, we discuss the individual data and how it can be used, and from which perspective.

### Data Creation Rule

* Folder traversal in Windows Explorer
* Viewing folders in Windows Explorer
* Creating folders in Windows Explorer
* Moving or copying folders in Windows Explorer
* Deleting files in Windows Explorer
* Modifying the location or size of a Windows Explorer window
* Editing file/folder properties in Windows Explorer
* Calls to the GetOpenFileName API
* Changing view settings in Windows Explorer
  - Sort order change
  - Layout change

### BagMRU

Under the BagMRU key there are numbered subkeys. BagMRU itself, the root key, is the Desktop directory. It is tempting to assume that every subkey of BagMRU is a subdirectory of Desktop, but that is not the case: only Shellbags whose shell item type is Directory are subdirectories of Desktop.
If the type is Root Folder, the absolute path of the folder is built starting from the path that the Root Folder item represents.

> [!Question] Are BagMRU subkeys generated endlessly?
> As you would expect, they are not.
> Experiments show that subkeys are indexed from 0 to 499, so 500 is the maximum number of keys.

The binary data stored in each value is called a `Shell Item`. Let's see how to extract information from shell items by analyzing their structure.

> [!Tip] MEGA Tips
> The binary structures of artifacts and file systems are already documented by Joachim Metz. Keep in mind that when you need to look up the structure of an artifact or file system, his documentation is an excellent reference.
> Even this article relies on the structures in the link below. It is not a copy or a summary of that document, though: it adds its own experiments, and so should you.

> [!info] libfwsi/Windows Shell Item format.asciidoc at main · libyal/libfwsi
> Library to access the Windows Shell Item format. Contribute to libyal/libfwsi development by creating an account on GitHub.
> [https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc](https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc)

A shell item's structure depends on its type descriptor. The format is not uniform, so each descriptor has its own structure. This article covers only the frequently used shell items that carry information about directories.
**General Structure**

| Offset | Size | Description |
| ------ | ---- | ----------- |
| 0x00 | 0x02 | Shell item size |
| 0x02 | 0x01 | Directory type descriptor <br>- 0x00 : Unknown <br>- 0x01 : Unknown <br>- 0x14 : Virtual directory (WSL, Control Panel, etc.) <br>- 0x17 : Unknown <br>- 0x1E : CLSID_ShellDesktop <br>- 0x1F : Root directory shell item <br>- 0x2X : Volume shell item <br>- 0x3X : File entry shell item <br>- 0x4X : Network location shell item <br>- 0x52 : Compressed folder shell item <br>- 0x61 : URI shell item <br>- 0x70 : Control Panel task (Control Panel itself was found to be 0x14) |
| 0x03 | - | Variable; the layout depends on the actual data and on the directory type descriptor |
| - | - | The end of the [ItemIDList](https://learn.microsoft.com/en-us/windows/win32/api/shtypes/ns-shtypes-itemidlist) is marked by a 16-bit 0x0000 |

**Root Directory Shell Item (0x14)**

This is the Shellbag for the directories shown in the file explorer, such as Documents, My Computer, Recycle Bin, etc.

| Offset | Size | Description |
| ------ | ---- | ----------- |
| 0x00 | 0x02 | Shell item size |
| 0x02 | 0x01 | Directory type descriptor (0x14) |
| 0x03 | 0x01 | Sort index <br>- 0x00 : Internet Explorer <br>- 0x42 : Libraries <br>- 0x44 : Users <br>- 0x48 : My Documents <br>- 0x50 : My Computer <br>- 0x58 : My Network Places/Network <br>- 0x60 : Recycle Bin <br>- 0x68 : Internet Explorer <br>- 0x70 : Unknown <br>- 0x80 : My Games |
| 0x04 | 0x10 | [Shell Folder Identifier](https://github.com/libyal/libfwsi/wiki/Shell-Folder-identifiers) |

**Other Keys**
- **MRUListEx**: This value holds the access order. Each entry is 4 bytes, and the final 4 bytes are 0xFFFFFFFF.
- **NodeSlot**: Key value of a single MRU entry. The NodeSlot number matches a subkey under Bags.
- **NodeSlots**: Found only in the root BagMRU key. It consists of repeated 0x02 bytes; no other case was observed. A single 0x02 carries no particular meaning, but the number of 0x02 bytes does: it was found to increase when subfolders were created, and also when a shellbag was modified.

### Bags

Keys under Bags differ slightly from BagMRU because the attribute values are stored only in the leaf node key. Let's look at the structure and the information each key provides. A Bag corresponds literally to a directory: each key (folder) under Bags is one directory, and its metadata is stored in the subkey. A Bag is formed in one of two ways: the "Shell" method, used by Windows Explorer, and the "ComDlg" method, invoked when a file or folder is opened or saved through a common dialog. Depending on the method, the subkey is named Shell or ComDlg.

- **Key Value**
  - **ColInfo**: As its name suggests, ColInfo describes the column options shown in Windows Explorer. There are specific options, but not all of them are shown: only the columns selected for display appear in the value.
  - **FFlags**: The initial value is `1092616193 (0x41200001)`. Changing settings such as the sort options changed the value, but no exact meaning for the FFlags bits was found. This will be updated in the future.
  - **GroupByDirection**: When set (`1`, `0x00000001`) items are grouped in ascending order. When unset (`-1`, `0xffffffff`) items are grouped in descending order.
  - **GroupByKey:FMTID**: FMTID values are GUIDs. With no option chosen, which is the default, every value is `0`.
    Changing settings, such as clicking one of the sort methods, changed the value. No table for GroupByKey was found either; this will be updated in the future.
  - **GroupByKey:PID**: GroupByKey:PID stores the selected setting as a PID value in hex. There are many item types, but only the items checked by default are listed in the table.

| PID | Description |
| ---- | ------------- |
| 0x04 | Types |
| 0x05 | Tags |
| 0x0A | Name |
| 0x0C | Size |
| 0x0D | Date |
| 0x0E | Modified Time |
| 0x0F | Creation Time |

  - **GroupView**: Easily confused with GroupByKey because of its name, but it is a field reserved for flag values that depend on the grouping method. If no option is designated, the value is null (`0x00000000`); once any option is selected it becomes `0xFFFFFFFF`.
  - **IconSize**: Very intuitive: IconSize holds the icon size. The commonly used sizes are given in the table below, in pixels.

| Icon | Size |
| ----------- | ---- |
| Extra Large | 256 |
| Large | 96 |
| Normal | 48 |
| Small | 16 |
| Brief | 16 |
| Detail | 16 |
| Tile | 48 |
| Contents | 32 |

  - **LogicalViewMode**: ID value of a view mode.
  - **Mode**: ID value of a view mode.
  - **Rev**: Rev is short for Revision, so it would be expected to change whenever the shellbag for a folder is updated. In practice, Rev values did not change even when shellbags were updated.
  - **Sort**: For the ascending option the value is `0x00000001`; for the descending option it is `0xffffffff`, similar to GroupByDirection.
  - **Vid**: A GUID value that depends on the view mode. A GUID is assigned when an option such as `View(V)` is selected. Many other keys check this value, so treat Vid as a cross-check.
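As an added example (not code from the original article or from libfwsi), a small Python parser that ties the two binary structures above together: it walks the shell items stored in a BagMRU key's numbered values, decodes the root folder item fields from the structure table, and orders the results by MRUListEx. It uses the class type 0x1F for the root folder item, as in the general structure table and libfwsi; the sample values, GUIDs and MRUListEx bytes are constructed, not taken from a real hive.

```python
import struct
import uuid

ROOT_FOLDER = 0x1F  # class type of a root folder shell item (libfwsi naming)
SORT_INDEX_NAMES = {0x42: "Libraries", 0x44: "Users", 0x48: "My Documents", 0x50: "My Computer",
                    0x58: "Network", 0x60: "Recycle Bin", 0x80: "My Games"}

def parse_shell_item(item: bytes) -> dict:
    """Size and class type; for a root folder item also the sort index at
    0x03 (mapped to a name) and the little-endian shell folder GUID at 0x04."""
    size = struct.unpack_from("<H", item, 0)[0]
    info = {"size": size, "class_type": item[2]}
    if item[2] == ROOT_FOLDER and size >= 0x14:
        info["folder"] = SORT_INDEX_NAMES.get(item[3], "Unknown")
        info["guid"] = str(uuid.UUID(bytes_le=bytes(item[4:20]))).upper()
    return info

def parse_item_id_list(data: bytes) -> list:
    """Walk packed shell items; a 16-bit size of 0x0000 ends the list."""
    items, offset = [], 0
    while offset + 2 <= len(data) and (size := struct.unpack_from("<H", data, offset)[0]):
        if size < 3 or offset + size > len(data):
            raise ValueError(f"corrupt shell item at offset {offset}")
        items.append(parse_shell_item(data[offset:offset + size]))
        offset += size
    return items

def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: little-endian DWORD subkey numbers, most recent first,
    closed by 0xFFFFFFFF; BagMRU subkeys only range over 0..499."""
    order = []
    for (entry,) in struct.iter_unpack("<I", data):
        if entry == 0xFFFFFFFF:
            return order
        if entry > 499:
            raise ValueError(f"subkey index {entry} outside 0..499")
        order.append(entry)
    raise ValueError("MRUListEx has no 0xFFFFFFFF terminator")

def recent_folders(values: dict, mrulistex: bytes) -> list:
    """Names of a BagMRU key's root folder items, most recently used first."""
    return [parse_item_id_list(values[i])[0].get("folder", "?")
            for i in parse_mrulistex(mrulistex)]

# Constructed sample (not a real hive): BagMRU values "0" and "1" plus MRUListEx.
BAGMRU_VALUES = {
    0: bytes.fromhex("1400" "1f50" "e04fd020ea3a6910a2d808002b30309d" "0000"),  # My Computer
    1: bytes.fromhex("1400" "1f60" "40f05f6481501b109f0800aa002f954e" "0000"),  # Recycle Bin
}
MRULISTEX = bytes.fromhex("01000000" "00000000" "ffffffff")  # subkey 1 used after 0
```

Calling `recent_folders(BAGMRU_VALUES, MRULISTEX)` on the sample yields the Recycle Bin first and My Computer second, the same order an analyst reads off MRUListEx by hand.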
## Analysis Tools

> [!info] ShellBags Explorer | SANS Institute
> Download ShellBags Explorer, built by SANS Instructor Eric Zimmerman, a GUI for browsing shellbags data.
> [https://www.sans.org/tools/shellbags-explorer/](https://www.sans.org/tools/shellbags-explorer/)

## Conclusion

That was a lot of information about the Shellbag artifact; this is probably the longest article on this blog so far. One thing to keep in mind is that Shellbag holds more information than expected, and the way it stores that information may be unfamiliar. Through this article we learned how to retrieve data from Shellbag and how that data is stored. Because there is so much information and the structure is complex, working from raw registry values without a parsing tool is considered difficult. But it is possible to get the necessary data by knowing the basic structures, which seems quite important. Even with parsing tools, real-life cases may not yield enough data, but it was worth knowing what information Shellbag artifacts contain. In the end, the most important piece of information is the absolute path of the directories the user has accessed.