Incident Response with EZTools - Shellbags Forensics
Shellbag Explorer is bundled with EZTools. This tool is a GUI for viewing Shellbag data.
Shellbags are a set of registry keys which contain details about a user’s viewed folder, such as its size, position, and icon. This means that all
directory traversal is tracked and maintained in the registry.
Windows creates a number of additional artifacts when storing these properties
in the registry, providing the investigator with valuable information about the suspect’s folder and browsing history, as well as details for any folder that might no longer exist on a system. (due to deletion, or
being located on a removable device.)
During an incident, adversaries may delete or open a directory, and being to
track their actions through these artifacts can help the responder to retrieve evidence whether the directory was opened or deleted.
Related Blog Post:
On Windows system, this can be found at: C:\Users\<users>\App Data\Local\Microsoft\Windows\UserClass.DAT
On Windows registry, this can be found at: HKEY_CLASSES_ROOT\Local Settings\SOFTWARE\Microsoft\Windows\Shell
Below is the Shellbag Explorer user interface: