Sign up to save your podcasts
Or
Share Course 21 - Digital Forensics: Windows Shellbags | Episode 3: ShellBag Forensics: Practical Validation and Timestamp Analysis
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 21 - Digital Forensics: Windows Shellbags | Episode 3: ShellBag Forensics: Practical Validation and Timestamp Analysis
In this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- Practical ShellBag Forensics Workflow
- How ShellBags function as registry-based artifacts that record user folder interaction and view preferences.
- The full investigative cycle: evidence creation, acquisition, analysis, and validation.
- Registry Hive Acquisition
- Creating controlled user activity (e.g., test folders) to deliberately generate ShellBag evidence.
- Exporting NTUSER.DAT from the root of the user profile and USRCLASS.DAT from the AppData directory using FTK Imager.
- Required system configuration steps, including enabling hidden files and protected operating system files, to access locked registry hives.
- Interpreting ShellBag Timestamps
- Understanding the forensic meaning of Last Write Time, which reflects either the first folder access or a change in folder view settings.
- Differentiating embedded MAC times (Created, Modified, Accessed) as historical snapshots captured when the ShellBag entry was first generated.
- Correctly handling UTC/GMT timestamps and applying local time offsets to ensure accurate forensic timelines.
- Validation Through Controlled Experiments
- Demonstrating that changing folder view options (such as switching to large icons) updates the Last Write Time without altering embedded MAC timestamps.
- Recognizing normal conditions where certain directories—such as system folders or hard-coded shortcuts—do not contain MAC times.
- Evidence Location Awareness
- Knowing where user-specific ShellBag data resides within the Windows registry structure.
- Understanding how these locations support user attribution and timeline reconstruction during forensic investigations.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- Practical ShellBag Forensics Workflow
- How ShellBags function as registry-based artifacts that record user folder interaction and view preferences.
- The full investigative cycle: evidence creation, acquisition, analysis, and validation.
- Registry Hive Acquisition
- Creating controlled user activity (e.g., test folders) to deliberately generate ShellBag evidence.
- Exporting NTUSER.DAT from the root of the user profile and USRCLASS.DAT from the AppData directory using FTK Imager.
- Required system configuration steps, including enabling hidden files and protected operating system files, to access locked registry hives.
- Interpreting ShellBag Timestamps
- Understanding the forensic meaning of Last Write Time, which reflects either the first folder access or a change in folder view settings.
- Differentiating embedded MAC times (Created, Modified, Accessed) as historical snapshots captured when the ShellBag entry was first generated.
- Correctly handling UTC/GMT timestamps and applying local time offsets to ensure accurate forensic timelines.
- Validation Through Controlled Experiments
- Demonstrating that changing folder view options (such as switching to large icons) updates the Last Write Time without altering embedded MAC timestamps.
- Recognizing normal conditions where certain directories—such as system folders or hard-coded shortcuts—do not contain MAC times.
- Evidence Location Awareness
- Knowing where user-specific ShellBag data resides within the Windows registry structure.
- Understanding how these locations support user attribution and timeline reconstruction during forensic investigations.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy