sbag is a Windows registry parser that targets the Shellbag subkeys to pull useful directory and file artifacts to help identify user activity. There are binaries available for Windows, Linux and Mac OS-X. The Windows version allows one to parse hives resident on a live system.
As background, the ShellBag information is a set of subkeys in a user registry hive (e.g., the ntuser.dat and usrclass.dat files) used by the Windows operating system to track user window viewing preferences. It does this by storing various Windows Explorer settings that relate to dimensions, settings, etc. This allows one to reopen the same folder at a later time with the settings from the previous time. Each user will have separate preferences for folders, and therefore, these settings are stored in the appropriate user hive.
Since the ShellBag subkeys store various metadata on how Windows Explorer items were arranged, and since they are recorded for each user, from a computer forensics standpoint, one can parse the data and pull out various pieces of information that relate to user interaction. When combined with other available computer artifacts, it could provide a more complete picture of what files were accessed or deleted by the user and from what storage device they were accessing (could be either an internal, external or network storage device). The ‘ShellNoRoam\BagXxx’ key(s) hold data for local folders and the ‘Shell\BagXxx’ key(s) hold data for the remote folders.
The registry subkeys that sbag evaluates include the following:
- NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
- NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
- NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
- NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags
- UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
- UsrClass.DAT\Local Settings\Software\Microsoft\Windows\ShellNoRoam\BagMRU
- UsrClass.DAT\Local Settings\Software\Microsoft\Windows\ShellNoRoam\Bags
On Vista and Windows 7, the UsrClass hive is new and is located in the C:\Users\<user>\AppData\Local\Microsoft\Windows directory.
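The hive locations above, applied to a mounted disk image, as an added example that is not part of sbag or the original page. It collects each profile's NTUSER.DAT and UsrClass.dat so they can be handed to a shellbag parser; the function names, NTUSER.DAT sitting in the profile root, and the `regf` signature check are assumptions of this example.

```python
import sys
from pathlib import Path

REGF_MAGIC = b"regf"  # signature found at offset 0 of a registry hive file

# Hive locations relative to a user profile directory. The UsrClass path is
# the Vista/Windows 7 location given above; NTUSER.DAT in the profile root
# is an assumption of this example.
HIVE_LOCATIONS = {
    "NTUSER.DAT": (),
    "UsrClass.dat": ("AppData", "Local", "Microsoft", "Windows"),
}

def _child(parent, name):
    """Case-insensitive lookup, for images mounted on case-sensitive filesystems."""
    if parent is None or not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None

def _is_hive(path):
    """True if the file starts with the 'regf' signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == REGF_MAGIC
    except OSError:
        return False

def find_user_hives(image_root):
    """Return {username: [hive paths]} for every profile under <root>/Users."""
    users_dir = _child(Path(image_root), "Users")
    found = {}
    if users_dir is None:
        return found
    for profile in sorted(p for p in users_dir.iterdir() if p.is_dir()):
        hives = []
        for hive_name, subdirs in HIVE_LOCATIONS.items():
            node = profile
            for part in subdirs + (hive_name,):
                node = _child(node, part)
            if node is not None and node.is_file() and _is_hive(node):
                hives.append(str(node))
        if hives:
            found[profile.name] = hives
    return found

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for user, hives in find_user_hives(root).items():
        print(user, *hives, sep="\n  ")
```

Files that carry a hive name but lack the signature are skipped, which keeps truncated or zeroed copies out of the parser's input.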
How to use sbag
sbag is a console application, and thus, to use this tool on a live system, one will need to open the command prompt with administrator privileges first. One can display the menu options by typing in the executable name with no parameters. A screen shot of the menu is shown below.
While the menu shows a number of different options, the only required parameter to pass in is the user hive one wishes to extract shellbag artifacts from. The available options include: (a) annotating username and/or hostname to the output (version 0.23+), (b) specifying what type of format one wishes to put the output data in, (c) whether to extract data from cell slack space (version 0.24+), and (d) miscellaneous and date/time format options (version 0.29+).
The output options include: (a) the default output, where each record is on a separate line and each field is separated by the pipe character, (b) the SleuthKit body-file format and (c) the log2timeline CSV (comma separated value) format.