Shellbag Forensics

As a continuation of the "Introduction to Windows Forensics" series, this video introduces Shellbags. Have you ever customized the folder view settings within any folder in Windows Explorer? This could be anything from changing the sort order, to changing the view type from icons, to list view, to detail view, changing what columns are visible, or even changing the size of the window. If so, when you’ve returned to that folder at a later date, you’ve probably seen that the customizations remained. That information is stored within “Shellbags”.

Why do we care about folder view settings, and how could this possibly be of forensic interest? Watch this video and find out!

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

Introduction to Windows Forensics:
https://www.youtube.com/watch?v=VYROU-ZwZX8

Shellbags Forensics: Addressing a Misconception:
http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html

Forensic Analysis of Windows Shellbags:
https://www.magnetforensics.com/computer-forensics/forensic-analysis-of-windows-shellbags/

Windows ShellBag Parser:
https://www.tzworks.net/prototype_page.php?proto_id=14

Shellbags.py:
https://github.com/williballenthin/shellbags

ShellBags Explorer:
https://ericzimmerman.github.io/

Internet Evidence Finder (IEF):
https://www.magnetforensics.com/magnet-ief/

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

Видео Shellbag Forensics канала 13Cubed