Windows 10 — Shell-Item Analysis

Mehrnoush
11 min read · Jul 10, 2022


Windows 10 shell items are metadata files that store information about various objects in the Windows operating system, such as shortcuts, files, and folders. They can provide valuable information for forensic investigations, as they contain information about the location and usage of files and folders.

To perform shell item forensics on Windows 10, you can use forensic tools such as Autopsy, EnCase, or Belkasoft Evidence Center, which can extract and analyze shell item metadata. You can also manually analyze shell items by using the Windows Shellbags parser, which is a tool that can extract and interpret the binary data stored in shell item files.

The information contained in shell items can be used to reconstruct the file system structure and determine the usage patterns of files and folders. This information can be useful in various forensic scenarios, such as investigations of cybercrime, digital fraud, and intellectual property theft.

It is important to note that shell items can be deleted or modified, so it is important to ensure that the integrity of the data is preserved during the forensic analysis process. This can be achieved by making a forensic image of the storage device and using the proper chain of custody procedures.

There are three important sources of evidence in Windows forensics that are known as shell items: shellbags, .lnk (shortcut) files, and jump lists. Shellbags store information about the view settings of a folder, such as the size and position of windows, and can show how the folder has been used. .lnk files are shortcuts to files, folders, or applications, and contain information such as the target path, date and time stamps, and various other attributes. Jump lists are a Windows 10 feature that stores a list of recently opened files, folders, or applications for a particular program, and can reveal the usage patterns of specific applications. In this post, we discuss shell items and how to extract useful information from them.

Shellbags

Shellbags are a type of shell item in Windows 10 that store information about the view settings of a folder, such as the size and position of windows, the column widths and order in Details view, and the sort order. Shellbags are stored in the registry and can provide valuable information for forensic investigations, as they contain information about how a folder has been used, such as the date and time of access, the files that have been opened, and the order in which files have been opened.

Shellbags can be used to reconstruct the file system structure and determine the usage patterns of files and folders. This information can be useful in various forensic scenarios, such as investigations of cybercrime, digital fraud, and intellectual property theft.

It is important to note that shellbags can be modified or deleted, so it is important to ensure that the integrity of the data is preserved during the forensic analysis process. This can be achieved by making a forensic image of the storage device and using the proper chain of custody procedures.

From another point of view, shellbags are a collection of registry keys that give us information about folders a user has viewed. This is valuable information that helps us answer questions and solve the case. For example, a company reports an information-leakage incident; investigating these registry keys tells us which folders were recently viewed, by which user, and so on. In fact, Microsoft Windows records information about user activities related to Explorer and the desktop in these registry keys.

You will find evidence as follows:

The USRCLASS.DAT file is a user-specific file located in the “C:\Users\<Username>\AppData\Local\Microsoft\Windows” directory in Windows 10. The USRCLASS.DAT file contains information about the settings and configuration of various applications and features, such as the desktop background, taskbar settings, and window size and position.

USRCLASS.DAT located on:

%appdata%\Local\Microsoft\windows\

Registry hives:

The “Bags” subkey under the “Software\Microsoft\Windows\Shell” key in the registry is where shellbag information is stored. Specifically, the information about the view settings of a folder, such as the size and position of windows, the column widths and order in Details view, and the sort order, are stored as binary data in this subkey.

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

By analyzing the contents of the USRCLASS.DAT file and the “Bags” subkey, forensic investigators can gain insight into the usage patterns of files and folders, and can reconstruct the file system structure.

The “BagMRU” subkey under the “Software\Microsoft\Windows\Shell” key in the registry is related to shellbags and is used to store information about the most recently used (MRU) folders. Specifically, the “BagMRU” subkey contains a list of binary values, each representing a folder that has been accessed by the user.

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

By analyzing the contents of the “BagMRU” subkey, forensic investigators can determine the most recently used folders, which can provide valuable information about the usage patterns of files and folders.

The “ShellNoRoam” subkey under the “Software\Microsoft\Windows\Shell” key in the registry is related to shellbags and is used to store information about the view settings of a folder for a specific user profile, but in a way that the information is not roaming, meaning it is not synced between different devices or profiles.

The “Bags” subkey under the “ShellNoRoam” key contains information about the view settings of a folder, such as the size and position of windows, the column widths and order in Details view, and the sort order, stored as binary data.

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\ShellNoRoam\Bags

By analyzing the contents of the “Bags” subkey, forensic investigators can gain insight into the usage patterns of files and folders for a specific user profile.

The “BagMRU” subkey under the “ShellNoRoam” key in the registry is related to shellbags and is used to store information about the most recently used (MRU) folders for a specific user profile, but in a way that the information is not roaming, meaning it is not synced between different devices or profiles.

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\ShellNoRoam\BagMRU

The “BagMRU” subkey contains a list of binary values, each representing a folder that has been accessed by the user. By analyzing the contents of the “BagMRU” subkey, forensic investigators can determine the most recently used folders for a specific user profile, which can provide valuable information about the usage patterns of files and folders.

The NTUSER.DAT file is a user-specific file located in the “C:\Users\<Username>” directory in Windows 10. The NTUSER.DAT file contains information about the settings and configuration of various applications and features, such as the desktop background, screen saver, taskbar settings, and Control Panel settings, for a specific user profile.

In forensic investigations, the contents of the NTUSER.DAT file can be analyzed to gain insight into the usage patterns and configuration of a user profile.

NTUSER.DAT located on:

%systemdrive%\Users\Default\

Registry hives:

The “Bags” subkey under the “Software\Microsoft\Windows\Shell” key in the registry is related to shellbags and is used to store information about the view settings of a folder for a specific user profile.

The “Bags” subkey contains information about the view settings of a folder, such as the size and position of windows, the column widths and order in Details view, and the sort order, stored as binary data.

NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

The “BagMRU” subkey under the “Software\Microsoft\Windows\Shell” key in the registry is related to shellbags and is used to store information about the most recently used (MRU) folders for a specific user profile.

The “BagMRU” subkey contains a list of binary values, each representing a folder that has been accessed by the user. By analyzing the contents of the “BagMRU” subkey, forensic investigators can determine the most recently used folders for a specific user profile, which can provide valuable information about the usage patterns of files and folders.

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

The “Bags” subkey under the “Software\Microsoft\Windows\ShellNoRoam” key in the registry is related to shellbags and is used to store information about the view settings of a folder for a specific user profile, but in a way that the information is not roaming, meaning it is not synced between different devices or profiles.

NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

The “Bags” subkey contains information about the view settings of a folder, such as the size and position of windows, the column widths and order in Details view, and the sort order, stored as binary data.

The “BagMRU” subkey under the “Software\Microsoft\Windows\ShellNoRoam” key in the registry is related to shellbags and is used to store information about the most recently used (MRU) folders for a specific user profile, but in a way that the information is not roaming, meaning it is not synced between different devices or profiles.

NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU

The “BagMRU” subkey contains a list of binary values, each representing a folder that has been accessed by the user. By analyzing the contents of the “BagMRU” subkey, forensic investigators can determine the most recently used folders for a specific user profile, but limited to the device where the profile is used, which can provide valuable information about the usage patterns of files and folders.

To analyze this information, we use SBECmd.exe, developed by Eric Zimmerman, giving it the path of the USRCLASS.DAT and NTUSER.DAT hives:

SBECmd.exe -f "E:\Users\forensicnine\AppData\Local\Microsoft\Windows\UsrClass.dat" --csv c:\report\

SBECmd.exe -f "E:\Users\forensicnine\NTUSER.dat" --csv c:\report\

Now you have information about BagPath, Slot, NodeSlot, MRUPosition, AbsolutePath, ShellType, Value, ChildBags, CreatedOn, ModifiedOn, AccessedOn, LastWriteTime, MFTEntry, MFTSequenceNumber, ExtensionBlockCount, FirstInteracted, LastInteracted and Miscellaneous.
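Most of the columns SBECmd prints (CreatedOn, ModifiedOn, AccessedOn, MFTEntry, MFTSequenceNumber, the short and long names) are decoded from the file-entry shell items stored inside each BagMRU value. The following is an added example, not code from the post or from Eric Zimmerman's tools: it constructs one such item and parses it back. The byte layout assumed is the publicly documented one (libfwsi) for a type 0x31/0x32 item carrying a version-9 0xbeef0004 extension block, as written by Windows 8 and later; every name, timestamp and MFT number in the sample is constructed.

```python
import struct
from datetime import datetime

EXT_SIGNATURE = 0xBEEF0004  # extension block carrying file-entry metadata


def fat_encode(dt):
    """Encode a naive datetime as a FAT (DOS) date/time pair of uint16 values."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def fat_decode(date, time):
    """Decode a FAT date/time pair. These are local time at 2-second resolution;
    the all-zero pair means "not set" and decodes to None."""
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def build_sample_item(short_name, long_name, modified, created, accessed,
                      mft_entry, mft_seq, is_directory=True):
    """Construct a type 0x31/0x32 shell item with one version-9 0xbeef0004 block
    (constructed test data, not bytes from a real hive)."""
    short = short_name.encode("ascii") + b"\x00"
    short += b"\x00" * (len(short) % 2)            # pad primary name to a 16-bit boundary
    ext_offset = 14 + len(short)                    # item offset of the extension block
    body = struct.pack("<HHHH", *fat_encode(created), *fat_encode(accessed))
    body += struct.pack("<HH", 0x002E, 0)           # identifier, unknown
    body += mft_entry.to_bytes(6, "little") + mft_seq.to_bytes(2, "little")
    body += b"\x00" * 8                             # unknown
    body += struct.pack("<H", 0)                    # localized-name size (none)
    body += b"\x00" * 8                             # two unknown dwords (versions 8 and 9)
    body += long_name.encode("utf-16-le") + b"\x00\x00"
    body += struct.pack("<H", ext_offset)           # "version offset" back-reference
    ext = struct.pack("<HHI", 8 + len(body), 9, EXT_SIGNATURE) + body
    cls, attrs = (0x31, 0x10) if is_directory else (0x32, 0x20)
    size = 14 + len(short) + len(ext)
    return struct.pack("<HBxIHHH", size, cls, 0, *fat_encode(modified), attrs) + short + ext


def parse_file_entry(item):
    """Parse the item header, the 8.3 primary name and the extension block."""
    size, cls, file_size, mdate, mtime, attrs = struct.unpack_from("<HBxIHHH", item, 0)
    if size != len(item) or (cls & 0xF0) != 0x30:
        raise ValueError("not a file-entry shell item")
    end = item.index(b"\x00", 14)
    short_name = item[14:end].decode("ascii")
    off = end + 1 + ((end + 1) % 2)                 # skip terminator and alignment pad
    ext_size, version, sig = struct.unpack_from("<HHI", item, off)
    if sig != EXT_SIGNATURE or version != 9:
        raise ValueError("unsupported extension block %#x version %d" % (sig, version))
    cdate, ctime, adate, atime = struct.unpack_from("<HHHH", item, off + 8)
    mft_ref = int.from_bytes(item[off + 20:off + 28], "little")
    name_start = j = off + 46                       # version-9 offset of the long name
    while item[j:j + 2] != b"\x00\x00":             # UTF-16 terminator, 2-byte stride
        j += 2
    back_ref = struct.unpack_from("<H", item, off + ext_size - 2)[0]
    if back_ref != off:                             # cheap integrity check on the block
        raise ValueError("extension block back-reference does not match")
    return {
        "is_directory": bool(cls & 0x01),
        "file_size": file_size,
        "attributes": attrs,
        "short_name": short_name,
        "long_name": item[name_start:j].decode("utf-16-le"),
        "modified": fat_decode(mdate, mtime),
        "created": fat_decode(cdate, ctime),
        "accessed": fat_decode(adate, atime),
        "mft_entry": mft_ref & 0xFFFFFFFFFFFF,        # low 48 bits: $MFT record number
        "mft_sequence": mft_ref >> 48,                # high 16 bits: reuse counter
    }


def demo():
    item = build_sample_item("SECRET~1", "Secret Docs",
                             modified=datetime(2022, 7, 10, 9, 30, 0),
                             created=datetime(2022, 7, 1, 8, 0, 0),
                             accessed=datetime(2022, 7, 10, 9, 31, 11),
                             mft_entry=12345, mft_seq=3)
    return parse_file_entry(item)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

Two things worth keeping in mind when reading SBECmd output follow from this layout: the three timestamps are FAT date/time pairs, so they are local time at 2-second resolution (the constructed 09:31:11 access time comes back as 09:31:10), and the MFT entry/sequence pair lets you check whether the folder a bag refers to still exists, under that record number, in the $MFT of the imaged volume.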

LNK

LNK files are usually generated automatically by the Windows operating system when a user double-clicks a file. Microsoft Windows uses these shortcut files (also known as the Shell Link Binary File Format) to link to various types of information in the graphical user interface, such as files, network shares, and search results. Windows also creates an LNK file when the user opens a file from a search result in Explorer. “.lnk” is the file extension for a Windows shortcut file, also known as a “link” or “shell link.” A Windows shortcut is a small file that points to another file or resource, such as a program, folder, or document. When a user clicks a shortcut, the target file or resource is opened.

Windows generates many LNK files in different places to track the latest files opened by the user, and stores them in %AppData%\Roaming\Microsoft\Windows\Recent.

Generally, each LNK file contains the file name, path, MAC timestamps, network path, MAC address, IP address, serial number of the USB storage device, the files executed, and other information.

Investigators use this artifact to retrieve metadata about recently opened files.

To analyze .lnk files, you can use LECmd, an open-source LNK parser developed by Eric Zimmerman. Here is how to use it:

LECmd.exe -d "E:\Users\forensicnine\AppData\Roaming\Microsoft\Windows\Recent" --csv c:\report\

Now you have acquired useful information about SourceFile, SourceCreated, SourceModified, SourceAccessed, TargetCreated, TargetModified, TargetAccessed, FileSize, RelativePath, WorkingDirectory, FileAttributes, HeaderFlags, DriveType, VolumeSerialNumber, VolumeLabel, LocalPath, NetworkPath, CommonPath, Arguments, TargetIDAbsolutePath, TargetMFTEntryNumber, TargetMFTSequenceNumber, MachineID, MachineMACAddress, MACVendor, TrackerCreatedOn and ExtraBlocksPresent.
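The MachineID, MachineMACAddress and TrackerCreatedOn columns above come from the TrackerDataBlock at the end of a .lnk file, and the Target* timestamps from its fixed header. The following is an added example, not code from the post or from LECmd: it builds a minimal .lnk (header with no optional structures, one TrackerDataBlock, terminator) according to the MS-SHLLINK layout and parses it back. The host name, MAC address and times in the sample are constructed, not real.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")   # ShellLinkHeader CLSID
TRACKER_SIGNATURE = 0xA0000003                                   # TrackerDataBlock
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
LINK_FLAGS = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (unlike the local FAT
    times inside shell items), so LNK target times are already UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def make_uuid_v1(when, node, clock_seq=0x1234):
    """Build a version-1 UUID by hand so the sample stays deterministic; Windows
    object identifiers (the "droids") are version-1 UUIDs of this shape."""
    t = ((when - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    fields = (t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, ((t >> 48) & 0x0FFF) | 0x1000,
              0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields)


def build_sample_lnk(target_size, written, machine_id, file_droid):
    """Minimal constructed .lnk: header with no optional structures, one
    TrackerDataBlock, then the 4-byte TerminalBlock."""
    ft = datetime_to_filetime(written)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le,
                         0x80,            # LinkFlags: IsUnicode only
                         0x20,            # FILE_ATTRIBUTE_ARCHIVE
                         ft, ft, ft, target_size, 0, 1, 0, 0, 0, 0)
    droids = uuid.UUID(int=0).bytes_le + file_droid.bytes_le    # volume droid, file droid
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIGNATURE, 0x58, 0,
                          machine_id.encode("ascii")) + droids + droids   # Droid, DroidBirth
    return header + tracker + b"\x00\x00\x00\x00"


def parse_lnk(data):
    """Decode the ShellLinkHeader and walk the ExtraData blocks for the tracker."""
    size, clsid, flags, attrs, ctime, atime, wtime, file_size = \
        struct.unpack_from("<I16sIIQQQI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    if flags & 0x7F:
        # Any of bits 0-6 means variable-size structures follow the header; a full
        # parser must walk them before reaching ExtraData. The sample sets none.
        raise NotImplementedError("optional LNK structures not handled here")
    rec = {
        "flags": [name for bit, name in enumerate(LINK_FLAGS) if flags & (1 << bit)],
        "attributes": attrs,
        "target_size": file_size,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
    }
    off = 0x4C
    while off + 8 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            break                                   # TerminalBlock
        if struct.unpack_from("<I", data, off + 4)[0] == TRACKER_SIGNATURE:
            machine = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii")
            droid = uuid.UUID(bytes_le=data[off + 48:off + 64])   # Droid: file object ID
            node = "%012x" % droid.node
            rec["machine_id"] = machine                          # NetBIOS name of the host
            rec["mac_address"] = ":".join(node[i:i + 2] for i in range(0, 12, 2))
            rec["tracker_created"] = UUID_EPOCH + timedelta(microseconds=droid.time // 10)
        off += block_size
    return rec


def demo():
    droid = make_uuid_v1(datetime(2022, 7, 10, 9, 30, tzinfo=timezone.utc), 0x001122334455)
    lnk = build_sample_lnk(4096, datetime(2022, 7, 10, 9, 35, tzinfo=timezone.utc),
                           "FORENSIC-PC", droid)
    return parse_lnk(lnk)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

The MAC address and TrackerCreatedOn values are not stored as such: they are the node and timestamp fields of the version-1 UUID that the distributed link tracking service assigned to the target file on its volume, so TrackerCreatedOn is when that object identifier was created, which need not equal the file's own creation time. The integrity checks (header size 0x4C, the fixed CLSID, block size before signature) are the same ones a parser should apply before trusting any .lnk from an image.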

Jumplist

A jump list is a feature in Windows that provides quick access to frequently used files and programs. It is a list of recently used files and tasks that can be accessed from the Start menu or the taskbar for a particular program. The list is generated dynamically and updated automatically based on the user’s activity.

Starting with Windows 7, Microsoft added a feature named jump lists: lists of recently opened items, such as folders, files, or websites, organized by the program the user opened them with.

Before Jump Lists were introduced, the only way for a digital forensics investigator to track a suspect’s application-usage history was the Most Recently Used (MRU) and Most Frequently Used (MFU) keys in the Windows registry.

The records maintained by Jump Lists can be a rich source of evidence about a user’s historical activity. This feature reveals even more in Windows 10 because of its modified structure. Jump Lists are stored in two directories, AutomaticDestinations and CustomDestinations.

Jump List records are stored in AutoDest and CustDest files. An AutoDest file is made up of LNK (Shell Link) streams and a DestList stream. The records kept in a CustDest file are the same as those held in LNK data streams and in the LNK streams of AutoDest files.

Jump List records cover the MRU (Most Recently Used) and MFU (Most Frequently Used) items, the file name with its path, the MAC (Modified, Accessed, Created) timestamps, the disk volume name, and the history of files uploaded and downloaded by web browsers.

An AutoDest file is in Microsoft CFB (Compound File Binary) format, also called an OLE file. It contains SHLLINK streams and a DestList stream and is created by the Windows system. Its file name consists of the AppID followed by the extension “automaticDestinations-ms”. Most Jump List records are stored in this file. A CustDest file’s name is the AppID with “customDestinations-ms” as its extension; it is built by applications calling the ICustomDestinationList API, and its contents are maintained by the application. Not many applications create CustDest files.

Types of Jumplists

  • AutomaticDestination
  • CustomDestination

AutomaticDestination

AutomaticDestination is a feature in Windows that provides quick access to frequently used files and programs. It is a list of recently used files and tasks that can be accessed from the Start menu or the taskbar for a particular program. The list is generated dynamically and updated automatically based on the user’s activity.

In forensics, AutomaticDestination can provide valuable information about the user’s activity and behavior, such as the files and programs that were recently used, the order in which they were used, and the time they were used. This information can be useful in reconstructing the activities of a user and can provide insight into the user’s work flow and habits.

The analysis of AutomaticDestination requires specialized tools and techniques, as the information is stored in a binary format. There are various commercial and open-source tools available that can be used to extract and analyze the information stored in AutomaticDestination, such as JumpLister, ShellBags Analyzer, and Windows Timeline Explorer.

It is important to note that the information stored in AutomaticDestination is temporary and may be overwritten or lost, so it is important to act quickly and make a forensic image of the storage device as soon as possible.

Here you can use JLECmd, another tool developed by Eric Zimmerman. Here is how to use it:

JLECmd.exe -d "E:\Users\forensicnine\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv c:\report\

Now you have acquired useful information about AutomaticDestinations: SourceFile, SourceCreated, SourceModified, SourceAccessed, AppId, AppIdDescription, DestListVersion, LastUsedEntryNumber, MRU, EntryNumber, CreationTime, LastModified, Hostname, MacAddress, Path, InteractionCount, PinStatus, FileBirthDroid, FileDroid, VolumeBirthDroid, VolumeDroid, TargetCreated, TargetModified, TargetAccessed, FileSize, RelativePath, WorkingDirectory, FileAttributes, HeaderFlags, DriveType, VolumeSerialNumber, VolumeLabel, LocalPath, CommonPath, TargetIDAbsolutePath, TargetMFTEntryNumber, TargetMFTSequenceNumber, MachineID, MachineMACAddress, TrackerCreatedOn, ExtraBlocksPresent and Arguments.

You can also use the --html option to generate reports for both Automatic and Custom Destinations.

CustomDestination

CustomDestination is a feature in Windows that provides quick access to user-defined files and programs. It is a list of frequently used files and tasks that can be added to the Start menu or the taskbar for a particular program by the user. The list is generated dynamically and updated based on the user’s activity.

JLECmd.exe -d "E:\Users\forensicnine\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv c:\report\

Now you have acquired useful information about CustomDestinations: SourceFile, SourceCreated, SourceModified, SourceAccessed, AppId, AppIdDescription, EntryName, TargetCreated, TargetModified, TargetAccessed, FileSize, RelativePath, WorkingDirectory, FileAttributes, HeaderFlags, DriveType, VolumeSerialNumber, VolumeLabel, LocalPath, CommonPath, TargetIDAbsolutePath, TargetMFTEntryNumber, TargetMFTSequenceNumber, MachineID, MachineMACAddress, TrackerCreatedOn, ExtraBlocksPresent and Arguments.

Conclusion

Now that you know about shell items and have gathered information about your case, a question may arise: how are they going to help us solve forensic cases?
To answer this question, we suggest you look at the shellbags first and examine any information related to your case, for example a file path; then examine the LNK reports and try to find relations between the LNK files and the shellbags in detail, for example MAC timestamps, storage volumes, etc.; and finally, you can find information about the executable files, run count, and arguments in the jump lists. Putting all of these together into a good report is an art.
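To make that last step concrete, here is an added example, not part of the post, that joins constructed excerpts of the three CSV reports produced above (SBECmd, LECmd and JLECmd) on the file path and emits a single timeline. Only column names the post lists are used; the paths, volume serial numbers, host names and times are made-up sample values, and the assumption that SBECmd's AbsolutePath starts with a “Desktop\My Computer\” prefix is handled by the normalizer rather than relied upon.

```python
import csv
import io
import re
from datetime import datetime

# Constructed excerpts of the three CSV reports. The column names are the ones
# the tools emit; the rows and values are made up for this example.
SHELLBAGS_CSV = """AbsolutePath,LastInteracted,MFTEntry
Desktop\\My Computer\\C:\\Projects\\Secret Docs,2022-07-10 09:31:10,12345
Desktop\\My Computer\\E:\\,2022-07-10 09:40:02,5
"""
LNK_CSV = """SourceFile,LocalPath,TargetModified,VolumeSerialNumber,MachineID
C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\roadmap.lnk,C:\\Projects\\Secret Docs\\roadmap.docx,2022-07-10 09:35:00,1A2B3C4D,FORENSIC-PC
C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\roadmap (2).lnk,E:\\roadmap.docx,2022-07-10 09:41:30,DEADBEEF,FORENSIC-PC
"""
JUMPLIST_CSV = """AppIdDescription,Path,LastModified,InteractionCount,Hostname
Microsoft Word,C:\\Projects\\Secret Docs\\roadmap.docx,2022-07-10 09:36:45,3,forensic-pc
"""


def normalize(path):
    """Canonical join key: keep everything from the drive letter on (drops a
    shellbag 'Desktop\\My Computer\\' prefix), strip a trailing backslash and
    ignore case, since NTFS paths are case-insensitive."""
    m = re.search(r"[a-z]:\\.*", path, re.IGNORECASE)
    return (m.group(0) if m else path).rstrip("\\").lower()


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_timeline():
    """Merge the three reports into (time, artifact, path, detail) events."""
    events = []
    for r in rows(SHELLBAGS_CSV):
        events.append((parse_time(r["LastInteracted"]), "shellbag",
                       normalize(r["AbsolutePath"]),
                       "folder viewed in Explorer (MFT entry %s)" % r["MFTEntry"]))
    for r in rows(LNK_CSV):
        events.append((parse_time(r["TargetModified"]), "lnk",
                       normalize(r["LocalPath"]),
                       "target on volume %s, host %s" % (r["VolumeSerialNumber"], r["MachineID"])))
    for r in rows(JUMPLIST_CSV):
        events.append((parse_time(r["LastModified"]), "jumplist",
                       normalize(r["Path"]),
                       "opened %s time(s) with %s" % (r["InteractionCount"], r["AppIdDescription"])))
    return sorted(events)


def artifacts_for(target, events):
    """Artifact types that corroborate a file: an exact path match, or a shellbag
    for one of its parent folders (shellbags describe folders, not files)."""
    t = normalize(target)
    return sorted({kind for _, kind, path, _ in events
                   if path == t or t.startswith(path + "\\")})


if __name__ == "__main__":
    timeline = build_timeline()
    for when, kind, path, detail in timeline:
        print("%s  %-9s %-40s %s" % (when, kind, path, detail))
    print(artifacts_for("C:\\Projects\\Secret Docs\\roadmap.docx", timeline))
```

Sorting the merged events gives the sequence the conclusion asks for: a folder viewed in Explorer (shellbag), a document in it opened (LNK), the application that opened it and how often (jump list), then the same document name appearing on a second volume with a different serial number. A file corroborated by all three artifact types is far harder to explain away than any one of them alone.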
