Note: This post originally appeared on the SANS Forensics blog
As Windows Registry artifacts go, the “Shellbag” keys tend to be some of the more complicated artifacts we have to decipher. But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long gone removable devices, and show the contents of previously mounted encrypted volumes. Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.