Shellbag Data Fields
Shellbags are Windows registry artifacts that track and record user interactions with the file system via Windows Explorer. These entries provide visibility into the history of folder browsing activity and are an essential source of evidence in digital forensics and incident response (DFIR) investigations.
Shellbags are often used to identify folder access patterns, deleted directories, and user behavior—even when certain data has been removed or is no longer accessible via traditional methods. Binalyze AIR supports remote collection and presentation of Shellbag data as part of its broader Windows evidence acquisition capabilities.
Key Components of a Shellbag Entry
Each Shellbag entry contains several attributes. Below is a breakdown of these attributes, how they are labeled in AIR, and what they reveal during forensic analysis:
| Field | Description |
|---|---|
| `key_path` | The registry path where the Shellbag entry is stored. Indicates the user or system scope. |
| `value` | The raw content of the Shellbag entry within the registry. |
| `cached_modified` | Cached timestamp when the folder was last modified. Used to infer changes. |
| `cached_accessed` | Cached timestamp for last access to the folder. Useful for establishing activity windows. |
| `cached_created` | Cached creation date of the folder, captured by the operating system. |
| `path` | Full resolved path of the file or folder. Reflects the actual or historical structure. |
| `slot_modified_time` | Timestamp when the Shellbag slot itself was last modified. Indicates registry update time. |
| `mft_entry` | Entry number in the NTFS Master File Table (MFT). Helps link artifacts to disk-level data. |
| `mft_sequence` | Sequence number for the MFT entry. Helps detect file deletion and reuse. |
| `modified` | Standard NTFS metadata for last modification time of the folder. |
| `accessed` | Last access time recorded in NTFS metadata. |
| `created` | Creation timestamp recorded by the file system. |
Relevance to DFIR
Shellbag analysis plays a key role in:
- User activity reconstruction
- Detecting folder creation and deletion
- Timeline correlation with other artifacts
- Understanding attacker movement or staging activity
By leveraging Shellbag entries, DFIR professionals can fill gaps that might exist in other logging systems or file system data, particularly in post-breach or post-removal scenarios.
FAQ: Is the 'Cached Accessed' field a native Microsoft label?
Not quite — and this is a subtle but important distinction in forensics.
The field Cached Accessed is not an official Microsoft-named field, but rather a derived label commonly used by forensic tools (including Binalyze AIR) to describe data extracted from binary structures within Shellbag entries.
What's actually happening:
Shellbags store binary shell item data that may contain timestamps such as:
- Created
- Modified
- Accessed
These timestamps are embedded in various shell item structures, such as FILE_ENTRY, FOLDER_ENTRY, or ZIP_CONTENTS records — and not explicitly named by Microsoft.
Forensic tool interpretation:
Tools like Binalyze AIR, Shellbags Explorer, and others parse these raw structures and label the extracted timestamps with friendly terms like:
- Cached Created
- Cached Modified
- Cached Accessed
The “cached” prefix is used because these timestamps are snapshots, cached at the time the folder was last browsed, not live file system metadata.
🔍 Example: If a user browses C:\Users\Bob\Downloads, the Shellbag entry may include a FILE_ENTRY structure with a timestamp that gets interpreted and labeled as "Cached Accessed", even though Microsoft never calls it that.
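As an added worked example (not AIR's or Microsoft's code), the Python below builds a constructed FILE_ENTRY shell item for a Downloads folder and pulls out the three DOS date/time pairs that tools then label cached_created, cached_modified and cached_accessed, plus the MFT reference behind mft_entry and mft_sequence. The item layout and byte offsets follow the commonly documented shell item format and are assumptions of this example; the 2-second truncation of the access time shows why these cached values have coarser resolution than the NTFS timestamps they are compared against.

```python
import struct
from datetime import datetime

def decode_dos_datetime(date_word, time_word):
    """Unpack a FAT/DOS date+time pair: 2-second resolution, local time, no time zone."""
    if date_word == 0 and time_word == 0:
        return None  # zero means the shell item recorded no timestamp
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def encode_dos_datetime(dt):
    """Inverse of decode_dos_datetime; only used to build the constructed sample item."""
    return ((dt.year - 1980) << 9 | dt.month << 5 | dt.day,
            dt.hour << 11 | dt.minute << 5 | dt.second // 2)

def build_file_entry(name, created, modified, accessed, mft_entry, mft_seq):
    """Construct a directory item (class 0x31) with a version-8 0xBEEF0004 extension block (assumed layout)."""
    ascii_name = name.encode('ascii') + b'\x00'
    ascii_name += b'\x00' * (len(ascii_name) % 2)            # name is 2-byte aligned
    ext = struct.pack('<HHHHHH', *encode_dos_datetime(created), *encode_dos_datetime(accessed), 0x2E, 0)
    ext += mft_entry.to_bytes(6, 'little') + struct.pack('<H', mft_seq)   # MFT reference: entry + sequence
    ext = struct.pack('<HHI', 8 + len(ext), 8, 0xBEEF0004) + ext
    body = struct.pack('<BBIHHH', 0x31, 0, 0, *encode_dos_datetime(modified), 0x10)
    return struct.pack('<H', 2 + len(body) + len(ascii_name) + len(ext)) + body + ascii_name + ext

def parse_file_entry(item):
    """Return the fields AIR labels cached_*, mft_entry and mft_sequence for one shell item."""
    if item[2] & 0x70 != 0x30:                               # class types 0x30-0x3F are file entries
        raise ValueError('not a FILE_ENTRY shell item')
    mod_date, mod_time = struct.unpack_from('<HH', item, 8)  # modified time lives in the item itself
    name_end = item.index(b'\x00', 14)
    ext_off = name_end + 1 + (name_end + 1) % 2
    _size, version, sig = struct.unpack_from('<HHI', item, ext_off)
    if sig != 0xBEEF0004:
        raise ValueError('missing 0xBEEF0004 extension block')
    cr_d, cr_t, ac_d, ac_t = struct.unpack_from('<HHHH', item, ext_off + 8)  # created, accessed
    fields = {'path_component': item[14:name_end].decode('ascii'),
              'cached_created': decode_dos_datetime(cr_d, cr_t),
              'cached_modified': decode_dos_datetime(mod_date, mod_time),
              'cached_accessed': decode_dos_datetime(ac_d, ac_t)}
    if version >= 7:                                          # Windows 7+ items carry an MFT reference
        ref = item[ext_off + 20:ext_off + 28]
        fields['mft_entry'] = int.from_bytes(ref[:6], 'little')
        fields['mft_sequence'] = struct.unpack('<H', ref[6:])[0]
    return fields

# Constructed sample, not real evidence: a Downloads folder whose access time had an odd second.
SAMPLE_ITEM = build_file_entry('Downloads', datetime(2023, 11, 2, 9, 15, 10), datetime(2024, 3, 15, 14, 30, 42),
                               datetime(2024, 3, 15, 14, 30, 45), mft_entry=91234, mft_seq=5)
```

When correlating, compare `mft_sequence` with the sequence number of the live MFT record for `mft_entry`: a higher live value means the folder the Shellbag describes was deleted and its record reused.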
Summary:
✅ Used by AIR: Yes
❌ Defined by Microsoft: No (it's a parsed artifact, not a registry value)
🔐 Still forensically sound: Yes — it reflects real metadata from the shell item, just given a descriptive label