Shellbag Data Fields

Shellbags are Windows registry artifacts that record which folders a user has opened in Windows Explorer. When a folder is browsed, Explorer saves its view settings, together with a binary shell item describing the folder, under the BagMRU and Bags keys of that user's NTUSER.DAT and UsrClass.dat hives (on Windows 7 and later). These entries provide visibility into the history of folder browsing activity and are an essential source of evidence in digital forensics and incident response (DFIR) investigations.

Shellbags are often used to identify folder access patterns, deleted directories and user behavior, even when the folders themselves have been removed or are no longer reachable by other means. Binalyze AIR supports remote collection and presentation of Shellbag data as part of its broader Windows evidence acquisition capabilities.


Key Components of a Shellbag Entry

Each Shellbag entry contains several attributes. Below is a breakdown of these attributes, how they are labeled in AIR, and what they reveal during forensic analysis:

  • key_path: The registry key that holds the entry, i.e. a path under BagMRU in NTUSER.DAT (HKCU\Software\Microsoft\Windows\Shell) or UsrClass.dat (HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell). Identifies which user profile hive the entry came from.

  • value: The raw binary content of the entry (the shell item data) as stored in the registry.

  • cached_modified: Last-modified timestamp of the folder as copied into the shell item when the folder was browsed. It is stored in DOS date/time format (2-second resolution, local time with no zone marker), so it is an approximation of the folder's state at browse time, not its current state.

  • cached_accessed: Last-access timestamp from the shell item's extension block, captured at browse time. Useful for establishing activity windows; the same DOS-format caveat applies.

  • cached_created: Creation timestamp from the shell item's extension block, captured at browse time.

  • path: The full folder path, reconstructed by walking the BagMRU hierarchy from the root down to this entry. It reflects the structure as Explorer saw it when the folder was browsed, so it can name directories that no longer exist.

  • slot_modified_time: Last-write time of the registry key backing this entry's slot. Registry last-write times are UTC FILETIME values and are overwritten each time Windows rewrites the key, so this marks the most recent update, not the first time the folder was browsed.

  • mft_entry: NTFS Master File Table (MFT) entry number recorded in the shell item's extension block (Vista and later). Links the entry to disk-level data such as $MFT records.

  • mft_sequence: MFT sequence number recorded alongside the entry number. If the live $MFT shows a different sequence for the same entry number, the original record was deleted and the slot reused since the folder was browsed.

  • modified: Last modification time read from the live NTFS metadata of the folder, as opposed to the cached copy in the shell item.

  • accessed: Last access time read from the live NTFS metadata.

  • created: Creation time read from the live NTFS metadata.


Relevance to DFIR

Shellbag analysis plays a key role in:

  • User activity reconstruction

  • Detecting folder creation and deletion

  • Timeline correlation with other artifacts

  • Understanding attacker movement or staging activity

By leveraging Shellbag entries, DFIR professionals can fill gaps that might exist in other logging systems or file system data, particularly after an intrusion or after an attacker has deleted the folders they worked in.


FAQ: Is the 'Cached Accessed' field a native Microsoft label?

Not quite — and this is a subtle but important distinction in forensics.

The field Cached Accessed is not an official Microsoft-named field, but rather a derived label commonly used by forensic tools (including Binalyze AIR) to describe data extracted from binary structures within Shellbag entries.

What's actually happening:

  • Shellbags store binary shell item data that may contain timestamps such as:

    • Created

    • Modified

    • Accessed

  • The modified timestamp sits in the header of the shell item itself (a FILE_ENTRY, FOLDER_ENTRY or ZIP_CONTENTS item, in the naming used by community parsers), while the created and accessed timestamps sit in the 0xBEEF0004 extension block appended to it. Microsoft does not document this layout or name these fields; the names come from reverse-engineered format documentation and forensic tools.

Forensic tool interpretation:

Tools like Binalyze AIR, Shellbags Explorer, and others parse these raw structures and label the extracted timestamps with friendly terms like:

  • Cached Created

  • Cached Modified

  • Cached Accessed

The “cached” prefix is used because these timestamps are snapshots taken when Explorer wrote the shell item, i.e. when the folder was browsed, not live file system metadata. They are also stored in the 32-bit DOS date/time format, which has 2-second resolution and carries no time zone (it is local time), so they will not necessarily match the folder's NTFS $STANDARD_INFORMATION timestamps exactly.

🔍 Example: If a user browses C:\Users\Bob\Downloads, the Shellbag entry for Downloads is a FILE_ENTRY shell item whose 0xBEEF0004 extension block carries the folder's DOS-format creation and last-access times. A parser reads the latter and labels it "Cached Accessed", even though Microsoft never calls it that.

Summary:

  • Used by AIR: Yes

  • Defined by Microsoft: No (it's a parsed artifact, not a registry value)

  • 🔐 Still forensically sound: Yes — it reflects real metadata from the shell item, just given a descriptive label
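The following Python script is an added example, not Binalyze AIR code or output from it. It builds a constructed FILE_ENTRY shell item with a version-8 (Windows 7 layout) 0xBEEF0004 extension block, then decodes the fields that the table above lists as cached_modified, cached_created, cached_accessed, mft_entry and mft_sequence, and finally compares the cached NTFS file reference against a constructed snapshot of the live $MFT to show how a sequence mismatch flags a record that was deleted and reused. Offsets follow the publicly documented Windows Shell Item format (the libfwsi documentation); the sample values, the helper names and the LIVE_MFT dictionary are assumptions made for the demonstration. Note that the modified time of 14:30:17 comes back as 14:30:16: the DOS format truncates odd seconds, which is why the cached fields cannot be compared to NTFS timestamps to the second.

```python
# Added example (not Binalyze AIR code). Offsets follow the libfwsi
# "Windows Shell Item format" documentation; all sample values are constructed.
import struct
from datetime import datetime


def fat_to_datetime(raw):
    """Decode a 4-byte DOS/FAT timestamp: 2-byte date, then 2-byte time.
    Resolution is 2 seconds and the value is local time with no zone info."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None  # all-zero means Explorer had nothing to cache
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def datetime_to_fat(dt):
    """Inverse of fat_to_datetime; odd seconds are truncated, as on disk."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def parse_beef0004(ext):
    """Extension block 0xBEEF0004: cached created/accessed times, the NTFS
    file reference (version >= 7, i.e. Vista and later) and the long name."""
    _size, version, sig = struct.unpack_from("<HHI", ext, 0)
    if sig != 0xBEEF0004:
        raise ValueError("unexpected extension signature 0x%08x" % sig)
    out = {"cached_created": fat_to_datetime(ext[8:12]),
           "cached_accessed": fat_to_datetime(ext[12:16]),
           "mft_entry": None, "mft_sequence": None}
    pos = 18
    if version >= 7:
        ref, = struct.unpack_from("<Q", ext, 20)  # 48-bit entry | 16-bit sequence
        out["mft_entry"], out["mft_sequence"] = ref & 0xFFFFFFFFFFFF, ref >> 48
        pos = 36
    pos += 2                  # long string size (localized name), unused here
    if version >= 9:
        pos += 4
    if version >= 8:
        pos += 4
    end = pos                 # scan for the UTF-16LE terminator
    while end < len(ext) - 2 and ext[end:end + 2] != b"\x00\x00":
        end += 2
    out["long_name"] = ext[pos:end].decode("utf-16-le")
    return out


def parse_file_entry(item):
    """Shell item class 0x3x: size, class, file size, cached modified time,
    attributes, ASCII primary name, then the extension block whose offset is
    stored in the item's last two bytes."""
    size, cls = struct.unpack_from("<HB", item, 0)
    if cls & 0x70 != 0x30:
        raise ValueError("not a file entry shell item: class 0x%02x" % cls)
    attrs, = struct.unpack_from("<H", item, 12)
    out = {"cached_modified": fat_to_datetime(item[8:12]),
           "is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
           "short_name": item[14:item.index(b"\x00", 14)].decode("ascii")}
    ext_off, = struct.unpack_from("<H", item, size - 2)
    out.update(parse_beef0004(item[ext_off:size]))
    return out


def build_sample_item(long_name, short_name, modified, created, accessed,
                      mft_entry, mft_sequence, version=8):
    """Construct a directory item with a version-8 (Windows 7 layout) block."""
    sname = short_name.encode("ascii") + b"\x00"
    sname += b"\x00" * (len(sname) % 2)            # pad to 16-bit alignment
    head = (struct.pack("<HBBI", 0, 0x31, 0, 0) + datetime_to_fat(modified)
            + struct.pack("<H", 0x10) + sname)     # item size patched below
    body = (struct.pack("<HI", version, 0xBEEF0004)
            + datetime_to_fat(created) + datetime_to_fat(accessed)
            + struct.pack("<HH", 0x2E, 0)
            + struct.pack("<Q", (mft_sequence << 48) | mft_entry) + b"\x00" * 8
            + struct.pack("<H", 0) + b"\x00" * 4   # long string size, v8 field
            + long_name.encode("utf-16-le") + b"\x00\x00"
            + struct.pack("<H", len(head)))        # version offset
    item = head + struct.pack("<H", len(body) + 2) + body
    return struct.pack("<H", len(item)) + item[2:]


def mft_status(parsed, live_mft):
    """Compare the cached NTFS reference with a snapshot of the live $MFT,
    given as {entry_number: sequence_number} for records currently in use."""
    live = live_mft.get(parsed["mft_entry"])
    if live is None:
        return "record not in use: folder deleted"
    if live != parsed["mft_sequence"]:
        return "record reused (seq %d now %d): original folder deleted" % (
            parsed["mft_sequence"], live)
    return "record unchanged: folder still exists"


# Constructed sample: what Explorer would keep for C:\Users\Bob\Downloads.
SAMPLE = build_sample_item("Downloads", "Downloads",
                           modified=datetime(2024, 3, 15, 14, 30, 17),
                           created=datetime(2023, 11, 2, 9, 5, 40),
                           accessed=datetime(2024, 3, 15, 14, 30, 17),
                           mft_entry=47321, mft_sequence=5)
LIVE_MFT = {47321: 6}  # constructed: same entry number, sequence bumped on reuse

if __name__ == "__main__":
    rec = parse_file_entry(SAMPLE)
    for field, value in rec.items():
        print("%-16s %s" % (field, value))
    print(mft_status(rec, LIVE_MFT))
```

Running the script prints the decoded record followed by the $MFT comparison verdict. To use the parser on real data, feed it the raw bytes of a BagMRU value (the value field in AIR); the builder exists only so the example runs offline.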
