LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
    • AIR's User Settings
      • General
      • Assets
      • Security
      • Features
      • Evidence Repositories
      • Policies
      • User Management
        • User Groups
        • User Roles
      • Backup
      • Investigation Hub Disk Usage
      • Danger Zone
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Key Components of a Shellbag Entry
  • Relevance to DFIR
  • FAQ: Is the 'Cached Accessed' field a native Microsoft label?

Was this helpful?

Export as PDF
  1. AIR
  2. Features
  3. DRONE
  4. Analyzers
  5. Windows Analyzers

Shellbag Data Fields

Shellbags are Windows registry artifacts that track and record user interactions with the file system via Windows Explorer. These entries provide visibility into the history of folder browsing activity and are an essential source of evidence in digital forensics and incident response (DFIR) investigations.

ShellBags are often used to identify folder access patterns, deleted directories, and user behavior—even when certain data has been removed or is no longer accessible via traditional methods. Binalyze AIR supports remote collection and presentation of Shellbag data as part of its broader Windows evidence acquisition capabilities.


Key Components of a Shellbag Entry

Each Shellbag entry contains several attributes. Below is a breakdown of these attributes, how they are labeled in AIR, and what they reveal during forensic analysis:

Field

Description

key_path

The registry path where the Shellbag entry is stored. Indicates the user or system scope.

value

The raw content of the Shellbag entry within the registry.

cached_modified

Cached timestamp when the folder was last modified. Used to infer changes.

cached_accessed

Cached timestamp for last access to the folder. Useful for establishing activity windows.

cached_created

Cached creation date of the folder, captured by the operating system.

path

Full resolved path of the file or folder. Reflects the actual or historical structure.

slot_modified_time

Timestamp when the Shellbag slot itself was last modified. Indicates registry update time.

mft_entry

Entry number in the NTFS Master File Table (MFT). Helps link artifacts to disk-level data.

mft_sequence

Sequence number for the MFT entry. Helps detect file deletion and reuse.

modified

Standard NTFS metadata for last modification time of the folder.

accessed

Last access time recorded in NTFS metadata.

created

Creation timestamp recorded by the file system.


Relevance to DFIR

Shellbag analysis plays a key role in:

  • User activity reconstruction

  • Detecting folder creation and deletion

  • Timeline correlation with other artifacts

  • Understanding attacker movement or staging activity

By leveraging Shellbag entries, DFIR professionals can fill gaps that might exist in other logging systems or file system data, particularly in post-breach or post-removal scenarios.


FAQ: Is the 'Cached Accessed' field a native Microsoft label?

Not quite — and this is a subtle but important distinction in forensics.

The field Cached Accessed is not an official Microsoft-named field, but rather a derived label commonly used by forensic tools (including Binalyze AIR) to describe data extracted from binary structures within Shellbag entries.

What's actually happening:

  • Shellbags store binary shell item data that may contain timestamps such as:

    • Created

    • Modified

    • Accessed

  • These timestamps are embedded in various shell item structures, such as FILE_ENTRY, FOLDER_ENTRY, or ZIP_CONTENTS records — and not explicitly named by Microsoft.

Forensic tool interpretation:

Tools like Binalyze AIR, Shellbags Explorer, and others parse these raw structures and label the extracted timestamps with friendly terms like:

  • Cached Created

  • Cached Modified

  • Cached Accessed

The “cached” prefix is used because these timestamps are snapshots, cached at the time the folder was last browsed, not live file system metadata.

🔍 Example: If a user browses C:\Users\Bob\Downloads, the Shellbag entry may include a FILE_ENTRY structure with a timestamp that gets interpreted and labeled as "Cached Accessed", even though Microsoft never calls it that.

Summary:

  • ✅ Used by AIR: Yes

  • ❌ Defined by Microsoft: No (it's a parsed artifact, not a registry value)

  • 🔐 Still forensically sound: Yes — it reflects real metadata from the shell item, just given a descriptive label

PreviousPrefetch AnalyzerNextLinux Analyzers

Last updated 1 month ago

Was this helpful?