Microsoft Windows records the view preferences of folders and the Desktop. Therefore, when a folder or the Desktop is visited again, Windows can remember the location of the folder, its view, and the positions of its items. Microsoft Windows stores the view preferences in registry keys and values known as “ShellBags”.
ShellBag information is crucial when forensicators need to know which folder a user accessed and when. For instance, when a company suspects an employee leaked a confidential document stored on the network, that employee’s computer may have ShellBag information that demonstrates that the folder containing that document was accessed shortly before the document was leaked.
Furthermore, ShellBags may also show folders or servers that the employee should not access. Those findings are critical to the investigation. Or, when a company suspects an employee maliciously deleted important files on the network, ShellBag information may demonstrate that the employee’s computer accessed the folder before the incident happened.