ShellBag_Hunter: A PowerShell Tool for Forensic Analysis of Windows ShellBags

Windows ShellBags are registry artifacts that record folder access history, even after deletion. These artifacts are a forensic treasure trove, hiding in plain sight. ShellBag_Hunter is a PowerShell tool designed to extract, decode, and visualize this data, revealing user activity patterns that are invisible to standard analysis.

Key Features of ShellBag_Hunter:

  • Decoding Complex Binary Registry Structures: Extracts data from multiple registry locations.
  • Identifying Deleted Folders: Reveals evidence of previously accessed folders that have been deleted.
  • Timestamp Analysis: Extracts and analyzes timestamps to build activity timelines.
  • Multi-User Support: Analyzes data across all user profiles on a system.
  • Windows 11 Compatibility: Special handling for Windows 11’s different artifact storage.
  • Flexible Filtering: Filters data by date range, path, or recency.
  • Comprehensive Reporting: Generates HTML reports with interactive visualizations.
  • Export Options: Exports findings in CSV and JSON formats for further analysis.

You Should Know:

Here are some practical commands and code snippets related to ShellBag_Hunter and Windows ShellBag forensics:

1. Extracting ShellBags with PowerShell:

# Run ShellBag_Hunter to extract ShellBags and write an HTML report
.\ShellBag_Hunter.ps1 -OutputFormat HTML -ReportPath C:\Reports

2. Decoding Registry Artifacts:

# List the raw ShellBag keys of the current user. ShellBags are per-user data, so they
# live under HKCU (the NTUSER.DAT hive), not HKLM; the encoded entries sit in the numbered
# subkeys under Bags and BagMRU, and Windows 7 and later keep a second set in UsrClass.dat
# under HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell.
Get-ChildItem -Path "HKCU:\Software\Microsoft\Windows\Shell\Bags" -Recurse | Format-Table -AutoSize
# Read the values of one numbered subkey
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\Bags\1" | Format-List

3. Filtering by Date Range:

# Filter ShellBags by date range
.\ShellBag_Hunter.ps1 -StartDate "2023-01-01" -EndDate "2023-12-31"

4. Exporting to CSV:

# Export ShellBag data to CSV
.\ShellBag_Hunter.ps1 -OutputFormat CSV -OutputPath C:\Exports\ShellBags.csv

5. Analyzing Timestamps:

# Analyze timestamps from ShellBags. Import-Csv yields strings, so cast the column to
# [datetime] before sorting; otherwise the order is lexical, not chronological.
$shellbags = Import-Csv -Path C:\Exports\ShellBags.csv
$shellbags | Sort-Object -Property { [datetime]$_.LastAccessTime } | Format-Table -AutoSize
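As an added example (not part of the original post or of the ShellBag_Hunter project), the following Python script shows what items 2, 3 and 5 amount to once the registry data is in hand: decoding the binary shell items stored in BagMRU values, walking the parent keys to rebuild full folder paths, decoding the FAT/DOS timestamps into a timeline, filtering that timeline by date range, and flagging recorded folders that no longer exist on disk. The BagMRU key names, folder names, timestamps and the "present on disk" set are all constructed; the byte layout follows the public documentation of Windows shell items (the libfwsi project), and only file-entry items with a version-9 extension block are decoded.

```python
import struct
from datetime import datetime, date

EXT_SIG = 0xBEEF0004  # extension block that carries the long name and two more FAT timestamps


def decode_fat_datetime(raw):
    """Decode the 32-bit FAT/DOS timestamp used by shell items: low 16 bits = date
    (year-1980 << 9 | month << 5 | day), high 16 bits = time (hour << 11 | minute << 5 |
    second // 2). Two-second resolution only; zero means 'not recorded'."""
    if raw == 0:
        return None
    d, t = raw & 0xFFFF, raw >> 16
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


def encode_fat_datetime(dt):
    d = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    t = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return (t << 16) | d


def build_dir_item(short_name, long_name, modified, created, accessed):
    """Constructed Windows 10-style directory shell item (class 0x31) with one
    version-9 0xBEEF0004 extension block, shaped like a BagMRU value."""
    body = struct.pack("<BBIIH", 0x31, 0, 0, encode_fat_datetime(modified), 0x10)
    body += short_name.encode("ascii") + b"\x00"  # 8.3 name, ASCII, null-terminated
    if (2 + len(body)) % 2:  # item data stays 16-bit aligned
        body += b"\x00"
    ext_offset = 2 + len(body)
    # signature, created, accessed, identifier, unknown, file reference, unknown,
    # long-string size, two unknowns, then the UTF-16 long name
    ext_body = struct.pack("<IIIHHQQHII", EXT_SIG, encode_fat_datetime(created),
                           encode_fat_datetime(accessed), 0x2E, 0, 0, 0, 0, 0, 0)
    ext_body += long_name.encode("utf-16-le") + b"\x00\x00"
    ext = struct.pack("<HH", 6 + len(ext_body), 9) + ext_body + struct.pack("<H", ext_offset)
    item = struct.pack("<H", 2 + len(body) + len(ext)) + body + ext
    return item + b"\x00\x00"  # BagMRU values end with an empty terminator item


def read_utf16z(blob, off):
    end = off
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[off:end].decode("utf-16-le")


def parse_dir_item(blob):
    """Decode one file-entry shell item (class 0x30-0x3F). Root (0x1F) and volume (0x2F)
    items, which real BagMRU trees also contain, are not handled here."""
    size, cls = struct.unpack_from("<HB", blob, 0)
    if (cls & 0x70) != 0x30:
        raise ValueError("not a file-entry item: class 0x%02x" % cls)
    info = {"modified": decode_fat_datetime(struct.unpack_from("<I", blob, 8)[0]),
            "created": None, "accessed": None}
    end = blob.index(b"\x00", 14)
    info["short_name"] = info["long_name"] = blob[14:end].decode("ascii")
    off = end + 1 + (end + 1) % 2  # skip the alignment pad byte if present
    while off + 8 <= size:  # walk the extension blocks
        ext_size, version, sig = struct.unpack_from("<HHI", blob, off)
        if ext_size == 0:
            break
        if sig == EXT_SIG and version >= 9:  # older versions lay the block out differently
            c, a = struct.unpack_from("<II", blob, off + 8)
            info["created"], info["accessed"] = decode_fat_datetime(c), decode_fat_datetime(a)
            info["long_name"] = read_utf16z(blob, off + 46)
        off += ext_size
    return info


def reconstruct_paths(bagmru):
    """bagmru maps a BagMRU subkey path (e.g. '0\\1\\0') to the raw bytes of the value
    describing that folder; the parent key names the parent folder."""
    tree = {}
    for key in sorted(bagmru, key=lambda k: k.count("\\")):
        entry = parse_dir_item(bagmru[key])
        parent = tree.get(key.rsplit("\\", 1)[0]) if "\\" in key else None
        entry["path"] = (parent["path"] + "\\" if parent else "") + entry["long_name"]
        tree[key] = entry
    return tree


def timeline(tree):
    return sorted((e for e in tree.values() if e["modified"]), key=lambda e: e["modified"])


def filter_by_range(tree, start, end, field="modified"):
    return [e for e in tree.values() if e[field] and start <= e[field].date() <= end]


def missing_on_disk(tree, present):
    """Folders recorded in BagMRU but absent from a file-system listing (a constructed
    set here) are the 'deleted folder' evidence ShellBags are known for."""
    return [e["path"] for e in tree.values() if e["path"] not in present]


# Constructed stand-in for a BagMRU subtree; the sample starts below the volume item.
SAMPLE_BAGMRU = {
    "0": build_dir_item("USERS", "Users", datetime(2023, 3, 5, 9, 14, 20), datetime(2019, 12, 7, 9, 3, 0), datetime(2023, 3, 5, 9, 14, 20)),
    "0\\1": build_dir_item("ALICE", "alice", datetime(2023, 9, 18, 8, 0, 0), datetime(2020, 1, 15, 10, 30, 0), datetime(2023, 9, 18, 8, 0, 0)),
    "0\\1\\0": build_dir_item("PROJEC~1", "Project X", datetime(2023, 11, 2, 17, 5, 30), datetime(2023, 10, 30, 14, 22, 10), datetime(2023, 11, 2, 17, 5, 30)),
    "0\\1\\1": build_dir_item("OLD", "old", datetime(2022, 6, 1, 12, 0, 0), datetime(2021, 4, 4, 4, 4, 4), datetime(2022, 6, 1, 12, 0, 0)),
}
```

Against a real system the bytes would come from the numbered values under the BagMRU key (read offline from NTUSER.DAT or UsrClass.dat with a registry parser) rather than from build_dir_item, and the parent-key walk in reconstruct_paths is what turns the per-key fragments into full paths. The two-second FAT resolution and the absence of time zone information are worth remembering when these timestamps are lined up with other sources in a timeline.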

6. Windows Command for Registry Analysis:

reg query "HKCU\Software\Microsoft\Windows\Shell\Bags" /s
7. Linux Command for Forensic Analysis (if analyzing a Windows image on Linux):

# Use RegRipper on a Windows registry hive. ShellBags live in the per-user hives
# (NTUSER.DAT and, on Windows 7 and later, UsrClass.dat), not in the system-wide
# SOFTWARE hive, and the shellbags plugin expects UsrClass.dat. <username> is a
# placeholder for the profile being examined.
rip -r "/mnt/windows/Users/<username>/AppData/Local/Microsoft/Windows/UsrClass.dat" -p shellbags

8. Visualizing Data with Python:

import pandas as pd
import matplotlib.pyplot as plt

# Load the CSV exported by ShellBag_Hunter and parse the timestamp column
data = pd.read_csv("ShellBags.csv")
data['LastAccessTime'] = pd.to_datetime(data['LastAccessTime'])
# One point per folder on a time axis gives a quick activity timeline
data.plot(x='LastAccessTime', y='FolderPath', kind='scatter')
plt.show()

What Undercode Say:

ShellBag_Hunter is an essential tool for forensic analysts and defenders, providing deep insights into user activity on Windows systems. By leveraging PowerShell and registry analysis, it simplifies the process of uncovering hidden artifacts, even after deletion. The ability to filter, visualize, and export data makes it a versatile tool for both quick investigations and detailed forensic analysis. Whether you’re dealing with Windows 10 or Windows 11, ShellBag_Hunter ensures you can reconstruct user activity with precision.

Reported By: Michaelahaag Final – Hackers Feeds