top of page


If you're curious as to whether or not a forensic examination of a computer can determine if

folders were renamed or deleted, or even simply accessed on a device inquire about the possibility of analyzing shellbags. Shellbags are stored in a file named UserClass.dat in the Windows Registry . The timestamps and other data are encoded in hexadecimal - the numbering system employed by developers that uses 16 symbols (0-9 and A-F) rather than the standard decimal system.

Companies such as Privazer have applications which cannot only display last accessed and modified times for directories which are stored in shellbags but also erase that data as well.

Shellbag data is hard to remove. A new folder or zip file which is created in place of an old one with the same name will inherit its shellbag data. Opening a folder, copying a folder, renaming a folder, deleting a folder, or even simply selecting or right clicking on a folder will generate shellbag data.


bottom of page