
shellbags

If you're curious as to whether a forensic examination of a computer can determine if folders were renamed or deleted, or even simply accessed on a device, inquire about the possibility of analyzing shellbags. Shellbags are stored in a file named UsrClass.dat in the Windows Registry. The timestamps and other data are encoded in hexadecimal, the base-16 numbering system used by developers, which has 16 symbols (0-9 and A-F) rather than the ten of the standard decimal system.
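As an added example (not from the original post), here is a small Python decoder for the 32-bit DOS date/time encoding that folder entries in shellbags use for their hex-encoded timestamps. The item layout assumed here (type byte at offset 2, modification date/time at offset 8, short name at offset 14) and the sample hex dump are constructed for illustration, not taken from a real hive.

```python
import struct
from datetime import datetime
from typing import Optional, Tuple


def decode_dos_datetime(raw: bytes) -> Optional[datetime]:
    """Decode a 4-byte little-endian DOS date/time pair (date word, then time word).

    Date word: bits 0-4 day, 5-8 month, 9-15 years since 1980.
    Time word: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours.
    All-zero words mean "not set", which is common in shellbag entries, so return None.
    """
    if len(raw) != 4:
        raise ValueError("DOS date/time is exactly 4 bytes")
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    day = date & 0x1F
    month = (date >> 5) & 0x0F
    year = ((date >> 9) & 0x7F) + 1980
    second = (time & 0x1F) * 2
    minute = (time >> 5) & 0x3F
    hour = (time >> 11) & 0x1F
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        # Out-of-range fields (day 0, hour 31, ...) point to a corrupt or unknown item.
        return None


def parse_folder_item(item: bytes) -> Tuple[str, Optional[datetime]]:
    """Extract short name and modification time from a file-system folder shell item.

    Assumed layout (an assumption for this example, not a spec reference):
      0 size (uint16)  2 type (0x31 = folder)  8 DOS date/time
      12 attributes (uint16)  14 NUL-terminated ASCII short name
    """
    if len(item) < 16 or item[2] != 0x31:
        raise ValueError("not a type 0x31 folder item")
    modified = decode_dos_datetime(item[8:12])
    end = item.index(b"\x00", 14)
    return item[14:end].decode("ascii"), modified


# Constructed sample item: folder "DOCS", modified 2015-06-17 14:30:22
SAMPLE_ITEM = bytes.fromhex("1300" "3100" "00000000" "D146CB73" "1000" "444F435300")

if __name__ == "__main__":
    name, mtime = parse_folder_item(SAMPLE_ITEM)
    print(f"{name}: modified {mtime}")
```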


Companies such as Privazer have applications which can not only display the last accessed and modified times for directories that are stored in shellbags but also erase that data.


Shellbag data is hard to remove. A new folder or zip file created in place of an old one with the same name will inherit its shellbag data. Opening a folder, copying a folder, renaming a folder, deleting a folder, or even simply selecting or right-clicking on a folder will generate shellbag data.

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.
