I really enjoyed this video. Thanks for sharing. I wish I had more time in the day to watch all of your videos and develop my forensic skills.
14:07 minutes full of learnings - thanks, great.
@13Cubed the command line freak! Another great video sir! Thank you! These are helping me prepare for my interviews!
Great video introducing Shellbags.
Great video! Good explanations and examples given. Keep it up. This is great content!
I've been slowly working through the 13cubed archive and this is excellent!! I've read a couple of times (including on Magnet Forensics blog) that Shellbags are located within HKCR when clearly you are showing them within HKCU here... I'm confused!! 🤔
This article will help: www.lifewire.com/hkey-classes-root-2625899
Quoting from it: "However, because the HKEY_CLASSES_ROOT hive is actually combined data found in both the HKEY_LOCAL_MACHINE hive (HKEY_LOCAL_MACHINE\Software\Classes) and the HKEY_CURRENT_USER hive (HKEY_CURRENT_USER\Software\Classes), it also contains user-specific information as well. Even though that's the case, the HKEY_CLASSES_ROOT is still able to be browsed by any and all users."
So, UsrClass.dat (one of the locations containing Shellbags [in addition to NTUSER.DAT]) plugs in to HKCU\Software\Classes, and HKCU\Software\Classes is part of HKCR.
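The relationship described in the reply above can be checked on a live system. The following is an added example, not code from the video or from either commenter: it lists the BagMRU key from NTUSER.DAT, the BagMRU key from UsrClass.dat, and the same UsrClass.dat key as seen through HKEY_CLASSES_ROOT, then confirms that the last two are one and the same key. It assumes PowerShell is run as the user whose Shellbags are being inspected, and that the HKCR: drive must be mapped by hand (PowerShell only provides HKLM: and HKCU: by default).

```powershell
# Added example (not from the video or the commenters): show that the two
# Shellbag locations are separate hives, and that the UsrClass.dat one is
# what HKEY_CLASSES_ROOT exposes for the current user.

$ntuserBags   = 'HKCU:\Software\Microsoft\Windows\Shell\BagMRU'                                   # backed by NTUSER.DAT
$usrclassBags = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'   # backed by UsrClass.dat

# HKCR: is not a default PowerShell drive; map it if missing (assumption: we are allowed to).
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
# HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so the UsrClass.dat
# Shellbags also appear here, without the "Software\Classes" prefix.
$hkcrBags = 'HKCR:\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'

foreach ($path in $ntuserBags, $usrclassBags, $hkcrBags) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { "{0,-95} (not present)" -f $path; continue }
    "{0,-95} subkeys={1,4} values={2,4}" -f $path, $key.SubKeyCount, $key.ValueCount
}

# The HKCU\Software\Classes view and the HKCR view resolve to the same key, so
# their subkey and value counts match; the NTUSER.DAT key is a different key
# and will generally differ.
$a = Get-Item -Path $usrclassBags
$b = Get-Item -Path $hkcrBags
"Same key via HKCU\Software\Classes and HKCR: " +
    (($a.SubKeyCount -eq $b.SubKeyCount) -and ($a.ValueCount -eq $b.ValueCount))

# For an offline examiner, the hives behind these keys live at:
#   NTUSER.DAT   -> $env:USERPROFILE\NTUSER.DAT
#   UsrClass.dat -> $env:LOCALAPPDATA\Microsoft\Windows\UsrClass.dat
```

The practical consequence for an examiner is that a tool or article saying "HKCR" and one saying "HKCU\Software\Classes" are pointing at the same UsrClass.dat data; the only genuinely separate set of Shellbags is the one in NTUSER.DAT, so both hives need to be collected from a disk image.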
Thanks again, that's really helpful. One other thing I wanted to know was whether it was possible to use Shellbag Explorer to examine a disk image? I tried to load offline hives from artefacts extracted from FTK imager but with no success.
Your channel is amazing.
Well done! I sense some Rob Lee knowledge influence :)
How do I disable Shellbags recording logs?
This vid was so helpful!
What if I install a new Windows or upgrade the current Windows version? Will the Shellbags for the old Windows still exist?
They should still persist after the upgrade/feature update, but the timestamps may be affected. See this: df-stream.com/2019/10/shellbags-windows-10-feature-updates/
Hello. I liked the content a lot however I'm not a native english speaker and I'm still looking for an exact definition of a shell bag. Is a shell bag:
1 - a subkey.
2 - The values stored in a subkey.
3 - A subkey and its values.
4 - A subkey, its values and its children keys?
That would help me a lot.
@13cubed Regarding the shellbag explorer demo, how long will the USB data be stored in that shellbag? Will it not be overwritten over time?
They can be removed by privacy cleaners, or manually, but otherwise those bag entries are persistent and do not expire or become overwritten.
Please consider the font size of the presentation.
All later videos have much easier to read fonts. This was recorded quite a while ago.
Excellent video. Thanks a lot.
Could you please share the software you use to prepare and edit your videos? Thanks a lot for the awesome tutorial, as usual!
Thanks - ScreenFlow and Final Cut Pro X
13Cubed, I really appreciate the effort you put into making this knowledge easily accessible to others!
Lmao that introduction 😂
I know a few shellbags