Digital Forensics Analysis of Windows 11 Shellbag with Comparative Tools

Title: Digital Forensics Analysis of Windows 11 Shellbag with Comparative Tools
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Neyaz, Ashar; Shashidhar, Narasimha; Varol, Cihan; Rasheed, Amar
Conference Name: 2022 10th International Symposium on Digital Forensics and Security (ISDFS)
Date Published: jun
Keywords: artifacts, Behavioral sciences, composability, digital forensics, digital forensics investigations, forensics tools, Freeware, Metrics, Open Source Software, operating system, Operating systems, pubcrawl, Resiliency, security, Shellbag, Sorting, Windows Operating System Security, Windows Registry
Abstract: Operating systems have various components that produce artifacts. These artifacts are the outcome of a user's interaction with an application or program and the operating system's logging capabilities. Thus, these artifacts have great importance in digital forensics investigations. For example, these artifacts can be utilized in a court of law to prove the existence of compromising computer system behaviors. One such component of the Microsoft Windows operating system is Shellbag, which is an enticing source of digital evidence of high forensics interest. The presence of a Shellbag entry means a specific user has visited a particular folder and done some customizations such as accessing, sorting, resizing the window, etc. In this work, we forensically analyze Shellbag as we talk about its purpose, types, and specificity with the latest version of the Windows 11 operating system and uncover the registry hives that contain Shellbag customization information. We also conduct in-depth forensics examinations on Shellbag entries using three tools of three different types, i.e., open-source, freeware, and proprietary tools. Lastly, we compared the capabilities of tools utilized in Shellbag forensics investigations.
DOI: 10.1109/ISDFS55398.2022.9800788
Citation Key: neyaz_digital_2022