Shell Bags

Description: Shows which folders were accessed on the local machine, the network, and/or removable devices. Provides evidence of previously existing folders after deletion/overwrite, and shows when certain folders were accessed.

Location:

Windows Explorer:

  • C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT
    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Desktop:

  • C:\Users\<username>\NTUSER.DAT
    • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
    • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Notes: Stores information about which folders were most recently browsed by the user.
