ArtiFast Forensics Artifacts Investigation - ShellBags
Shellbags are one of the most important artifacts for forensic investigators to examine during cyber forensic investigations on seized computers. But what exactly are shellbags, and why are they important? Shellbags are a valuable form of evidence, or, as we say, "artifacts", that reveal which folders a user has accessed on the seized computer. Shellbags record which folders a user has visited, along with the associated timestamps. This information can be used to help reconstruct the entire timeline and story of the crime.
Where are Shellbags located?
Shellbags are stored in the Windows Registry, specifically in the following paths:
For Windows XP and earlier:
- HKEY_USERS\<User SID>\Software\Microsoft\Windows\ShellNoRoam
- HKEY_USERS\<User SID>\Software\Microsoft\Windows\Shell
For Windows Vista and later (including Windows 10 and 11):
- HKEY_USERS\<User SID>\Software\Microsoft\Windows\Shell\BagMRU
- HKEY_USERS\<User SID>\Software\Microsoft\Windows\Shell\Bags
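The registry paths above only say where the keys live; what an analysis tool actually does is walk each BagMRU key in the order given by its MRUListEx value and decode the shell item stored in every numbered value (on Windows 7 and later most of these keys are also found in the user's UsrClass.dat hive under Local Settings\Software\Microsoft\Windows\Shell). The following is an added example, not ArtiFast code or code from this page: a small Python parser for a file-entry shell item with its 0xBEEF0004 extension block, following the layout documented by the libfwsi project. The input is a constructed in-memory dict that stands in for one BagMRU subkey's values; the folder names, timestamps and MFT references in it are made up for the example, and the FAT timestamps are decoded as stored (local time, 2-second resolution).

```python
"""Added example: decode one BagMRU subkey (MRUListEx + numbered shell items)."""
import struct
from datetime import datetime
from typing import Optional

BEEF0004 = 0xBEEF0004


def decode_fat_datetime(raw: bytes) -> Optional[datetime]:
    """4-byte FAT timestamp: uint16 date then uint16 time, little-endian; all-zero means unset."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def encode_fat_datetime(dt: datetime) -> bytes:
    """Inverse of decode_fat_datetime; only used to build the constructed sample below."""
    return struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                       (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def parse_mrulistex(raw: bytes) -> list:
    """MRUListEx: uint32 child indexes, most recently used first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def _read_utf16z(buf: bytes, pos: int):
    """Read a null-terminated UTF-16LE string; stop at end of buffer if no terminator."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_beef0004(block: bytes) -> dict:
    """Extension block 0xBEEF0004: creation/access times, NTFS file reference, long name."""
    size, version, sig, ctime, atime, ident = struct.unpack_from("<HHI4s4sH", block, 0)
    if sig != BEEF0004:
        raise ValueError("not a 0xBEEF0004 extension block")
    info = {"ext_version": version, "created": decode_fat_datetime(ctime),
            "accessed": decode_fat_datetime(atime)}
    pos = 18
    if version >= 7:
        pos += 2                                          # unknown/empty field
        ref = struct.unpack_from("<Q", block, pos)[0]     # NTFS file reference
        info["mft_entry"], info["mft_sequence"] = ref & 0xFFFFFFFFFFFF, ref >> 48
        pos += 16                                         # reference + 8 empty bytes
    long_name_size = 0
    if version >= 3:
        long_name_size = struct.unpack_from("<H", block, pos)[0]
        pos += 2
    if version >= 9:
        pos += 4                                          # unknown field (Windows 8+)
    if version >= 8:
        pos += 4                                          # unknown field (Windows 7+)
    if version >= 3:
        info["long_name"], pos = _read_utf16z(block, pos)
    if version >= 7 and long_name_size > 0:               # ANSI in older versions, not handled here
        info["localized_name"], pos = _read_utf16z(block, pos)
    info["version_offset"] = struct.unpack_from("<H", block, size - 2)[0]
    return info


def parse_file_entry_shell_item(raw: bytes) -> dict:
    """File entry shell item (class type 0x3x): the per-folder record in each numbered BagMRU value."""
    size, class_type = struct.unpack_from("<HB", raw, 0)
    if class_type & 0x70 != 0x30:
        raise ValueError("not a file entry shell item")
    file_size, mtime, attrs = struct.unpack_from("<I4sH", raw, 4)
    end = raw.index(b"\x00", 14)                          # short (8.3) name, ASCII, null-terminated
    pos = end + 1 + ((end + 1) % 2)                       # padded to a 16-bit boundary
    item = {"is_directory": bool(class_type & 0x01), "file_size": file_size, "attributes": attrs,
            "modified": decode_fat_datetime(mtime), "short_name": raw[14:end].decode("ascii")}
    if pos + 8 <= size and struct.unpack_from("<I", raw, pos + 4)[0] == BEEF0004:
        ext_size = struct.unpack_from("<H", raw, pos)[0]
        item.update(parse_beef0004(raw[pos:pos + ext_size]))
    return item


def parse_bagmru_node(values: dict) -> list:
    """Walk one BagMRU key's numbered values in MRU order (NodeSlot links the key to Bags\\<n>)."""
    entries = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        entry = parse_file_entry_shell_item(values[str(idx)])
        entry["bagmru_index"] = idx
        entries.append(entry)
    return entries


def build_sample_item(short, long, mtime, ctime, atime, mft) -> bytes:
    """Construct a directory item with a version-8 (Windows 7 era) 0xBEEF0004 block. Test data only."""
    name = short.encode("ascii") + b"\x00"
    name += b"\x00" * (len(name) % 2)
    ext_body = (struct.pack("<HI4s4sH", 8, BEEF0004, encode_fat_datetime(ctime),
                            encode_fat_datetime(atime), 0x2A)
                + b"\x00\x00" + struct.pack("<Q", (mft[1] << 48) | mft[0]) + b"\x00" * 8
                + struct.pack("<H", 0) + b"\x00" * 4 + long.encode("utf-16-le") + b"\x00\x00"
                + struct.pack("<H", 14 + len(name)))      # offset of this block in the item
    ext = struct.pack("<H", len(ext_body) + 2) + ext_body
    body = struct.pack("<BBI4sH", 0x31, 0, 0, encode_fat_datetime(mtime), 0x10) + name + ext
    return struct.pack("<H", len(body) + 2) + body + b"\x00\x00"   # trailing list terminator


def build_sample_bagmru_node() -> dict:
    """Constructed stand-in for one BagMRU subkey: 'Evidence' was opened more recently than 'Documents'."""
    return {
        "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),
        "0": build_sample_item("DOCUME~1", "Documents", datetime(2024, 3, 1, 9, 0, 0),
                               datetime(2023, 11, 20, 8, 15, 30), datetime(2024, 3, 1, 9, 0, 0), (4096, 2)),
        "1": build_sample_item("EVIDEN~1", "Evidence", datetime(2024, 3, 15, 14, 30, 10),
                               datetime(2024, 3, 15, 14, 29, 0), datetime(2024, 3, 15, 14, 30, 10), (5120, 1)),
        "NodeSlot": 7,
    }


if __name__ == "__main__":
    for e in parse_bagmru_node(build_sample_bagmru_node()):
        print(f'{e["bagmru_index"]}: {e["long_name"]:<10} modified={e["modified"]} '
              f'created={e["created"]} mft={e["mft_entry"]}/{e["mft_sequence"]}')
```

The order returned by parse_mrulistex is what turns a pile of keys into a timeline: the first index is the folder the user touched last, and the 0xBEEF0004 block supplies the folder's own creation and access times and its MFT reference, which is what lets a shellbag entry be matched to (or shown to have outlived) the folder on disk.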
There are many tools available to examine shellbag artifacts, such as ShellBags Explorer, Registry Explorer, and others. However, there's a particularly powerful tool that can analyze shellbags and many other types of forensic artifacts. This tool is called ArtiFast.
So, what is ArtiFast?
ArtiFast is a digital forensic tool designed to extract, parse, and present a wide range of artifacts from Windows, macOS, Android, and iOS systems. It provides investigators with an easy-to-use interface to quickly access data such as shellbags, browser history, recent files, USB activity, and more. ArtiFast automates the parsing process and presents the evidence in a clear, organized way, making it easier to reconstruct user activity during a forensic investigation.
How to Perform a Shellbags Investigation with ArtiFast:
First of all, you can download the Lite version of ArtiFast for free. However, keep in mind that the premium version offers additional features and functionalities that you might be interested in exploring.
- Download ArtiFast Lite: https://www.forensafe.com/free.html
- Try ArtiFast Suite: https://www.forensafe.com/try.html
After downloading and installing ArtiFast on your device, double-click the ArtiFast icon. When the User Account Control prompt appears, click Yes.
You will then see the main screen. From there, click Create New Case to begin. Refer to the screenshot below for guidance:
After clicking the Case button, you will see the menu bar below. From there, click New Case to proceed.
After clicking "New Case," a window pops up asking for general information about the case that you want to create. This includes fields for:
- Case Name: A unique title or reference for the case.
- Description: A brief summary or details about the case.
- Case Number: An identifier or reference number for the case.
- Examiner Name: The name of the person or team conducting the investigation.
Once this information is entered, you can proceed with the case creation.
Next, click Next, and you will be prompted to import the image of the seized or suspected computer. The screen will look like the one below:
Click Next again to proceed to the options menu. You can keep clicking Next to move through the available options. One of the important sections to look for is the Artifacts label.
In the Artifacts label of the Lite version, you will find a limited set of artifacts available for investigation, including:
- Windows Event Logs (EVT, EVTX)
- Shellbags
- ShimCache
- Skype
- Chrome
- USB Forensics
- User Information
Then, click Next, and in the Summary section, click Run to start collecting and parsing the information available in the memory image of the suspected or seized computer.
After clicking Run, you will see the screen below, indicating that ArtiFast has started the investigation and is collecting information from the image.
After the evidence collection and parsing process is complete, you will see the screen below. Simply click OK to begin your deep dive into the forensic investigation.
In the left sidebar, click the arrow next to OS to expand the menu. Then, select Shellbags from the list.
After selecting the Shellbags option, you will see the screen below. From here, you can begin your own investigation.