Surviving Digital Forensics: Windows Shellbags

Computer forensic evidence to help prove file use & knowledge
4.2 (21 ratings)
233 students enrolled
Last updated 2/2015
30-Day Money-Back Guarantee
  • 1 hour on-demand video
  • 1 Article
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
Extract and analyze windows shellbag records to help prove file use and knowledge
Use freely available forensic tools to conduct shellbag analysis
Construct validation exercises to test how shellbags behave depending on media type
Construct validation exercises to test how shellbags behave according to different types of user activity
Confidently explain what Windows shellbag evidence is to non-technical audiences
  • You need a PC running Win7 or Win8 with admin rights
  • All forensic tools used are freely available, download links are included
  • Your test system should contain no critical data

Welcome to the Surviving Digital Forensics series. This series is focused on helping you become a better computer forensic examiner by teaching core computer forensic skills - all in about one hour. In this class we examine how to use Windows Shellbag records to help prove file use and knowledge. Shellbag records are written when a user browses folders in Windows Explorer, and they persist after the folder is deleted or the media is removed, so they can show where a user navigated on local, removable and network storage and, from the registry key timestamps, when they did so. Very powerful evidence!

As with previous SDF classes you will learn by doing. The class begins with a brief overview of the issue at hand. Then we set up our forensic systems and off we go. Learning is hands-on, and we use low-cost and no-cost computer forensic tools to do it.

Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way, we are going to teach you real computer forensic skills that you can apply using our method or customize to meet your needs. You will learn how to use freely available forensic tools, all GUI-based, to extract and analyze Windows Shellbag evidence.

Class Outline

1. Introduction and Welcome to the SDF series

2. Getting the most out of the class

3. Windows Shellbags - an overview

4. Shellbag Deep Dive

5. Setting up your forensic system

6. Validation practical 01 - local system activity

7. Validation practical 02 - attached USBs

8. Validation practical 03 - networked drives

9. Student Practical

10. Student Quiz

11. Reporting options

12. Review

13. Conclusion & thank you

A PC running Win7 or Win8 is required for this course. You need admin rights to the system. The system itself should be a test system containing no critical data. The forensic tools we use are all freely available, so beyond your operating system all you need is the desire to become a better computer forensic examiner.

Who is the target audience?
  • Computer Forensic Analysts
  • IT Professionals
  • Students
Curriculum For This Course
19 Lectures 01:09:41
2 Lectures 12:21

Hello and welcome to the SDF series!

Introduction and Welcome to the SDF series (Preview) 07:08

These are just a few tips to maximize your learning experience.

Getting the most out of the class (Preview) 05:13
Understanding Windows Shellbags
2 Lectures 16:54

Before we begin the practicals it is important to understand what Windows Shellbags are and which types of user activity affect them as a forensic artifact.

Windows Shellbags - An Overview

Let's look at one of the registry hives we are working with. You will appreciate the automated tools we will be using after this.

Shellbag Deep Dive

Shellbag Quiz
2 questions
Getting Set Up for the Practicals
2 Lectures 02:53

Let's get our forensic system set up for the practicals.

Setting up Forensic System

I put together a tutorial on how to load your local drive into FTK Imager for those that have never used this program before.

Loading your local drive in FTK Imager
Shellbag Validation Practicals 01 - Local System Activity
4 Lectures 14:19

In this practical we go over all the set up steps. I will not repeat these for each practical, rather, I will just discuss and go over notable findings. However, here I go over everything from beginning to end so you may use it as a reference.

Validation on Local System: Practical 01-A

Let's take a look at our first Shellbag findings.

Validation on Local System: Practical 01-A Results

Next we will expand this practical by making some view pane changes and seeing how this affects the Shellbag record.

Validation on Local System: Practical 01-B

You may have noticed that some Shellbag records have no created, modified or accessed times (drive roots and network shares, for example). This issue is clarified in this lesson.

Why No MAC Times?
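The following is an added example for this page, not the instructor's code and not the output of ShellBags Explorer or any other tool. It shows, in Python, what the overview lesson and the "Why No MAC Times?" lesson describe: how a BagMRU key's MRUListEx value orders its entries, how the numbered values (shell items) nest into a folder path, and why a file-entry item carries FAT-format modified/created/accessed times while a volume (drive root) item carries none. The registry tree it walks is constructed in memory to mirror the BagMRU nesting found under Software\Microsoft\Windows\Shell in NTUSER.DAT and under Local Settings\Software\Microsoft\Windows\Shell in UsrClass.dat; two simplifications are assumptions for the sample rather than format facts: names are ASCII only, and the 0xBEEF0004 extension block is built with just the fields the parser reads.

```python
"""Decode a Windows Shellbag BagMRU tree: MRU order, paths, FAT timestamps.

Added example; not the instructor's code. SAMPLE_BAGMRU below is CONSTRUCTED
in memory, not taken from a real hive.
"""
import struct
from datetime import datetime
from typing import Optional


def fat_decode(raw: bytes) -> Optional[datetime]:
    """FAT/DOS timestamp as stored in shell items: 16-bit date, then 16-bit
    time; local time; 2-second resolution. All-zero means 'not recorded'."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def mru_order(mrulistex: bytes) -> list:
    """MRUListEx: little-endian uint32 slot numbers, most recent first,
    terminated by 0xFFFFFFFF. The order is per key, not a global timeline."""
    order = []
    for (slot,) in struct.iter_unpack("<I", mrulistex):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def parse_shell_item(data: bytes) -> dict:
    """Decode the two item classes this sample uses: volume (0x2F) and
    file entry (0x31 directory / 0x32 file). ASCII names only (assumption)."""
    size, class_type = struct.unpack_from("<HB", data, 0)
    item = {"type": class_type, "name": None,
            "modified": None, "created": None, "accessed": None}
    if class_type & 0x70 == 0x20:                 # volume / drive root
        item["name"] = data[3:data.index(b"\x00", 3)].decode("ascii")
        return item                                # no timestamps in this item
    if class_type & 0x70 == 0x30:                 # file entry
        _fsize, mtime, _attrs = struct.unpack_from("<I4sH", data, 4)
        item["modified"] = fat_decode(mtime)
        end = data.index(b"\x00", 14)
        item["name"] = data[14:end].decode("ascii")   # 8.3 short name
        pos = end + 1
        pos += pos & 1                             # extension blocks are 2-byte aligned
        while pos + 8 <= size:
            ext_size, _ver, sig = struct.unpack_from("<HHI", data, pos)
            if ext_size == 0:
                break
            if sig == 0xBEEF0004:                  # creation + access FAT times
                item["created"] = fat_decode(data[pos + 8:pos + 12])
                item["accessed"] = fat_decode(data[pos + 12:pos + 16])
            pos += ext_size
        return item
    raise ValueError(f"unhandled shell item class 0x{class_type:02x}")


def walk_bagmru(node: dict, parent: str = "") -> list:
    """Each BagMRU key holds numbered values (one shell item each) and
    same-numbered subkeys for the next path component; join them."""
    rows = []
    for slot in mru_order(node["MRUListEx"]):
        item = parse_shell_item(node[str(slot)])
        sep = "" if parent == "" or parent.endswith("\\") else "\\"
        path = parent + sep + item["name"]
        rows.append({"path": path, **item})
        child = node.get("subkeys", {}).get(str(slot))
        if child is not None:
            rows.extend(walk_bagmru(child, path))
    return rows


# ---- constructed sample data (not from a real hive) -------------------------

def fat_encode(dt: datetime) -> bytes:
    return struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                       (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def _volume_item(drive: str) -> bytes:
    body = (b"\x2f" + drive.encode("ascii") + b"\x00").ljust(23, b"\x00")
    return struct.pack("<H", len(body) + 2) + body


def _dir_item(short_name: str, mtime, ctime, atime) -> bytes:
    body = struct.pack("<BBI4sH", 0x31, 0, 0, fat_encode(mtime), 0x10)
    body += short_name.encode("ascii") + b"\x00"
    body += b"\x00" * ((len(body) + 2) & 1)       # pad to 2-byte alignment
    body += struct.pack("<HHI4s4sH", 18, 8, 0xBEEF0004,   # simplified extension block
                        fat_encode(ctime), fat_encode(atime), 0)
    return struct.pack("<H", len(body) + 2) + body


SAMPLE_BAGMRU = {
    "MRUListEx": struct.pack("<II", 0, 0xFFFFFFFF),
    "0": _volume_item("C:\\"),
    "subkeys": {"0": {
        "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),   # TOOLS visited after DOCS
        "0": _dir_item("DOCS", datetime(2015, 2, 10, 14, 30, 40),
                       datetime(2014, 12, 1, 9, 0, 0), datetime(2015, 2, 11, 8, 15, 30)),
        "1": _dir_item("TOOLS", datetime(2015, 1, 20, 11, 5, 10),
                       datetime(2015, 1, 20, 11, 5, 10), datetime(2015, 2, 12, 16, 40, 0)),
        "subkeys": {},
    }},
}

if __name__ == "__main__":
    for r in walk_bagmru(SAMPLE_BAGMRU):
        print(f"{r['path']:<10} mod={r['modified']} cre={r['created']} acc={r['accessed']}")
```

Two points to keep in mind when reading the output. The MAC times embedded in a file-entry item are the folder's own timestamps as Explorer saw them when the bag was written (local time, rounded to 2 seconds), so they can be stale; the answer to "when was the user there" comes from the last-write time of the BagMRU subkey holding the entry, which a hive parser reads from the key itself and which an in-memory sample like this one cannot show. And the drive-root row has no timestamps at all, because a volume shell item has nowhere to store them: that is the "no MAC times" case, not a parsing failure.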

Shellbag Quiz
1 question
Shellbag Validation Practicals 02 - Attached USBs
4 Lectures 12:08

First, let's get set up for this practical. Make sure your USB is wiped and ready for use before you begin.

Attached USBs - Practical 02-A

Attached USBs - Practical 02-B

In this practical we uncover some interesting conflicting data that shows Shellbag records may not be entirely accurate.

Attached USBs - Practical 02-C

This last practical rounds out our USB exercises and gives us further insight into how Shellbag records behave.

Attached USBs - Practical 02-D
Shellbag Validation Practical 03 - Networked Drives
1 Lecture 04:35

Let's take a look at Shellbag records for networked drives.

Networked Drives - Practical 03
Shellbag Student Practical
1 Lecture 00:05

Now it is your turn to examine Shellbags on your own.

Shellbag Student Practical

Shellbag Quiz
4 questions
3 Lectures 06:25

ShellBags Explorer has a few reporting options worth mentioning, and they are discussed here.

Reporting Options

Let's review what we have learned.

Review

Thanks for joining me in another edition of SDF. Hope to see you again!

Check out other classes of the SDF series at

Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.

Check out our Blog at

Check out our Youtube channel

Conclusion & Thank You!
About the Instructor
4.1 Average rating
288 Reviews
2,245 Students
15 Courses
Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.
