shellbags - Cross-platform shellbag parser

Distribution: CentOS 6
Repository: CERT Forensics Tools i386
Package filename: shellbags-0.5.5-1.el6.noarch.rpm
Package name: shellbags
Package version: 0.5.5
Package release: 1.el6
Package architecture: noarch
Package type: rpm
Category: Development/Libraries/Python
License: Apache 2.0
Maintainer: -
Download size: 30.62 KB
Installed size: 110.41 KB

Microsoft Windows uses a set of Registry keys known as "shellbags"
to maintain the size, view, icon, and position of a folder when using
Explorer. These keys are useful to a forensic investigator. Shellbags
persist information for directories even after the directory is removed,
which means that they can be used to enumerate past mounted volumes,
deleted files, and user actions. Yuandong Zhu, Pavel Gladyshev, and Joshua
James provided a nice overview of the investigative value of shellbags in
"Using shellbag information to reconstruct user activities" [pdf]; however,
they do not describe how to programmatically access the data. Allan S Hay
went into greater detail in his December 2004 document "MiTeC Registry
Analyser" [pdf], although he also leaves out a thorough analysis of the
format. TZWorks provides an effective closed-source shellbag parser, sbag,
but does not explain its algorithm. Yogesh Khatri first described the basic
structure of Windows Shell Items in his blog post for 42 LLC entitled "Shell BAG
Format Analysis". Joachim Metz went on to describe the binary format of the
Windows Shell Item structures in great detail in "Windows Shell Item format
specification" [pdf]. This page documents an approach to parsing shellbags in
detail and introduces an open-source, cross-platform shellbag parser.

Alternatives

Package | Version | Architecture | Repository
shellbags-0.5.5-1.el6.noarch.rpm | 0.5.5 | noarch | CERT Forensics Tools
shellbags | - | - | -

Requires

Name | Value
/usr/bin/python2 | -
python(abi) | = 2.6
python-enum | -
python-registry | -
python2 | -

Provides

Name | Value
shellbags | = 0.5.5-1.el6

Download

Binary Package: shellbags-0.5.5-1.el6.noarch.rpm
Source Package: shellbags-0.5.5-1.el6.src.rpm

Install Howto

  1. Add EPEL and RPMForge repositories
  2. Download cert-forensics-tools-release-el6 rpm:
  3. Install cert-forensics-tools-release-el6 rpm:
    # rpm -Uvh cert-forensics-tools-release*rpm
  4. Install shellbags rpm package:
    # yum --enablerepo=forensics install shellbags

Changelog

2013-12-20 - Willi Ballenthin <> 0.5.5-1
* Release 0.5.5-1
Version 0.5.5

2012-01-04 - Willi Ballenthin <> 0.5.1-2
* Release 0.5.1-2
Initial release

See Also

Package Description
silk-analysis-3.19.0-1.el6.i686.rpm SiLK Toolset: The Analysis Suite
silk-common-3.19.0-1.el6.i686.rpm SiLK Toolset: Common Libraries and Configuration Files
silk-devel-3.19.0-1.el6.i686.rpm The SiLK Toolset development files
silk-flowcap-3.19.0-1.el6.i686.rpm SiLK Toolset: Remote Flow Collection
silk-ipa-1.0-1.el6.noarch.rpm silk-ipa - SiLK with the IPA Suite and PostgreSQL
silk-ipset-devel-3.18.0-1.el6.i686.rpm The SiLK IPset development files
silk-ipset-lib-3.18.0-1.el6.i686.rpm The SiLK IPset library
silk-ipset-tools-3.18.0-1.el6.i686.rpm The SiLK IPset command line applications
silk-rwflowappend-3.19.0-1.el6.i686.rpm SiLK Toolset: Remote Data Storage Appending Daemon
silk-rwflowpack-3.19.0-1.el6.i686.rpm SiLK Toolset: The Packer
silk-rwpollexec-3.19.0-1.el6.i686.rpm SiLK Toolset: Batch Command Executor
silk-rwreceiver-3.19.0-1.el6.i686.rpm SiLK Toolset: File Transfer Receiver
silk-rwsender-3.19.0-1.el6.i686.rpm SiLK Toolset: File Transfer Sender
sleuthkit-4.6.7-1.1.el6.i686.rpm The Sleuth Kit (TSK)
sleuthkit-devel-4.6.7-1.1.el6.i686.rpm Development files for sleuthkit