As a continuation of the “Introduction to Windows Forensics” series, this video by Richard Davis introduces Shellbags. Have you ever customized the folder view settings within any folder in Windows Explorer? This could be anything from changing the sort order, to changing the view type from icons, to list view, to detail view, changing what columns are visible, or even changing the size of the window. If so, when you’ve returned to that folder at a later date, you’ve probably seen that the customizations remained. That information is stored within “Shellbags”.
Why do digital forensics examiners care about folder view settings, and how could this possibly be of forensic interest? Watch this video and find out!