Course 21 - Digital Forensics: Windows Shellbags | Episode 4: Shellbag Forensics: Tracking USB Device History and Artifact Validation

from CyberCode Academy · host CyberCode Academy

In this lesson, you’ll learn about:USB Forensics Using Shellbag ArtifactsHow Windows Shellbags can be leveraged to reconstruct user interaction with removable media.Why Shellbags are valuable for determining whether files were copied to or from USB devices, even when the media is no longer connected.Initial Evidence Generation and CollectionCreating controlled forensic artifacts by moving test files onto a FAT16-formatted USB drive.Exporting relevant registry hives (such as USRCLASS.DAT) using FTK Imager.Loading these hives into Shellbag Explorer for structured analysis.Understanding File System Timestamp BehaviorRecognizing FAT16 limitations, where Last Accessed timestamps record only the date, not the time.Interpreting Created timestamps as the moment files or folders were moved onto the USB device.Understanding why Modified timestamps often remain unchanged during copy or move operations.Shellbag Data Merging and Ghost ArtifactsLearning how Windows may merge Shellbag data when a USB device is reformatted, renamed, or reused.Understanding how previously accessed folders can still appear in Shellbag Explorer due to reuse of the same drive letter or volume identifiers.Identifying “ghost” directories and avoiding false assumptions about current device contents.Handling Multiple Removable DevicesObserving how Windows assigns new drive letters (e.g., E:, then F:) when multiple USB devices are connected.Using Last Write Time values to infer when a USB device was inserted or when its folder view preferences were modified.Forensic Validation and ReportingEvaluating whether timestamps and folder structures logically align with expected user behavior.Understanding why investigators must not rely solely on automated tool output.Emphasizing manual validation to prevent misinterpretation caused by merged or residual Shellbag data.By the end of this episode, you’ll be able to analyze Shellbag artifacts related to USB devices, accurately interpret file system timestamps, and validate whether removable media activity supports or contradicts suspected data exfiltration or injection events.You can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy

NOW PLAYING

0:00 12:03

1×

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Share this episode

Similar Episodes

Solar Cooking with the My Solar Oven

May 12, 2026 ·35m

Luke 16

May 10, 2026 ·29m

Communications Vunerabilites

May 7, 2026 ·30m

2FA: The Simple Step That Stops Most Hacks

May 5, 2026 ·19m

Episode 252 | April 2026 | Part 2 American Family Physician

Apr 30, 2026 ·18m

The 2 Hour Marathon Barrier has Been Smashed

Apr 30, 2026 ·37m

Similar Podcasts

Lead with Faith: Empowering the Next Generation Jermaine Whiteside The Empowering Future Leaders Podcast – Presented by Anointed Connect Academy and hosted by Jermaine E. Whiteside, Doctoral Candidate in Christian Education, this podcast is your gateway to faith-driven leadership, lifelong learning, and real-world success strategies. Each episode blends inspiration with action, spotlighting career pathways, professional exam preparation, and innovative educational resources designed to equip the next generation of leaders.With candid conversations, expert insights, and transformative stories from students, educators, and industry leaders, we address the challenges facing at-risk and underserved communities while providing tangible tools to overcome them. Rooted in Christian values and a commitment to generational impact, this podcast empowers students, parents, and professionals to break barriers, build skills, and boldly pursue their God-given purpose. Reconnect Radio Tara Kemp, PhD Reconnect Radio is a show for mindful women seeking a more aligned life. Hosted by leading mental health expert, researcher, and coach Tara Kemp, PhD - each episode brings the latest evidence-based tools, practical tips, and personal stories to support you in building a healthy relationship with food, your body, and yourself. If you’re ready to do the inner work that will lead you to thrive in your most authentic and aligned life, hit the follow button and get ready to experience true healing and transformation.Follow Tara on Instagram @tarakemp_ : https://www.instagram.com/tarakemp_Join Reconnect’s FREE Private Facebook Community for Plant-based Women: https://www.facebook.com/groups/reconnectplantbasedwomenSign up for Reconnect Academy: https://www.reconnectcollective.com/reconnect-academyLearn about other Reconnect Collective programs: https://www.reconnectcollective.com Flintoff, Savage and the Ping Pong Guy BBC Radio 5 Live Andrew Flintoff, Robbie Savage and Matthew Syed discuss topical sports talking points.Three-time winners at the Radio Academy Awards: Best Podcast; Best New Show; Best Presenter (Andrew Flintoff)!Keep leaving your reviews and ratings, and don't forget you can get in touch using #FredSavSyed Prepping Academy Prepping Academy The Prepping Academy Radio Show is a live broadcast aimed at discussing various topics related to prepping, survival, and self-reliance, while also serving as a platform for preppers to unite. Our ultimate objective at The Prepping Academy Radio Show is to broaden your perspectives and inspire you to take action, as we strongly believe that preparedness is of the essence. We welcome preppers of all levels to join us on preppingacademy.com and PrepperNet.com.

Frequently Asked Questions

How long is this episode of CyberCode Academy?

This episode is 12 minutes long.

When was this CyberCode Academy episode published?

This episode was published on February 2, 2026.

What is this episode about?

Is there a transcript available for this episode?

Yes, a full transcript is available for this episode. You can read the complete transcript on the episode page.

Can I download this CyberCode Academy episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.

URL copied to clipboard!