Home /
education Podcasts /
CyberCode Academy /
Course 21 - Digital Forensics: Windows Shellbags | Episode 3: ShellBag Forensics: Practical Validation and Timestamp Analysis

EPISODE · Feb 1, 2026 · 13 MIN

Course 21 - Digital Forensics: Windows Shellbags | Episode 3: ShellBag Forensics: Practical Validation and Timestamp Analysis

from CyberCode Academy · host CyberCode Academy

In this lesson, you’ll learn about:Practical ShellBag Forensics WorkflowHow ShellBags function as registry-based artifacts that record user folder interaction and view preferences.The full investigative cycle: evidence creation, acquisition, analysis, and validation.Registry Hive AcquisitionCreating controlled user activity (e.g., test folders) to deliberately generate ShellBag evidence.Exporting NTUSER.DAT from the root of the user profile and USRCLASS.DAT from the AppData directory using FTK Imager.Required system configuration steps, including enabling hidden files and protected operating system files, to access locked registry hives.Interpreting ShellBag TimestampsUnderstanding the forensic meaning of Last Write Time, which reflects either the first folder access or a change in folder view settings.Differentiating embedded MAC times (Created, Modified, Accessed) as historical snapshots captured when the ShellBag entry was first generated.Correctly handling UTC/GMT timestamps and applying local time offsets to ensure accurate forensic timelines.Validation Through Controlled ExperimentsDemonstrating that changing folder view options (such as switching to large icons) updates the Last Write Time without altering embedded MAC timestamps.Recognizing normal conditions where certain directories—such as system folders or hard-coded shortcuts—do not contain MAC times.Evidence Location AwarenessKnowing where user-specific ShellBag data resides within the Windows registry structure.Understanding how these locations support user attribution and timeline reconstruction during forensic investigations.By the end of the episode, you’ll be able to confidently extract ShellBag-related registry hives, correctly interpret their timestamps, and validate user activity findings through repeatable forensic testing.You can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy

NOW PLAYING

Course 21 - Digital Forensics: Windows Shellbags | Episode 3: ShellBag Forensics: Practical Validation and Timestamp Analysis

0:00 13:37

1×

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Share this episode

Similar Episodes

Episode 126: Stop Chasing Followers — Do This Instead

Apr 28, 2026 ·22m

Apr 19, 2026 ·43m

Apr 12, 2026 ·31m

Mar 22, 2026 ·33m

Mar 15, 2026 ·31m

Episode 125: What You Need To Do First Before Marketing Your New Business!

Mar 11, 2026 ·23m

Similar Podcasts

Simple Marketing Academy - by Fox Social Media Jill W. Fox & Tanner J. Fox Welcome to Simple Marketing Academy, where entrepreneurs & small business owners learn how to successfully market their businesses in a simple and inexpensive way, in order to reach more of their ideal customers & increase their sales! South West London Vineyard Church South West London Vineyard South West London Vineyard is a Christian church that meets in Putney. The church started with a small group of people in 1987 who wanted to see how following Jesus could make a difference, not only to their lives, but also to the lives of the people in the city around them.Sundays from 10:30-12pm at Ark, Putney, Academy, Pullman Gardens, London, SW15 3DG. You'd be really welcome. Leading With Purpose Nathan R Mitchell: Increase your self-awareness, lead to your full potential, & achieve more in less time with the Leading with Purpose - Empowering Talk Radio Podcast | Inspired by Tony Robbins, Simon Sinek, Daniel Pink, Seth Godin, Brendon Burchard, Bob INCREASE YOUR SELF-AWARENESS | LEAD TO YOUR POTENTIAL | ACHIEVE MORE IN LESS TIME: Let America's Leading Empowerment Coach, Founder of Clutch Consulting, LPX Academy, and Certified Member of The John Maxwell Team, Nathan R Mitchell, empower you to increase your self-awareness, lead to your full potential, and achieve more in less time. Drawing upon inspiration from Tony Robbins, Simon Sinek, Daniel Pink, Seth Godin, Bob Burg, John Maxwell, Brendon Burchard and others, on each episode of Leading With Purpose – Empowering Talk Radio, Nathan interviews top coaches, speakers, business owners, authors, and other experts to provide leaders and achievers with the information they need to get from where they are now to where they desire to be. Past guests have included Brian Smith - Founder of UGG Shoes, Lisa Nichols of Motivating the Masses, Lee Milteer, Dr. Josh Davis, Ben Gay III, Eric Lofholm, and many others. Beyond The Basics Health Academy Podcast Dr. Meaghan Kirschling Are you looking for practical, holistic, real-life solutions for healthier living? Join Dr. Meaghan Kirschling for real life education as she discusses and explores topics that affect everyday living. Dr. Meaghan brings in expert guests for a lively discussion about nutrition, supplements, holistic health, integrative medicine, and the latest research on a variety of topics. Join the Academy for the University of You!

URL copied to clipboard!