reg-shellbags

Loads the "information on the folder accessed by the user from local, network, and removable storage devices" stored in the registry. You can use the loaded data to check the time information of when a user accessed a specific folder, track evidence of deletion/overwriting of existing folders, and track the MAC time for folder access through Explorer.

Syntax

reg-shellbags [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameters
FILE_PATH
Path to the registry file. If you provided the zippath option, input the file path in the ZIP file.
Optional Parameters
zippath=ZIPFILE_PATH
Path to the ZIP file.

Description

After running the reg-shellbags command, the output fields are as follows:

FieldTypeDescription
file_nameStringFile name
file_extStringFile extension
last_writtenDateLast written time
orderIntegerFile order by extension

Usage

  1. Retrieve by providing the file path.

    reg-shellbags /opt/logpresso/testdata/registry/test/NTUSER.DAT
    
  2. Retrieve when the zippath option is provided.

    reg-shellbags zippath=/opt/logpresso/testdata/registry.zip registry/test/NTUSER.DAT
    
  3. Sort the order by file extension.

    reg-shellbags /opt/logpresso/testdata/registry/test/NTUSER.DAT
    | sort file_ext, order