Source: Windows Incident Response Blog
In this article “What are “shellbags”?
To get an understanding of what “shellbags” are, I’d suggest that you start by reading Chad Tilbury’s excellent SANS Forensic blog post on the topic. I’m not going to try to steal Chad’s thunder…he does a great job of explaining what these artifacts are, so there’s really no sense in rehashing everything.
Discussion of this topic goes back well before Chad’s post, with this DFRWS 2009 paper. Before that, John McCash talked aboutShellBag Registry Forensics on the SANS Forensics blog. Even Microsoft mentions the keys in question in KB 813711.
Without going into a lot of detail, a user’s shell window preferences are maintained in the Registry, and the hive and keys being used to record these preferences will depend upon the version of the Windows operating system. Microsoft wants the user to have a great experience while using the operating system and applications, right? If a user opens up a window on the Desktop and repositions and resizes that window, how annoying would it be to shut the system down, and have to come back the next day and have to do it all over again? Because this information is recorded in the Registry, it is available to analysts who can parse and interpret the data. As such, “ShellBags” is sort of a colloquial term used to refer to a specific area of Registry analysis. “