Read More from SANS Forensic Blog

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.
Is anybody drooling yet?
Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect’s USB stick that you didn’t get looked like? Read on!
The data is stored as binary blobs under the following registry keys:
- HKCU\Software\Microsoft\Windows\Shell\BagMRU
- HKCU\Software\Microsoft\Windows\Shell\Bags
- HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
- HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
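As an added example (not code from this post or from the SANS article), the Python below shows how a BagMRU tree turns back into folder paths. It assumes the publicly documented layout, which this page does not describe: each numbered value holds one shell item naming a child folder, the same-numbered subkey holds that folder's own children, and `NodeSlot` gives the matching `Bags\<n>` subkey. The nested dict standing in for the registry and every sample value are constructed.

```python
import struct

# Assumed shell item layout (public format notes, not this page):
# uint16 size, uint8 type, then type-specific data.
def item_name(blob):
    """Best-effort display name for one BagMRU value (a single shell item)."""
    if len(blob) < 3:
        return "<empty>"
    size, kind = struct.unpack_from("<HB", blob, 0)
    if kind == 0x2F:  # volume item: drive string starts at offset 3
        return blob[3:size].split(b"\x00")[0].decode("ascii", "replace")
    if kind & 0x70 == 0x30:  # file/folder entry: primary name starts at offset 14
        raw = blob[14:size]
        if kind & 0x04:  # flag bit: name is UTF-16LE rather than ASCII
            return raw[:len(raw) & ~1].decode("utf-16-le", "replace").split("\x00")[0]
        return raw.split(b"\x00")[0].decode("ascii", "replace")
    return "<item 0x%02x>" % kind  # other item types are reported, not parsed

def walk(key, path=""):
    """Return (folder path, NodeSlot) rows for a BagMRU key and all its subkeys."""
    rows = []
    for name in sorted((n for n in key["values"] if n.isdigit()), key=int):
        child = key["subkeys"].get(name, {"values": {}, "subkeys": {}})
        label = item_name(key["values"][name])
        full = path.rstrip("\\") + "\\" + label if path else label
        rows.append((full, child["values"].get("NodeSlot")))
        rows.extend(walk(child, full))
    return rows

# --- constructed sample data, not taken from a real hive ---
def _volume(drive):
    body = b"\x2f" + drive.encode("ascii").ljust(22, b"\x00")
    return struct.pack("<H", len(body) + 2) + body + b"\x00\x00"

def _folder(name):
    body = b"\x31\x00" + b"\x00" * 8 + b"\x10\x00" + name.encode("ascii") + b"\x00"
    return struct.pack("<H", len(body) + 2) + body + b"\x00\x00"

def _key(slot, children=()):
    values = {"NodeSlot": slot, **{str(i): b for i, (b, _) in enumerate(children)}}
    return {"values": values, "subkeys": {str(i): k for i, (_, k) in enumerate(children)}}

SAMPLE_BAGMRU = _key(1, [(_volume("E:\\"), _key(2, [
    (_folder("PAYROLL"), _key(3, [(_folder("2008"), _key(4))])),
    (_folder("TOOLS"), _key(5)),
]))])

if __name__ == "__main__":
    for folder, slot in walk(SAMPLE_BAGMRU):
        print("%-20s -> Bags\\%s" % (folder, slot))
```

Against a real hive, the same walk would be fed from the BagMRU keys listed above instead of the constructed dict.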
Saturday, November 1, 2008
Shellbags Registry Forensics