Nope, I’m not talking about a bag of sea shells.
When you hear someone utter the phrase “Windows Shellbags”, they are talking about digital forensics, not the beach.
Most people don’t realize that Microsoft Windows quietly records, for every folder you open in Windows Explorer, data such as:
- The window size, position and view settings you last used for that folder
- The folder’s modification, access and creation timestamps, as stored in the shell item
- When the entry itself was last written (the registry key’s last-write time)
Microsoft’s rationale is that Explorer needs a way to remember how you last viewed a folder so that the next time you open it, the window size and view mode instantly return as you left them.
It’s a matter of convenience.
Now, initially it might appear that these “preference records” are merely a minor privacy issue. It isn’t immediately obvious why such data is valuable until you realize that it is both persistent and pervasive.
In other words, it doesn’t matter if you created a folder once and then left it dormant for years, or even deleted it from your system.
The record of the folder stays behind in the registry until something removes it, and can therefore serve as evidence that you, or someone using your Windows account, opened a specific folder and when its contents were last changed.
Furthermore, the records aren’t limited to local folders. Network shares, removable drives and even mounted encrypted volumes leave vestiges of activity in the registry.
Like a stubborn stain that refuses to go away, all your activities stay.
The problem is exacerbated because the entry is created the first time the folder is opened in Explorer, so it lets law enforcement make a cogent case that the user actually opened the folder, not merely that it existed. The evidence trail is saved as a series of nested subkeys under BagMRU and Bags in the user’s registry hives: HKCU\Software\Microsoft\Windows\Shell (stored in NTUSER.DAT) and, since Windows 7, HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell (stored in UsrClass.dat). Together these are what’s known as ShellBags.
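To see what this looks like on a live system, here is an added PowerShell example (not code from the original post, and not the Goversoft tool discussed later) that walks both BagMRU trees for the current user and prints the folder name recorded in each shell item. It assumes Windows 7 or later and the documented key locations above; it decodes only the short ASCII “primary” name in the base shell item, since the long name lives in an extension block that this script does not parse.

```powershell
# Added example: enumerate the current user's ShellBag entries (BagMRU tree).
# Assumptions: Windows 7+, the two documented BagMRU key locations below.
# Each BagMRU subkey "0", "1", ... is described by a binary value of the same
# name under its parent, holding a shell item; NodeSlot links it to Bags\<n>.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
)

function Get-ShellItemName {
    param([byte[]]$Item)
    if ($Item.Length -lt 3) { return '?' }
    $type = $Item[2]                     # class type indicator
    switch ($type -band 0x70) {
        0x10 {                           # root folder: 16-byte GUID at offset 4
            if ($Item.Length -ge 20) {
                return '{' + ([guid][byte[]]$Item[4..19]).ToString().ToUpper() + '}'
            }
        }
        0x20 {                           # volume: ASCII drive letter at offset 3, e.g. "C:\"
            $s = [System.Text.Encoding]::ASCII.GetString($Item, 3, $Item.Length - 3)
            return $s.Split([char]0)[0]
        }
        0x30 {                           # file entry: ASCII primary (8.3) name at offset 14
            if ($Item.Length -gt 14) {
                $s = [System.Text.Encoding]::ASCII.GetString($Item, 14, $Item.Length - 14)
                return $s.Split([char]0)[0]
            }
        }
    }
    return ('<type 0x{0:X2}>' -f $type)  # other item kinds are not decoded here
}

function Get-ShellBagFolder {
    param([string]$Key, [string]$Path)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($sub in Get-ChildItem -Path $Key -ErrorAction SilentlyContinue) {
        $name = Get-ShellItemName -Item ($props.($sub.PSChildName))
        $full = if ($Path) { "$Path\$name" } else { $name }
        $slot = (Get-ItemProperty -Path $sub.PSPath -Name NodeSlot -ErrorAction SilentlyContinue).NodeSlot
        [pscustomobject]@{ Folder = $full; NodeSlot = $slot; Key = $sub.PSPath }
        Get-ShellBagFolder -Key $sub.PSPath -Path $full   # recurse into child folders
    }
}

$all = foreach ($r in $roots) { if (Test-Path $r) { Get-ShellBagFolder -Key $r -Path '' } }
$all | Format-Table Folder, NodeSlot -AutoSize
"{0} ShellBag entries found" -f @($all).Count
```

Run it from an ordinary (non-elevated) PowerShell window under the account you want to inspect; the entries belong to that user’s hives, so an administrator looking at another account has to load that account’s NTUSER.DAT and UsrClass.dat instead. Entries for drives that are no longer attached and folders that no longer exist still show up, which is the persistence the text describes.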
PhD student Yuandong Zhu and his fellow researchers at the Centre for Cybercrime Investigation, University College Dublin, published a nine-page academic paper describing how to analyze ShellBag data to reconstruct user activity.
Likewise, digital forensics investigator Allan S. Hay released a dense 14-page whitepaper that explains exactly how to use Windows Registry Analyzer to reach a sound conclusion about user activity.
The SANS Institute even jumped into the fray with a 32-page guide that breaks down the structure of ShellBags and tries to help ordinary people make sense of it.
Here’s the bottom line: if you don’t want the world knowing about the shells in your bag, Microsoft says the keys can be safely deleted. Obviously, you’ll need to back up the registry first, but to be honest I’d rather forgo fiddling with the registry by hand.
There are numerous keys to delete and it’s too easy to make a mistake.
Instead of enumerating the reams of registry keys to delete, I suggest using the Shellbag Analyzer & Cleaner by Goversoft.
The first time you run the tool and peruse the results you’ll be aghast at what you see.
I had 1,311 ShellBags with 182 traces of deleted folders on my system.
When you click Clean, a window opens asking you which specific ShellBags to remove.
You can specify just:
- Deleted folders
- Existing folders
- Search results
- Network and external devices or
- Flush the whole shebang at once.
I just want to pause for a moment to underscore again the importance of backing up the registry.
Whenever you or any application modifies the registry outside normal use (for example, outside of installing software), it’s always judicious to make a copy first so you can extricate yourself from unexpected events. Please take a moment to back it up before using this tool.
Once you have it all in order, click Ok and start cleaning out those dirty shells from your bags.
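For readers who would rather script the backup-then-clean procedure than click through a tool, here is an added PowerShell example (not the Goversoft cleaner and not code from the original post). It exports each of the four ShellBag keys to a .reg file with reg.exe before touching anything, and only previews the deletion unless you pass -Delete. It assumes Windows 7 or later and the documented key names; the backup folder name is this example’s own choice.

```powershell
# Added example: back up the ShellBag keys, then remove them.
# Assumptions: Windows 7+, the documented ShellBag key locations.
# Without -Delete, Remove-Item runs with -WhatIf and only reports what it would do.
param([switch]$Delete)

$keys = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags',
    'HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags'
)

# One timestamped folder per run so earlier backups are never overwritten
$backupDir = Join-Path $env:USERPROFILE ('ShellBagBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

$n = 0
foreach ($k in $keys) {
    $psPath = "Registry::$k"
    if (-not (Test-Path $psPath)) { Write-Host "absent: $k"; continue }

    # reg.exe export writes a .reg file; 'reg import <file>' restores it later
    $file = Join-Path $backupDir "$n.reg"
    $n++
    & reg.exe export $k $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        Write-Warning "backup of $k failed; leaving it untouched"
        continue
    }
    Write-Host "backed up $k -> $file"

    # Delete the whole subtree, but only for real when -Delete was given
    Remove-Item -Path $psPath -Recurse -WhatIf:(-not $Delete)
}
Write-Host "backups are in $backupDir"
```

Two practical caveats. First, close all Explorer windows before running it with -Delete: Explorer keeps folder view settings cached in memory and can write some of them back after you delete the keys, which is also why cleaning tools ask you to close Explorer. Second, this removes everything, which is coarser than the Goversoft tool’s option to keep existing folders; if you want that selectivity, use the tool and keep this script for the backup step only.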
The Bottom Line
I think the second half of this year is going to see a massive surge in privacy protection software, services and education. We’re still in the wake of the NSA warrantless surveillance debacle, which has caused us to doubt the government’s credibility on privacy.
And although the government has attempted to redress its reputation, it hasn’t quite cleared its name yet. I imagine it will take an incalculable amount of time before the American people can even begin to think about trusting it again.
But the good news is now that you know how to purge nosy registry keys, you’re one step ahead in our constant fight for privacy.
If you have any questions please share in the comments below!