shellbag - Paiet/FOR---Operating-System-Forensics GitHub Wiki

Explorer view preferences: previewing files, changed icons, sorting dates in ascending order

The first and last time a user accessed a folder

Whether a file was accessed, or removable media was used by a user to access a file or folder

Hive files: NTUSER.DAT and UsrClass.dat. UsrClass.dat holds references for the user and folders

The MRU list can tell you the order in which things were accessed

  • the last accessed will be first

All MRU lists end with four bytes

7-Zip doesn't get recorded

microsoft windows swwi folder zero > number 10 > number 1 > number 1

The MFT entry number will be the same regardless of a folder name change

Target timestamp, last access time, child bags

  • The details show the short name and long name, the shellbag type, and the type of OS filesystem (like NTFS). The MFT entry and sequence numbers identify each file/folder in the filesystem with unique entry numbers

BagMRU can show the order of folder access

  • NodeSlot/block is used to correlate the key from BagMRU with the Bags key
  • Icon size, sort, and an overview of folders can help determine that a user accessed a folder at a certain time and, with other artifacts, can help us prove whether a user accessed other items
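
The MRU ordering and the NodeSlot correlation noted above, as an added example that is not part of the original notes or of any tool named on this page. It assumes the MRU value (MRUListEx) is a run of 32-bit little-endian child key numbers terminated by four 0xFF bytes; the sample bytes and NodeSlot values are constructed.

```python
import struct

TERMINATOR = 0xFFFFFFFF  # the four bytes that end every MRU list


def parse_mrulistex(data):
    """Return child key numbers in MRU order (most recently accessed first)."""
    order = []
    for offset in range(0, len(data) - 3, 4):
        (entry,) = struct.unpack_from("<I", data, offset)
        if entry == TERMINATOR:
            return order
        order.append(entry)
    # No terminator seen: the value was truncated or is not an MRU list.
    raise ValueError("MRU list has no 0xFFFFFFFF terminator")


def correlate(mru, node_slots, parent="BagMRU"):
    """Pair each child, in MRU order, with the Bags key its NodeSlot names."""
    rows = []
    for rank, child in enumerate(parse_mrulistex(mru)):
        slot = node_slots.get(child)  # None: child key missing or deleted
        bags = "Bags\\{}\\Shell".format(slot) if slot is not None else None
        rows.append((rank, "{}\\{}".format(parent, child), bags))
    return rows


# Constructed sample: children 2, 0, 1, with child 2 accessed most recently.
SAMPLE_MRU = struct.pack("<4I", 2, 0, 1, TERMINATOR)
# Constructed NodeSlot value for each child key under the parent.
SAMPLE_SLOTS = {0: 5, 1: 9, 2: 14}

if __name__ == "__main__":
    for rank, key, bags in correlate(SAMPLE_MRU, SAMPLE_SLOTS):
        print(rank, key, "->", bags)
```

A child that appears in the MRU list but has no NodeSlot comes back with `None`, which is worth flagging during review because it can mean the child key was removed.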

RegRipper

  • rr.exe
  • bat for hive bat for output used for installing report