Windows Forensic Artifacts II: ShellBags, ADS, LNK, Hibernation and Slack Space
ShellBags, NTFS Alternate Data Streams, LNK shortcuts, hiberfil.sys, pagefile, slack space, VSS and Recycle Bin internals for Indian digital forensic examiners.
A Windows examiner who only knows the registry, event logs and prefetch is reading the loud half of the disk. The quiet half is where the interesting evidence usually lives. ShellBags survive after a USB stick is unplugged. Alternate Data Streams hide a megabyte of payload behind a zero-byte file. LNK shortcuts retain the MAC address of the host that created them even after the target is wiped. Hiberfil.sys carries a compressed RAM snapshot from days ago. Slack space holds the last cluster of a file that the user thought was overwritten. Volume Shadow Copies hold the file the user thought was deleted. Each of these is examinable with free tools, and each is a recurring source of marks in the digital forensics paper and in NFSU MSc vivas.
This topic is the second half of Windows artifact forensics, written for examiners who have already worked through registry hives, Event Logs and prefetch. It sits next to the first-responder volatility and imaging workflow that precedes any of this analysis, and feeds into data recovery and file carving for the deeper unallocated-space work. The framing throughout is Indian: CFSL Hyderabad's cyber wing triage workflow, state SFSL casework patterns, and the IT Act 2000 plus BSA 2023 Section 63 lens that defence counsel will apply when these artifacts are introduced in trial. We use Eric Zimmerman's command-line suite as the working toolkit because it is free, scriptable, and the de facto standard for SANS-style examination in Indian academic labs. The chain of custody work that wraps every artifact extraction is covered separately in chain of custody.
The registry remembers folders that the file system has forgotten.
ShellBags are the artifact that catches users who think unplugging a USB drive is enough. Whenever a user opens a folder in Explorer, Windows writes a record of that folder's view state (icon position, column widths, sort order) into the registry. The records persist in NTUSER.DAT under Software\Microsoft\Windows\Shell\BagMRU and \Bags, and in UsrClass.dat under the same path. The records are per-user, written even for folders on removable media, and survive long after the media is detached or the folder is deleted.
The forensic value is direct. ShellBags can prove that a specific folder existed on a specific drive at a specific time, even when no MFT entry survives because the drive was unplugged before imaging. In an internal data theft investigation at an Indian PSU bank in 2023, the absence of the alleged exfiltration drive at imaging was overcome by ShellBag records that named the drive's volume label, the folder structure on it, and the last-accessed timestamps for each folder.
The toolchain is short. Eric Zimmerman's ShellBagsExplorer is the GUI; SBECmd.exe is the headless command-line equivalent for batch work. Both parse BagMRU and Bags, reconstruct the folder hierarchy, and resolve the MRU (most recently used) ordering into a timeline.
SBECmd.exe -d "E:\Triage\Users\suspect\NTUSER.DAT" --csv .\out
SBECmd.exe -d "E:\Triage\Users\suspect\AppData\Local\Microsoft\Windows\UsrClass.dat" --csv .\out
The output CSV carries one row per folder, with the parent path reconstructed, the absolute path, the first-interacted and last-interacted timestamps, and the MRU position. The last-interacted timestamp is the field defence counsel will press: it shifts when the user re-opens the folder, so a single timestamp does not prove a single visit, but it does prove the folder was viewed at or after that time.
A file can carry a second file behind it, and dir won't tell you.
NTFS supports multiple named data streams per file. The default stream is what everyone sees as the file's content. A named stream is accessed with the syntax filename.txt:streamname, and from a normal directory listing it does not exist. The space it occupies counts against the volume but not against the visible file size.
The legitimate use most examiners meet first is Zone.Identifier. Every file Windows downloads from the internet gets a :Zone.Identifier stream attached with a small INI-format payload describing the source URL and the security zone. This is the Mark-of-the-Web (MOTW) mechanism. When a downloaded Office document throws a "Protected View" banner, MOTW is the reason.
The malicious uses are older than MOTW. A 2003 SANS paper documented iexplore.exe being hidden as c:\windows\system32\calc.exe:iexplore.exe. The technique has resurfaced in modern campaigns, including a wave of Indian banking-sector intrusions in 2022 where a credential stealer wrote its second-stage payload to a Zone.Identifier-shaped ADS on a benign-looking PDF in the Downloads folder. CERT-In's advisory CIAD-2022-0089 named the technique without naming the family.
| Tool | Platform | What it finds |
|---|---|---|
| dir /R | cmd.exe, Windows Vista+ | All ADS on visible files; size of each stream. |
| streams.exe (Sysinternals) | Windows | Named streams across a directory tree; can delete with -d. |
| LADS | Windows GUI | Legacy tool, GUI listing of ADS by directory. |
| AlternateStreamView (NirSoft) | Windows GUI | Recursive scan of a drive or path; size and timestamp per stream. |
| fsutil file streams | Windows admin cmd | Per-file enumeration of streams with size. |
A 1 KB file pinning the host MAC address to a deletion event.
LNK files are the Windows shortcut format. Windows creates them automatically in two folders the examiner cares about:
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\ for files opened in Explorer or via the Recent menu.
C:\Users\<user>\AppData\Roaming\Microsoft\Office\Recent\ for documents opened in Word, Excel and PowerPoint.
Each LNK file carries far more than the visible "shortcut to..." metadata. The on-disk format includes the absolute target path, the working directory, the target's MAC times at the moment the LNK was written, the target volume serial number, the volume label, the target file size, and a "tracking" block that records the source NetBIOS host name and, critically, the MAC address of the network interface the host was using when the LNK was created.
The MAC address is the part that catches people. A LNK file recovered from a suspect laptop can pin the suspect's hardware to a target file on a server share, because the LNK on the suspect machine carries that machine's own MAC address at creation time. Conversely, a LNK file recovered from a victim share names the host that opened the file. The Indian appellate record contains at least one cyber-stalking case (Karnataka, 2021) in which the trial court relied on LNK file MAC-address evidence to place the accused's laptop on the victim's shared drive.
LNK files survive after the target is deleted, because they are separate files in Recent\. They are also written when files are opened from removable media, which means a USB stick that was plugged in three months ago and never imaged still has an audit trail in Recent\ on the host.
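The tracking block described above can be parsed directly. The following is an added example, not code from the original page: it builds a constructed TrackerDataBlock (the MS-SHLLINK ExtraData block with signature 0xA0000003; the machine name, volume GUID, MAC address and timestamp are all invented) and then recovers the NetBIOS name, the creation time and the MAC from the version-1 file GUID, flagging the case where the GUID node is random rather than a NIC address.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_SIGNATURE = 0xA0000003           # ExtraData block signature (MS-SHLLINK)
UUID_EPOCH_OFFSET = 0x01B21DD213814000   # 100 ns ticks from 1582-10-15 to 1970-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def make_v1_guid(created: datetime, mac: str) -> bytes:
    """Build a version-1 (time-based) GUID in the little-endian on-disk GUID layout."""
    delta = created - UNIX_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    ticks += UUID_EPOCH_OFFSET
    time_hi = ((ticks >> 48) & 0x0FFF) | 0x1000          # version nibble = 1
    head = struct.pack("<IHH", ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF, time_hi)
    return head + struct.pack(">H", 0x8123) + bytes.fromhex(mac.replace(":", ""))


def parse_v1_guid(raw: bytes) -> dict:
    """Recover the creation time and node (MAC) embedded in a version-1 GUID."""
    time_low, time_mid, time_hi = struct.unpack("<IHH", raw[:8])
    if time_hi >> 12 != 1:
        raise ValueError("not a version-1 GUID: carries no timestamp or MAC")
    ticks = ((time_hi & 0x0FFF) << 48) | (time_mid << 32) | time_low
    node = raw[10:16]
    return {
        "created_utc": UNIX_EPOCH + timedelta(microseconds=(ticks - UUID_EPOCH_OFFSET) // 10),
        "mac": ":".join(f"{b:02x}" for b in node),
        # RFC 4122: a randomly generated node sets the multicast bit, so it is not a NIC address
        "mac_is_hardware": not (node[0] & 0x01),
    }


def parse_tracker_block(block: bytes) -> dict:
    """TrackerDataBlock: BlockSize, Signature, Length, Version, MachineID(16), Droid(32), DroidBirth(32)."""
    header = struct.unpack_from("<IIII", block, 0)
    if header != (0x60, TRACKER_SIGNATURE, 0x58, 0):
        raise ValueError("not a TrackerDataBlock")
    machine_id = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    # Droid = volume GUID + file GUID; the file GUID is the version-1 one carrying the MAC
    file_guid = parse_v1_guid(block[48:64])
    return {"machine_id": machine_id, "volume_id": str(uuid.UUID(bytes_le=block[32:48])), **file_guid}


def build_sample_block() -> bytes:
    """Constructed sample block (not from a real case) for the parser above."""
    created = datetime(2023, 6, 15, 10, 30, tzinfo=timezone.utc)
    volume = uuid.UUID("1f3a0c2e-7d41-4b5a-9e11-5c8a2d6f0b77").bytes_le   # constructed, random v4
    droid = volume + make_v1_guid(created, "00:11:22:33:44:55")             # constructed MAC
    return struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0) + b"WIN-SUSPECT".ljust(16, b"\x00") + droid + droid
```

On a real LNK the block is located by scanning the ExtraData section for the signature; the fields then carry the same meaning as in the constructed sample.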
Three files that bring volatile state back from the dead.
When Windows hibernates, it compresses the contents of RAM and writes the result to C:\hiberfil.sys. The compression is Xpress-Huffman and is documented; the format is parseable. Volatility (versions 2.6 and 3.x) handles hiberfil natively with the hibernation address space; Hibr2Bin from Comae converts a hiberfil.sys into a raw memory dump that any memory analysis tool can consume.
What survives in a hiberfil that does not survive in a normal live memory image is the most counterintuitive part of the topic. A live winpmem or Magnet RAM Capture acquisition gives you the current state of memory. A hiberfil from three days ago gives you the state at the moment of the last hibernation, which may include processes that have since exited, decrypted credentials that were swapped back out, and clipboard contents that were never re-touched. In an Indian state-police cybercrime investigation against an insurance-fraud ring in 2024, a hiberfil from a seized laptop yielded a Telegram session token that had been rotated out of live memory by the time the device was imaged.
The three places a 'deleted' file goes before it is really gone.
Slack space is what happens because clusters are bigger than files. A file of 100 bytes allocated to a 4 KB cluster leaves 4,096 - 100 = 3,996 bytes of slack at the end of the cluster. That slack carries whatever was there before. File slack is the formal term for the bytes between end-of-file and end-of-cluster. RAM slack is the narrower band between end-of-file and end-of-sector inside the last sector of the file, historically padded with zeroed bytes from RAM at write time. Drive slack is unallocated clusters within the volume that have not been zeroed.
What a real triage day looks like, end to end.
The artifact-by-artifact view is for learning. The casework view is integrated. A typical SFSL Mumbai cyber wing triage of a seized Windows laptop runs like this.
Which two registry hives carry ShellBag entries on a modern Windows 11 system?
The investigator's heuristic is to compare the visible file size against the on-disk size reported by streams.exe or fsutil. A 12 KB image whose primary stream is 12 KB and whose total on-disk allocation is 3.2 MB is hiding 3.2 MB behind a named stream. The stream content is then extracted with more < filename.txt:streamname > extracted.bin from cmd.exe, or with Get-Content -Stream streamname filename.txt from PowerShell.
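The size heuristic and the Zone.Identifier check from the ADS discussion, as an added example that is not part of the original page. The stream inventory is constructed to mirror the 12 KB versus 3.2 MB case, in the shape fsutil or streams.exe would report it; the file names, URLs and sizes are invented.

```python
import configparser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
MOTW_MAX_BYTES = 4096          # a genuine Zone.Identifier is a few INI lines, never megabytes

# Constructed inventory (stream name, size in bytes, leading bytes of content). Not from a real case.
SAMPLE_STREAMS = {
    "invoice.pdf": [
        ("::$DATA", 12_288, b"%PDF-1.7 ..."),
        (":Zone.Identifier:$DATA", 118,
         b"[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/\r\n"
         b"HostUrl=https://cdn.example.test/invoice.pdf\r\n"),
    ],
    "holiday.jpg": [
        ("::$DATA", 12_288, b"\xff\xd8\xff\xe0..."),
        (":Zone.Identifier:$DATA", 3_355_443, b"MZ\x90\x00\x03\x00\x00\x00..."),   # PE header, not INI
    ],
}


def parse_zone_identifier(payload: bytes):
    """Return the MOTW fields, or None if the bytes are not the INI text Windows writes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(payload.decode("utf-8"))
    except (UnicodeDecodeError, configparser.Error):
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    zone = sec.getint("ZoneId", fallback=-1)
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "unknown"),
            "host_url": sec.get("HostUrl"), "referrer_url": sec.get("ReferrerUrl")}


def triage_file(name: str, streams: list) -> dict:
    """Compare the visible (unnamed) stream with every named stream and classify each one."""
    visible = sum(size for sname, size, _ in streams if sname == "::$DATA")
    named = [s for s in streams if s[0] != "::$DATA"]
    findings, suspicious = [], False
    for sname, size, head in named:
        motw = parse_zone_identifier(head) if "Zone.Identifier" in sname else None
        if motw and size <= MOTW_MAX_BYTES:
            findings.append(f"{sname}: MOTW, zone {motw['zone']}, HostUrl {motw['host_url']}")
        else:
            suspicious = True      # named stream that is not plausible MOTW: extract and hash it
            findings.append(f"{sname}: {size} bytes of non-MOTW content hidden behind {name}")
    return {"file": name, "visible_bytes": visible, "hidden_bytes": sum(s[1] for s in named),
            "suspicious": suspicious, "findings": findings}
```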
pagefile.sys is virtual memory that Windows has paged out of RAM to disk. Anything that was in memory long enough to be paged is fair game: decrypted database keys, cleartext credentials a browser had open, fragments of network packets, parsed JSON tokens. bulk_extractor from Simson Garfinkel parses pagefile and swapfile alongside hiberfil and extracts the universe of structured strings: URLs, RFC822 headers, credit card numbers, AES key candidates, base64 blobs. The CFSL Hyderabad cyber wing standard triage is to run bulk_extractor on all three files before any deeper carving.
swapfile.sys is newer. Introduced in Windows 8.1, it backs the suspension of Universal Windows Platform (UWP) and modern Store apps. It is smaller than pagefile.sys and structured differently, but the same string-extraction approach works.
Volume Shadow Copies sit one layer up. The Volume Shadow Copy Service maintains block-level snapshots of NTFS volumes under C:\System Volume Information\. Each snapshot is a point-in-time view of the volume that lets the user roll back via System Restore. For an examiner, each snapshot is a recoverable copy of files that the current volume no longer has, or that have been overwritten with malicious content.
The standard toolchain is vshadowmount from the libvshadow project to mount each snapshot at a path on the analysis host, then any standard tool to analyse the mounted view. ShadowExplorer is the GUI for the same job. KAPE has a built-in VSS module that enumerates and exports snapshots in one run.
Recycle Bin under modern Windows lives at C:\$Recycle.Bin\<SID>\, where <SID> is the user's security identifier. Each deleted file becomes a pair: an $I file with metadata (original path, size, deletion timestamp) and an $R file with the content. Eric Zimmerman's RBCmd.exe parses the pair and outputs a CSV with original path, deletion time and recovered content reference.
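Parsing the $I record by hand, as an added example that is neither the page's nor RBCmd's code: it handles the version 1 (Vista/7) and version 2 (Windows 10+) layouts, converts the deletion FILETIME, and names the $R counterpart. The sample record, its path and its timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    """Parse one $I record: header is version, original size, deletion FILETIME (8 bytes each)."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # Vista / 7: fixed 260-character UTF-16 path field
        name_raw = data[24:24 + 520]
    elif version == 2:                    # Windows 10+: explicit length in UTF-16 code units, NUL included
        (name_len,) = struct.unpack_from("<I", data, 24)
        name_raw = data[28:28 + name_len * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    original_path = name_raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(deleted_ft), "original_path": original_path}


def r_counterpart(i_name: str) -> str:
    """$I<id>.<ext> carries the metadata; $R<id>.<ext> beside it carries the content."""
    if not i_name.startswith("$I"):
        raise ValueError("not an $I file name")
    return "$R" + i_name[2:]


def build_sample_i_file(version: int) -> bytes:
    """Constructed $I record (not from a real case) in either on-disk layout."""
    path = r"C:\Users\suspect\Documents\ledger.xlsx"
    name = (path + "\x00").encode("utf-16-le")
    deleted_ft = datetime_to_filetime(datetime(2024, 3, 1, 14, 5, tzinfo=timezone.utc))
    if version == 1:
        return struct.pack("<QQQ", 1, 204_800, deleted_ft) + name.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, 204_800, deleted_ft, len(path) + 1) + name
```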
The CFSL Hyderabad cyber wing has documented a similar workflow internally, with an additional step for malware triage using YARA scans across the artifact dump. For NFSU digital forensic examiners, the syllabus expects familiarity with KAPE, Magnet AXIOM, X-Ways, EnCase and FTK by name. KAPE is free and is what most state SFSLs are standardising on for triage; AXIOM and X-Ways are the paid analysis suites; EnCase and FTK are the legacy big two that older labs still own licences for.