ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.
The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.
The basic format is a list, consisting of a (shell item) entry size value (field) and entry data.
There are multiple types of entries to specify different parts of the "path":
- network share
- file and directory
Some shell item entries contain date and time values which can be used in Timeline Analysis.