ATTENTION: The new home of the Digital Forensics Wiki is at https://forensicswiki.xyz/. Yeah, it's a silly name, but it was cheap.
This wiki will be going offline permanently in the near future. An exact date will be announced soon. Thank you for being a part of this community.
If you wish to work on the new forensicswiki, please join the Google Group forensicswiki-reborn
The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.
The basic format is a list, consisting of a (shell item) entry size value (field) and entry data.
There are multiple types of entries to specify different parts of the "path":
- network share
- file and directory
Some shell item entries contain date and time values which can be used in Timeline Analysis.