Statements (33)
| Predicate | Object |
|---|---|
| gptkbp:instanceOf |
gptkb:Windows_artifact
|
| gptkbp:analyzes |
digital forensic investigators
|
| gptkbp:canBe |
timeline analysis
detecting deleted folders identifying external device usage user activity reconstruction |
| gptkbp:canBeParsedBy |
forensic tools
RegRipper SANS SIFT Workstation ShellBags Explorer |
| gptkbp:category |
digital forensics
Windows internals |
| gptkbp:firstAppearance |
gptkb:Windows_XP
|
| gptkbp:foundIn |
gptkb:Windows_Registry
|
| gptkbp:operatingSystem |
gptkb:Microsoft_Windows
|
| gptkbp:presentIn |
gptkb:Windows_8
gptkb:Windows_10 gptkb:Windows_11 gptkb:Windows_7 gptkb:Windows_Vista |
| gptkbp:registryPath |
HKEY_USERS\<SID>\Software\Microsoft\Windows\Shell\BagMRU
HKEY_USERS\<SID>\Software\Microsoft\Windows\Shell\Bags |
| gptkbp:storesInformationAbout |
Windows Explorer folder views
user folder access |
| gptkbp:supportedBy |
deleted folders
folder structure folders accessed by user timestamps of folder access |
| gptkbp:type |
binary
|
| gptkbp:usedFor |
forensic analysis
|
| gptkbp:bfsParent |
gptkb:KAPE
|
| gptkbp:bfsLayer |
8
|
| https://www.w3.org/2000/01/rdf-schema#label |
Shellbags
|