{"id":17260634,"url":"https://github.com/williballenthin/shellbags","last_synced_at":"2025-05-08T19:37:36.417Z","repository":{"id":1905544,"uuid":"2832673","full_name":"williballenthin/shellbags","owner":"williballenthin","description":"Cross-platform, open-source shellbag parser","archived":false,"fork":false,"pushed_at":"2023-01-31T17:43:54.000Z","size":323,"stargazers_count":149,"open_issues_count":3,"forks_count":36,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-05-04T05:02:12.366Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/williballenthin.png","metadata":{"files":{"readme":"README.txt","changelog":"CHANGELOG.txt","contributing":null,"funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-11-23T02:12:46.000Z","updated_at":"2025-04-28T08:35:41.000Z","dependencies_parsed_at":"2023-02-16T21:45:42.185Z","dependency_job_id":null,"html_url":"https://github.com/williballenthin/shellbags","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/williballenthin%2Fshellbags","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/williballenthin%2Fshellbags/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/williballenthin%2Fshellbags/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/williballenthin%2Fshellbags/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/williballenthin","download_url":"https://codeload.github.com/williballenthin/shellbags/tar.gz/refs/heads/maste
r","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253135953,"owners_count":21859708,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-15T07:48:52.528Z","updated_at":"2025-05-08T19:37:36.365Z","avatar_url":"https://github.com/williballenthin.png","language":"Python","funding_links":[],"categories":["Forensics"],"sub_categories":[],"readme":"\nshellbags.py\n===============\n\nIntroduction\n------------\nshellbags.py is a cross-platform, open-source shellbag parser.\nThe webpage\nhttp://www.williballenthin.com/forensics/shellbags/index.html\ndescribes the algorithm in detail.\nNote that shellbags.py was originally developed as a sample\nfor python-registry, so this repository is a fork that contains\nthe python-registry history through version v0.2.4.1.\nThe initial shellbags.py tag v0.5.\n\nDependencies\n------------\nshellbags.py requires Python2.7, argparse, six and python-registry.\n\nUsage\n-----\nshellbags.py accepts the path to a raw Windows Registry hive.\nThis hive should be acquired forensically.\nTo ensure interoperability, output is formatted according to the Bodyfile specification by default.\n\nParameters:\nusage: shellbags.py [-h] [-v] [-p] [-o {csv,bodyfile}] file [file ...]\n\nParse Shellbag entries from a Windows Registry.\n\npositional arguments:\n  file        Windows Registry hive file(s)\n\noptional arguments:\n  -h, --help  show this help message and exit\n  -v          Print debugging information while parsing\n  -p          If debugging messages are enabled, augment the formatting with\n    
          ANSI color codes\n  -o {csv,bodyfile}  Output format: csv or bodyfile; default is bodyfile\n\nExample: \n$ python shellbags.py ~/projects/registry-files/willi/xp/NTUSER.DAT.copy0\n0|\\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200\n0|\\My Documents\\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456\n0|\\My Documents\\My Dropbox (Shellbag)|0|0|0|0|0|1281989096|1282762296|18000|1281989050\n0|\\My Documents\\My Music (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987154\n0|\\My Documents\\My Pictures (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987152\n0|\\My Documents\\My Dropbox (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200\n0|\\My Documents\\My Dropbox\\Tools (Shellbag)|0|0|0|0|0|1281989092|1281989092|18000|1281989088\n0|\\My Documents\\My Dropbox\\Tools\\Windows (Shellbag)|0|0|0|0|0|1281989140|1281989140|18000|1281989092\n0|\\My Documents\\My Dropbox\\Tools\\Windows\\7zip (Shellbag)|0|0|0|0|0|1281993604|1284668784|18000|1281989140\n0|\\My Documents\\My Dropbox\\Tools\\Windows\\Adobe (Shellbag)|0|0|0|0|0|1281994956|1284668784|18000|1281989140\n0|\\My Documents\\My Dropbox\\Tools\\Windows\\Bitpim (Shellbag)|0|0|0|0|0|1281994656|1284668784|18000|1281989140\n\nWanted\n------\n*) Bug reports.\n*) Feedback.\n\nLicense\n-------\nshellbags.py is released under the Apache 2.0 license.\n\nSources\n-------\n1) \"Using shellbag information to reconstruct user activities\" by \n   Yuandong Zhu, Pavel Gladyshev, and Joshua James which may be\n   accessed at http://www.dfrws.org/2009/proceedings/p69-zhu.pdf\n2) \"MiTeC Registry Analyzer\" by Allan S Hay, which may be accessed at\n   http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf\n3) \"sbag\" by TZWorks, which may be accessed at \n   http://www.tzworks.net/prototype_page.php?proto_id=14\n4) \"Shell BAG Format Analysis\" by Yogesh Khatri, which may be accessed\n   at https://42llc.net/?p=385\n5) \"Windows Shell Item format specification\" by 
Joachim Metz, which\n   may be accessed at http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf\n   \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwilliballenthin%2Fshellbags","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwilliballenthin%2Fshellbags","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwilliballenthin%2Fshellbags/lists"}