There are many weird and wonderful registry entries that I have yet to know about that could contain useful forensics information. One of the most recent that I’ve learnt about is the shellbag entries. These keys are stored in the user’s ntuser.dat file, and store the viewing settings for the user’s folders – e.g. the size, position and icon of a folder. Whilst folder sizes might not be useful, it does mean that every folder the user has visited at least once is stored in the registry; thereby giving a full account of all folders accessed, including network drives and removable storage drives. William Ballenthin gives a good account of how the shellbags are stored in the registry, and it’s pretty complicated... no simple way of getting the folder structures out.
Conveniently, he has also written a lovely Python script which you can download on his GitHub account that parses out the shellbag entries for you. I noticed that some of the stuff the Python script spits out is superfluous, and it also just prints out to screen. I therefore forked his script and removed some of the output and then made the script output to a CSV file with timestamps Excel would understand. You can download my version of the script on my GitHub account.
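To illustrate the CSV step, here is an added example (it is not Ballenthin's script or the fork mentioned above): it converts the two timestamp encodings found in shellbag data, the registry key's FILETIME and the DOS date/time pairs inside shell items, into a format Excel recognises, and prefixes folder names that Excel would otherwise evaluate as formulas. The record layout, field names and sample values are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC), e.g. a key's last-write time."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dosdate_to_dt(date, time):
    """16-bit DOS date/time pair from a shell item; None if zeroed or invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:  # month 0, day 0, hour 24+, seconds 60+ ...
        return None

def excel_ts(dt):
    """'YYYY-MM-DD HH:MM:SS' is recognised by Excel as a date-time; empty if unknown."""
    return dt.strftime("%Y-%m-%d %H:%M:%S") if dt else ""

def safe_cell(text):
    """Folder names are evidence-controlled: stop Excel evaluating them as formulas."""
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def shellbags_to_csv(records):
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["path", "key_last_write_utc", "created", "modified"])
    for r in records:
        w.writerow([safe_cell(r["path"]),
                    excel_ts(filetime_to_dt(r["key_ft"])),
                    excel_ts(dosdate_to_dt(*r["created"])),
                    excel_ts(dosdate_to_dt(*r["modified"]))])
    return out.getvalue()

# Constructed sample records (hypothetical layout), not real evidence.
SAMPLE = [
    {"path": r"E:\holiday photos", "key_ft": 129067776000000000,
     "created": (0x3C21, 0x6000), "modified": (0x3C21, 0x6ACF)},
    {"path": "=1+1", "key_ft": 129067776000000000,
     "created": (0, 0), "modified": (0x3C21, 0x6000)},
]

if __name__ == "__main__":
    print(shellbags_to_csv(SAMPLE), end="")
```

The DOS fields carry no timezone, so they are written as stored; only the key's last-write time is known to be UTC.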