# Standards - Shellbag Forensics
## Standards
- NIST SP 800-86: Guide to Integrating Forensic Techniques
- SWGDE Best Practices for Computer Forensics
## Tools
- SBECmd (Eric Zimmerman): Command-line shellbag parser
- ShellBags Explorer (Eric Zimmerman): GUI shellbag viewer
- Registry Explorer (Eric Zimmerman): Registry hive analysis
## Registry Locations
- NTUSER.DAT: Software\Microsoft\Windows\Shell\BagMRU and Bags
- UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Bags
## MITRE ATT&CK
- T1083 - File and Directory Discovery
- T1005 - Data from Local System