SeeShells is a configurable Windows desktop application which focuses on extracting specific Registry data known as ShellBags. SeeShells displays this information in a interactive timeline that highlights user events as they were recorded.
The goal of SeeShell is to assist digital forensics investigators in their course of actions and provide more information that can be used as evidence in a court of law.
In addition to the timeline, SeeShells provides exporting:
- CSV of all ShelBag information parsed.
- HTML representation of the timeline
- PDF for formal forensics reporting
SeeShells operates on both running machines (live) and registry hive files (offline).
- Windows Vista SP2 or newer
- NET Framework 4.6 or newer
JSON configuration files are used within the SeeShells application to provide information about Windows versions and their registry keys. This ensures that if any new discoveries are found in the future regarding ShellBag information, they can easily be updated in the configuration file, and the program can adjust accordingly.
See the Help Section for modifying SeeShells configurations.
- Sara Frackiewicz
- Klayton Killough @klaki892
- Aleksandar Stoyanov @AlekStoyanov
- Bridget Woodye @bridCquinn
- Yara As-Saidi @yara-58
- Spencer Ross @serspencer
- Jake Meyer @jaymey
- Josh Rueda @SecurityNoodle
- Devon Gadarowski @devon-gadarowski
- Kaylee Hoyt @hoytk6
- Richard Leinecker @RickLeinecker