I have also joined the forum to say thanks! I was playing with the ShellBag AnalyZer and PrivaZer last night. It meant I didn't get to bed until 2.30am and had to be up for work at 7am, but it was well worth it. I just hit the "clean" button and took out just under 7GB of info going back to 2008. I couldn't believe it, as all the other "privacy cleaner" type programs missed so much and didn't do as they claimed. As a slightly paranoid home user all I can say is that both programs are great!
Shellbag articles

For those of us (like me) who never even heard of this:
http://computer-forensics.sans.org/blog/2011/07/05/shellbags
http://windowsir.blogspot.com/2012/08/shellbag-analysis.html
http://www.tzworks.net/prototype_page.php?proto_id=14

OK, so now I'm nervous. Tried Privazer last night & very clear (to the limits of my knowledge); worked great!
@Privazer

Re ShellBag cleaning: would it be possible to include an option to NOT clean the items that control things like desktop repositions and resizes of windows etc., & just the privacy items instead?
The bottom line here is that it's impossible to reliably hide anything in Windows (or in any other OS, for that matter). Compartmentalization and isolation are the only reliable strategies.
Not sure whether Happy Monkey was demonstrating incriminating coincidence or decrypting. Reading the above, (OOH!) I wonder if we shouldn't have a forensics topic here or somewhere to let us share tidbits we discover. Of course we would be read by the white (black?) hats in the industry who would take immediate steps, but 'immediate' is quite a sliding criterion; re: Adobe, Microsoft, et al. response to malware, or the current 'imminent danger' spin. I guess we have to take the Rumsfeldian attitude, and do what we can. "But there are also unknown unknowns – the ones we don’t know we don’t know." Anybody track down that CLSID yet? It was in my Shellbag analysis; XP, 2.
That particular CLSID {CCE6191F-13B2-44FA-8D14-324728BEEF2C} is visible only to ShellBag Analyzer & Cleaner. I cannot find it with ShellBagsView. Does it mean that ShellBag Analyzer & Cleaner is a better tool than ShellBagsView?
I've had no success determining what that CLSID is. So far, it doesn't show on any of the virtual XP systems I've made, but it is present on a friend's XP unit. On my XP unit, that CLSID appears in slot 448 according to ShellBag Analyzer. For the same slot number, ShellBagsView displays "new folder" instead of the CLSID. Unlike other "new folder" entries displayed by both utilities, there's no path information of any kind. A question for those who see this entry and/or CLSID: are you, or have you in the past, used a ramdrive on that OS?
I've checked on 4 XP computers - ALL DELL. None of them had any ramdrive installed. Again, only ShellBag Analyzer shows that CLSID on all four computers. ShellBagsView finds nothing. Vista, Windows 7, and Windows 8 don't have that CLSID.
Re {CCE6191F-13B2-44FA-8D14-324728BEEF2C}: I did a thorough Registry search & cannot find it. I wonder if it's because I'm on XP/SP2, not SP3? And/or I do not have ANY MS updates on here since install? Also, ShellBag AnalyZer + Cleaner didn't find it, or ANY other Registry entries!
FWIW, after sorting ShellBag Analyzer entries by Slot Number and looking through the list I see very many cases where the Slot Numbers are in order of first access. So slots 5, 6, 7 are c:\x, c:\x\y, and c:\x\y\z because I started at x and walked down to z. Although a small percentage don't seem to fit with this theory, most do and perhaps it holds. By applying this principle and looking for nearby entries with Last Visit stamps that are oldest, I can zero in on when I first accessed something that I access every day. If you try to apply this to that CLSID entry, do you learn anything?
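The slot-number idea above can be checked against the registry directly. This is an added example, not the poster's work or PrivaZer's code: a read-only PowerShell script that walks the current user's BagMRU tree and prints each key's NodeSlot (the slot number) together with the child order recorded in MRUListEx. The three root paths are the standard ShellBag locations (Shell and ShellNoRoam, plus the UsrClass.dat copy under Local Settings on Windows 7 and later); whichever ones exist on the machine are used.

```powershell
# Added example: enumerate ShellBag NodeSlot numbers and MRUListEx order.
# Read-only: nothing is written or cleaned. Run as the user whose bags you inspect.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\BagMRU',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
)

function Get-MruOrder {
    # MRUListEx is a list of little-endian DWORDs naming the child values
    # ("0", "1", ...) most-recent-first, terminated by 0xFFFFFFFF.
    param([byte[]]$Bytes)
    $order = @()
    for ($i = 0; $i + 4 -le $Bytes.Length; $i += 4) {
        $n = [BitConverter]::ToUInt32($Bytes, $i)
        if ($n -eq 0xFFFFFFFF) { break }
        $order += $n
    }
    return $order
}

function Walk-BagMru {
    param([string]$KeyPath, [string]$Trail)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $slot = $key.GetValue('NodeSlot')      # index into the sibling Bags\<n> key
    $mru  = $key.GetValue('MRUListEx')     # byte[] or $null
    $order = if ($mru) { (Get-MruOrder $mru) -join ',' } else { '' }
    # Numeric value names are the binary shell items (one per subfolder seen);
    # the subkeys with the same names hold the next level of the tree.
    $items = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' }).Count
    [PSCustomObject]@{
        Trail    = $Trail
        NodeSlot = $slot
        Items    = $items
        MruOrder = $order
    }
    foreach ($sub in ($key.GetSubKeyNames() | Sort-Object { [int]$_ })) {
        Walk-BagMru -KeyPath (Join-Path $KeyPath $sub) -Trail "$Trail\$sub"
    }
}

$rows = foreach ($r in $roots) {
    if (Test-Path -LiteralPath $r) { Walk-BagMru -KeyPath $r -Trail $r }
}
# Sorting by NodeSlot lets you eyeball whether slots really follow first-access order.
$rows | Where-Object { $null -ne $_.NodeSlot } | Sort-Object NodeSlot | Format-Table -AutoSize
```

The Trail column shows the BagMRU key path (e.g. ...\BagMRU\0\1\3); to see the folder names behind it you still need a shell-item parser such as the tools discussed in this thread, since this script does not decode the binary items.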
Regarding Shellbag analyzer and cleaner - how can I check for updates? There is a "check updates" link in the GUI which leads to the home page with the latest version info, but how can I check which one I'm currently using? Short of going into file properties/details - or remembering it, both of which I'm not fond of doing.
Have a look on the top of the window of Shellbag AnalyZer + Cleaner. There you can see the version you are using.
It's my bad. I use Windows 8 with a dark title bar theme. There is no way to change the title bar text color on Win8, so it stays black, which makes it pretty much unreadable/invisible on dark backgrounds. I completely forgot that there's text on the title bar. Thanks for the tip.
For privacy concerns, I would suggest you clean with the default options of ShellBag AnalyZer + Cleaner, which were defined on purpose to preserve your privacy as well as your folder views:
- Shellbags of "Existing folders" are not cleaned, to preserve your folder views.
- Shellbags of "Deleted folders" are cleaned, to preserve your privacy.
- Shellbags of "Folders on network / external devices" are cleaned, to prevent recovery of your network / external device activities.
- Dates are scrambled for all existing folders, to prevent recovery of your folder activities.
Hope it helps.
@The PrivaZer Team: On an XP SP3 box I... mounted a network drive (FAT32 USB flash drive connected to router) as J, a vanilla FAT32 USB flash drive as K, created/mounted a local (on system partition) Truecrypt file container file as L, and created/mounted a Truecrypt encrypted USB flash drive partition as M. I created some folders on each and browsed them. Then I ran v1.5 and performed an analyze. No entries showed up for K, which kind of surprised me. Entries for J, L, and M did show up as expected. I then ran clean using default settings, and performed another analyze. The J, L, and M entries remained. I'm not sure why J entries remained since "Folders on network/external devices" is checked by default. The fact that L and M entries showed up isn't terribly surprising to me based on the thinking that Truecrypt can obscure what the underlying device/location is. They all are, however, the types of entries some people would want to purge while possibly wanting to keep other entries.

Is there support for NON-interactive use? I tried /?, -help, and --help cmdline parameters but received no help information that would explain how to specify cleaning options via cmdline. The ability to task schedule the program to periodically and automatically clean things using specific options would be very beneficial. So too, as touched upon above, would be the ability to specify finer grained *rules* so that only those entries of interest would be retained or deleted. Conceptually, someone might care more about preserving settings for Y:\blah\blah than purging those entries, while at the same time wanting entries for Z:\foo\foo to be purged no matter what. Some admins may also want to clean the bags for more than one user, in either an interactive fashion or a scheduled automatic fashion.

After cleaning with the "Existing folders" option also checked, it appears that all entries were deleted except "My Computer", "Recycle Bin", and "Search Results".
Attached is a partial screen cap showing what showed up after the more thorough clean. The items pointed to by red arrows have settings. I looked through the others and they appear to be mainly dangling intermediate keys you might say. I'd be curious to know why those keys remain. Thanks for the interesting tool and your participation here.
@TheWindBringeth
1. We will improve USB/network drives detection in v1.6
2. Command line will be added soon
3. "My Computer", "Recycle Bin", and "Search Results" belong to the "Control panel" ShellBags type, as I can see on your picture. Maybe we could add an option to remove "Control panel" ShellBags too
4. Better display of ShellBag AnalyZer version number
5. Improve usability for novice/advanced users (creation of "advanced options" section)
If someone needs anything else to be added to v1.6, please ask.
You might consider constraining the window size upon launch so that it doesn't go full screen (particularly on larger displays). A minor nuisance for those that don't like such behavior, I'd agree, but there are people who feel offended and even threatened when apps do that, for example when it momentarily hides important status information they like to keep in sight. You could, as an option, remember window aspects and other settings in a local configuration file and thus remain portable friendly.
Sure, we will add this and command line also. Improvements to implement in v1.6:
1. We will improve USB/network drives detection
2. Command line will be added soon
3. "My Computer", "Recycle Bin", and "Search Results" belong to the "Control panel" ShellBags type, as I can see on your picture. Maybe we could add an option to remove "Control panel" ShellBags too
4. Better display of ShellBag AnalyZer version number
5. Improve usability for novice/advanced users (creation of "advanced options" section)
6. Window size fix
7. Command line
I've downloaded some files from the MP3 player to my Windows 7 computer. After disconnecting, I ran ShellBag Analyzer & Cleaner three times, but couldn't get rid of one ShellBag MRU for that Sony MP3 player.