Shellbags are UI elements that have been opened, are saved to the Windows registry, so that elements can be re-opened in the same state as when they were closed. This is useful, as it let’s you know what items have been opened and access in recent times.
sbag64.exe from TZWorks is great for this, and can be run against a regular image, or against a mounted partition.
In the case E01 images on Windows, mount the image with something like FTK, then run the following command:
sbags64.exe --partition -csv > image-shellbags.csv
An open-source alternative is http://www.williballenthin.com/forensics/shellbags/