How to extract shellbags from a harddrive image

Shellbags are records of UI elements (Explorer windows) that have been opened; they are saved to the Windows registry so that the elements can be re-opened in the same state as when they were closed. This is useful forensically, as it lets you know what items have been opened and accessed in recent times.

sbag64.exe from TZWorks is great for this and can be run against a regular image or against a mounted partition.

In the case of E01 images on Windows, mount the image with something like FTK, then run the following command:

sbag64.exe --partition -csv > image-shellbags.csv

An open-source alternative is http://www.williballenthin.com/forensics/shellbags/
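Added example (not code from this post, from TZWorks or from the linked project): a small Python sketch of what these parsers do first, ordering the BagMRU slots of a hive by the MRUListEx value so the most recently opened items come out first. The hive walker assumes the python-registry package (`Registry` module) and a UsrClass.dat or NTUSER.DAT copied off the mounted image; the decoders run on constructed bytes.

```python
import struct
from typing import Iterable, Iterator, List, Tuple

# Shellbags live under ...\Shell\BagMRU: each key holds one REG_BINARY value
# per child slot ("0", "1", ...) containing the folder's shell item, a matching
# subkey per slot, and an MRUListEx value giving the slots' recency order.
USRCLASS_ROOT = "Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"
NTUSER_ROOT = "Software\\Microsoft\\Windows\\Shell\\BagMRU"

def decode_mrulistex(raw: bytes) -> List[int]:
    """Little-endian uint32 slot numbers, most recent first, ending in 0xFFFFFFFF.
    Stops at the terminator; a truncated value simply yields what is there."""
    order: List[int] = []
    for (slot,) in struct.iter_unpack("<I", raw[: len(raw) - len(raw) % 4]):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order

def order_bag_children(mrulistex: bytes, child_names: Iterable[str]) -> List[str]:
    """Child key names in MRU order; slots absent from MRUListEx (or a missing
    MRUListEx) go last in numeric-ish order so nothing is silently dropped."""
    names = set(child_names)
    ranked: List[str] = []
    for slot in decode_mrulistex(mrulistex):
        if str(slot) in names and str(slot) not in ranked:
            ranked.append(str(slot))
    rest = sorted(names.difference(ranked), key=lambda n: (len(n), n))
    return ranked + rest

def shell_item_type(blob: bytes) -> int:
    """Class type byte of the first shell item in a slot's blob (0x1F = root,
    0x2F = volume, 0x31 = directory, 0x32 = file); -1 if the blob is too short."""
    return blob[2] if len(blob) >= 3 else -1

def walk_bagmru(hive_path: str, root: str = USRCLASS_ROOT) -> Iterator[Tuple[str, object, int]]:
    """Yield (slot path, key last-write timestamp, shell item type) in MRU order.
    Assumes python-registry is installed (hypothetical dependency for this example)."""
    from Registry import Registry  # pip install python-registry
    reg = Registry.Registry(hive_path)

    def walk(key, path):
        values = {v.name(): v.value() for v in key.values()}
        subkeys = {k.name(): k for k in key.subkeys()}
        for name in order_bag_children(values.get("MRUListEx", b""), subkeys):
            child = subkeys[name]
            yield f"{path}\\{name}", child.timestamp(), shell_item_type(values.get(name, b""))
            yield from walk(child, f"{path}\\{name}")

    return walk(reg.open(root), "BagMRU")
```

Decoding the shell item blobs into folder names is the larger job the linked tools handle; this only gives you the order and the key timestamps to triage which slots to decode first.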