Shellbags: parse UsrClass.dat

[ctrlaltca]

Hi, i've tried to use the Parse_Shellbags module and it works fine, but it seems to only load entries from ntuser.dat registry hive found on the user's profile directory. From my experience, most of the of shellbags entries are found in the %localappdata%\Microsoft\Windows\UsrClass.dat file inside the user profile. I've tried a dirty filename change at https://github.com/markmckinnon/Autopsy-Plugins/blob/master/Parse_Shellbags/Shellbag_Parser.py#L139 and it seems to work just fine. Can you possibly integrate a change to have both ntuser.dat and usrclass.dat scanned when running the module? Thank you

[markmckinnon]

I have added the usrclass.dat file to the list of files to process. Pull a new copy of the shellbag_parser.py script and you should be all set. If there are any problems let me know otherwise please close the issue if it is complete. Thanks for drawing my attention to it so I can fix it.

Mark

[ctrlaltca]

Tested the new version, it works just fine. Thank you!