ShellBag Plugins Reporting Created Time As Accessed Time

[GoogleCodeExporter]

When running the two ShellBags plugins -- ShellBags.py and ShellBagMRU.py -- 
against an NTUSER.DAT file, I noticed that it appeared to be reporting the same 
timestamp in the "Accessed" and "Created" columns. 

In comparing the output of these plugins to other tools, I determined that it 
appeared that the "Created" timestamp was being used to populate the "Accessed" 
timestamp for each shellbag entry.  

In reviewing the underlying code for these plugins, I identified lines of code 
where it appeared that the accessed time value was being set using 
cls.convert_DOS_datetime_to_UTC, the Created timestamps were being passed to 
cls.convert_DOS_datetime_to_UTC instead of the Accessed timestamps.

I've attached a patch that I believe corrects this problem.

What steps will reproduce the problem?
1. Run ShellBags.py and ShellBagMRU.py against an NTUSER.DAT file

What is the expected output? What do you see instead?
Expected output is different values in "Accessed" and "Created" columns; 
produced output has "Created" timestamp in both columns.

What version of the product are you using? On what operating system?
Registry Decoder 1.4 SVN R103 on Windows XP

Please provide any additional information below.
Patch attached.

Original issue reported on code.google.com by ja...@nvkmail.com on 28 Aug 2012 at 12:05

Attachments:

• shellbags_accessed.patch

[GoogleCodeExporter]

Original comment by atc...@gmail.com on 29 Aug 2012 at 1:24

[GoogleCodeExporter]

Thank you for bringing this to my attention.
Complete oversight on my part.
I've patched the code in R105 to fix the creation date/accessed date issue in 
ShellBagMRU, StreamMRU and ShellBags plugins.
Thanks again!

Original comment by Moor...@gmail.com on 6 Sep 2012 at 1:39

[GoogleCodeExporter]

Original comment by atc...@gmail.com on 21 Sep 2012 at 6:23

• Changed state: Fixed