In short, what I'd done is this...based on a previous Forensic Lunch, during which Joachim Metz discussed the existence of MFT file reference numbers within some of the shell item structures. Specifically, starting with Vista, shell items pointing to files and folders appear to contain MFT file reference numbers. This is mentioned not only in Joachim's Windows Shell Item format specification, but it's also described on Willi Ballenthin's Shellbags analysis page.
Accepting this, I wanted to validate the information and see what it looks like in the real world. Using FTK Imager Lite, I extracted the MFT and the USRCLASS.DAT hive file from my own Windows 7 system. Parsing the shellbags entries from the USRCLASS.DAT hive (using a customized RegRipper plugin), I was able to get a hex dump of specific shell items as all of the shellbags were being parsed. I redirected the output of the plugin to a file and selected specific entries for analysis. Figure 1 illustrates one of those entries.
Fig. 1: Sample Shell Item
The translated DOSDate times are as follows:
M: 2011-11-29 20:27:44
A: 2011-11-29 20:27:44
B: 2011-11-29 20:27:44
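As an added example (not the post's own code and not the RegRipper plugin), the Python below decodes the two fields discussed above from constructed sample bytes: a 4-byte DOSDate timestamp (2-byte FAT date followed by 2-byte FAT time, little-endian) and the 8-byte NTFS file reference (low 48 bits = MFT entry number, high 16 bits = sequence number). The byte values and the M/A/B labels in SAMPLE are constructed to reproduce the times shown above, not copied from Figure 1.

```python
import struct
from datetime import datetime
from typing import Dict, Optional, Tuple


def decode_dosdate(raw: bytes) -> Optional[datetime]:
    """Decode a 4-byte DOSDate/DOSTime value as stored in shell items.

    Layout (little-endian): 2-byte FAT date, then 2-byte FAT time.
    A zero date word means "no timestamp" and is returned as None
    (decoding it naively would raise, since month 0 is invalid).
    """
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None
    year = 1980 + (date >> 9)          # bits 9-15: years since 1980
    month = (date >> 5) & 0x0F         # bits 5-8
    day = date & 0x1F                  # bits 0-4
    hour = time >> 11                  # bits 11-15
    minute = (time >> 5) & 0x3F        # bits 5-10
    second = (time & 0x1F) * 2         # bits 0-4, 2-second granularity
    return datetime(year, month, day, hour, minute, second)


def decode_mft_reference(raw: bytes) -> Tuple[int, int]:
    """Split an 8-byte NTFS file reference into (entry number, sequence number)."""
    value = struct.unpack("<Q", raw)[0]
    return value & 0xFFFFFFFFFFFF, value >> 48


# Constructed sample fields (assumption: which field sits in the shell item
# body versus the 0xbeef0004 extension block follows the format specs cited
# in the post; the bytes themselves were built to match the times above).
SAMPLE: Dict[str, bytes] = {
    "M": bytes.fromhex("7d3f76a3"),             # 2011-11-29 20:27:44
    "A": bytes.fromhex("7d3f76a3"),
    "B": bytes.fromhex("7d3f76a3"),
    "mft_ref": bytes.fromhex("3412000000000300"),  # entry 0x1234, sequence 3
}


def decode_sample(fields: Dict[str, bytes] = SAMPLE) -> Dict[str, object]:
    """Decode every constructed field; timestamps as datetime, reference as a tuple."""
    out: Dict[str, object] = {
        key: decode_dosdate(val) for key, val in fields.items() if key != "mft_ref"
    }
    out["mft_ref"] = decode_mft_reference(fields["mft_ref"])
    return out


if __name__ == "__main__":
    for key, val in decode_sample().items():
        print(f"{key}: {val}")
```

DOSDate values carry no time zone and only 2-second resolution, so they will not match $MFT FILETIMEs exactly; when cross-checking against the extracted MFT, also compare the sequence number, since a mismatch means the MFT entry has since been reused for a different file.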