In an effort to consolidate some of the information regarding RegRipper in one consistent location, I started the RegRipper Google Code site. My hope is that this will provide a much more stable means for folks to find information regarding RegRipper.
Note: If you're going to use this plugin, and not use the EXE versions of the RegRipper tools (i.e., you're using the Perl scripts), be sure to update your copy of the Parse::Win32Registry module. The easiest way to do this, if you're using ActiveState Perl, is to use PPM:
C:\perl>ppm update parse-win32registry
Okay, so why would you care about viewing/analyzing this "shell bags" information? As mentioned here (albeit four years ago...), this information can point you toward a user's access to external storage devices, including external drives, shares, and network resources. I've seen that it can also include devices such as iPods and digital cameras. Fifth Sentinel talks about these artifacts here, and Alissa Torres has talked a great deal about these artifacts at SANS events. If your case involves determining a user's access to resources, this information can be extremely valuable, not only in and of itself, but also when included in or acting as a pivot or reference point during timeline analysis. Combine this information with other data, including documents/files that the user accessed, removable devices connected to the system, Jump Lists, etc., and you can build a pretty interesting picture of user activity. Another thing I really like about this artifact, as well as what's provided via the appcompatcache.pl plugin, is that the data persists well after the original resource is no longer available, and some of the data structures include embedded time stamps.