Windows 7 forensics jump lists-rv3-public

Forensic Examination of Windows 7 Jump Lists
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3– Research|Readiness|Response

Windows 7 Jump Lists
What?
. . . users should be able to “jump” directly to those things they want to work with and start working with them in a single mouse click. To provide this functionality, Windows 7 Taskbar introduces the concept of “Jump Lists.”
. . . think of Jump Lists as your own mini Start Menu for your application.
http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx

Why?
Ramifications for forensic investigations:
History of items opened or modified by a particular application.
Similar to other Most Recently Used (MRU) or Most Frequently Used (MFU) artifacts.
But not based on shortcut (.LNK) files or registry stores.
Distinctive features:
Lists of MRU or MFU items organized by application.
List can retain several hundred items.
Items may remain on a list after their target is deleted from the volume.
Although items can be deleted from the lists, deletions can be detected.
Only a few items shown for any list; list can have hundreds more items than are shown.

When?
Jump Lists are likely to be worth investigating in detail, when:
A user’s historic activity is at issue.
What files, SharePoint sites, or Web pages have been opened or accessed.
There is a concern that data files have been deleted or moved.
To show knowledge or intent.
Search term hits occur within Jump List files.

Pinned category
Destinations
(“nouns”)
Known categories
Custom categories
User Tasks
Tasks
(“verbs”)
Taskbar Tasks

Pinned category
Destinations
(“nouns”)
Known categories
Custom categories
User Tasks
Tasks
(“verbs”)
Taskbar Tasks
User tasks and destinations are forms of links.

Jump List content is derived from two data files.
“Destination” files.
[AppID]automaticDestinations-ms
[AppID]customDestinations-ms

Automatic Destinations:
List of “destinations.”
Automatically populated by the system.
Based on calls to SHAddToRecentDocs.
Collects information about data file usage.
Records information in the Recent Items folder, and the “using” application’s automatic destination file.
Sorted by recency (MRU) or frequency (MFU).
C:Users[Profile]AppDataRoamingMicrosoftWindowsRecentAutomaticDestinations
Custom Destinations:
List of “destinations.”
Content maintained by the application.
Custom categories.
Tasks specific to the application.
Specified by the application using the ICustomDestinationList API.
C:Users[Profile]AppDataRoamingMicrosoftWindowsRecentCustomDestinations

Windows 7: Recent folder.
AutomaticDestinations folder.
CustomDestinations folder.
Shortcut (.lnk) files.

Note:
More automatic destination files.
Matched pairs share the same AppID
Custom destinations have temporary files.
And so on.

AppID is based on the process name or can be specified by the application.
Different command arguments for the same application may result in different AppIDs.
Applications can have more than one AppID.
The same process (with same command argument) should have the same AppID across systems.
AppID can be used to identify the application owning a destination file.
Permits the investigator to selectively investigate destination files.

Some AppIDs for common applications

Anatomy of the custom destination file.
One or more streams in the shell link file format.
http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx

Anatomy of the automatic destination file.
Structured Storage format.
http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
Containing one or more streams in the shell link file format.

Anatomy of the automatic destination file in a structured storage viewer: OffVis.

Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
Streams.
Higher number=more recent or more frequent.

Anatomy of the automatic destination file in a structured storage viewer:
DestList.
Order of presentation on the jump list.

Analysis of Custom Destination Files
Review the series of shell link items in a hex editor.
Or
Carve and parse:
Using a hex editor, carve out each shell link item, saving each to a separate file.
Use a link file parser to review the extracted shell link streams.
Some streams may not be complete shell items, e.g. paths.
Analysis of Automatic Destination Files
Parse the file with a structured storage viewer and review the 1) stream enumeration and 2) shell link streams.
Or
Carve and parse:
Using structured storage parser/viewer, extract each stream to a separate file.
Review the DestLisk with a hex editor.
Use a link file parser to review the extracted shell link streams.

Carve and parse: Custom destination file.
. . .
Carve shell link item and copy or export to file.

010 Editor with LNK template.

File properties of the extracted shell link item.

Carve and parse: Automatic Destination Files.
MiTec’s Structured Storage Viewer.
http://www.mitec.cz/ssv.html

Carve and parse: Automatic Destination Files.
MiTec’s Windows File Analyzer.
http://www.mitec.cz/wfa.html

Stream list from MiTec’s Structured Storage Viewer.
Items can be removed from a list. Removed items will leave gaps in the number sequence of the streams in the automatic destination file.

1
2
OffVis:
Defragment the file
Reparse to identify deleted items.

OffVis:
= deleted items.

Stream of a list item.

Stream of a removed item.

Quick review-automatic and custom destination files.
Jumplist File Extract.
http://www.regdat.com/

http://www.ctin.org	25
http://us-w1.rockmelt.com	3
http://twitter.com	1

Windows 7 forensics jump lists-rv3-public

by CTIN on Jun 06, 2011

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 29

Statistics

Windows 7 forensics jump lists-rv3-public — Presentation Transcript