Forensic Examination of Windows 7 Jump Lists
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3– Research|Readiness|Response
Windows 7 Jump Lists
• . . . users should be able to “jump” directly to those things they want to work with and start
working with them in a single mouse click. To provide this functionality, Windows 7 Taskbar
introduces the concept of “Jump Lists.”
• . . . think of Jump Lists as your own mini Start Menu for your application.
http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx
Windows 7 Jump Lists
Ramifications for forensic investigations:
– History of items opened or modified by a particular application.
• Similar to other Most Recently Used (MRU) or Most Frequently Used (MFU) artifacts.
• But not based on shortcut (.LNK) files or registry stores.
– Distinctive features:
• Lists of MRU or MFU items organized by application.
• List can retain several hundred items.
• Items may remain on a list after their target is deleted from the volume.
• Although items can be deleted from the lists, deletions can be detected.
• Only a few items shown for any list; list can have hundreds more items than are shown.
Windows 7 Jump Lists
Jump Lists are likely to be worth investigating in detail, when:
– A user’s historic activity is at issue.
• What files, SharePoint sites, or Web pages have been opened or accessed.
– There is a concern that data files have been deleted or moved.
– To show knowledge or intent.
– Search term hits occur within Jump List files.
Windows 7 Jump Lists
– Destinations (“nouns”):
• Known categories
• Custom categories
• Pinned category
– Tasks (“verbs”):
• User Tasks
• Taskbar Tasks
User tasks and destinations are forms of links.
Windows 7 Jump Lists
Jump List content is derived from two data files.
– “Destination” files.
• [AppID].automaticDestinations-ms
• [AppID].customDestinations-ms
Windows 7 Jump Lists
• Automatic Destinations:
– List of “destinations.”
– Automatically populated by the system.
– Based on calls to SHAddToRecentDocs.
• Collects information about data file usage.
• Records information in the Recent Items folder, and the “using” application’s automatic destination file.
• Sorted by recency (MRU) or frequency (MFU).
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Custom Destinations:
– List of “destinations.”
– Content maintained by the application.
• Custom categories.
• Tasks specific to the application.
– Specified by the application using the ICustomDestinationList API.
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Windows 7 Jump Lists
Windows 7: Recent folder.
– AutomaticDestinations folder.
– CustomDestinations folder.
– Shortcut (.lnk) files.
Note:
– More automatic destination files.
– Matched pairs share the same AppID.
– Custom destinations have temporary files.
– And so on.
Windows 7 Jump Lists
• AppID is based on the process name or can be specified by the application.
– Different command arguments for the same application may result in different AppIDs.
• Applications can have more than one AppID.
– The same process (with the same command argument) should have the same AppID across systems.
• AppID can be used to identify the application owning a destination file.
• Permits the investigator to selectively investigate destination files.
Windows 7 Jump Lists
Some AppIDs for common applications:

AppID              Application
1b4dd67f29cb1962   Explorer (task bar folder icon)
1bc392b8e104a00e   Remote Desktop
23646679aaccfae0   Adobe Reader 9 x64
271e609288e1210a   Access 2010 x86
28c8b86deab549a1   Internet Explorer x86
290532160612e071   WinRar x64
2b53c4ddf69195fc   Zune x64
3094cdb43bf5e9c2   OneNote 2010 x86
5da8f997fd5f9428   Internet Explorer x64
74d7f43c1561fc1e   Windows Media Player
9839aec31243a928   Excel 2010 x86
9b9cdc69c1c24e2b   Notepad x64
9c7cc110ff56d1bd   PowerPoint 2010 x86
a7bd71699cd38d1c   Word 2010 x86
b8c29862d9f95832   InfoPath 2010 x86
b91050d8b077a4e8   Windows Media Center x64
be71009ff8bb02a2   Outlook x86
d64d36b238c843a3   InfoPath 2010 x86
e36bfc8972e5ab1d   XPS Viewer
Windows 7 Jump Lists
Anatomy of the custom destination file.
– One or more streams in the shell link file format.
http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx
Windows 7 Jump Lists
Anatomy of the automatic destination file.
– Structured Storage format.
http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
– Containing one or more streams in the shell link file format.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: OffVis.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
• Streams.
• Higher number = more recent or more frequent.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer:
• DestList.
• Order of presentation on the jump list.
Windows 7 Jump Lists
Analysis of Custom Destination Files
• Review the series of shell link items in a hex editor.
Or
• Carve and parse:
– Using a hex editor, carve out each shell link item, saving each to a separate file.
– Use a link file parser to review the extracted shell link streams.
– Some streams may not be complete shell items, e.g. paths.
Analysis of Automatic Destination Files
• Parse the file with a structured storage viewer and review the 1) stream enumeration and 2) shell link streams.
Or
• Carve and parse:
– Using a structured storage parser/viewer, extract each stream to a separate file.
– Review the DestList with a hex editor.
– Use a link file parser to review the extracted shell link streams.
Windows 7 Jump Lists
Carve and parse: Custom destination file.
– Carve shell link item and copy or export to file.
Windows 7 Jump Lists
Carve and parse: Custom destination file.
– 010 Editor with LNK template.
Windows 7 Jump Lists
Carve and parse: Custom destination file.
– File properties of the extracted shell link item.
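The carve-and-parse workflow for custom destination files can be scripted. The following is an added example written for this page, not a tool from the slides: it scans a buffer for the shell link signature (HeaderSize 0x4C followed by the LinkCLSID defined in MS-SHLLINK), parses the header fields and the StringData that follow each hit, and flags records that are cut short, which the slides warn happens for some custom-destination streams. The sample blob is constructed inline rather than taken from a real system, and the helper `make_link` builds only the subset of the format needed to exercise the parser (no IDList and no LinkInfo, although the parser skips both when their flags are set).

```python
import struct
from datetime import datetime, timedelta, timezone

# Every shell link opens with HeaderSize 0x4C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk encoding.
LNK_SIGNATURE = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK) that decide which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means the field is not set."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so large values stay exact."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_link(buf):
    """Parse one shell link that starts at buf[0]. 'complete' is False when the record
    is cut short, which the slides note happens for some custom-destination streams."""
    rec = {"complete": False, "strings": {}}
    if len(buf) < HEADER_SIZE:
        return rec
    _, _, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", buf, 0)
    rec.update(flags=flags, file_attributes=attrs, file_size=size,
               created=filetime_to_datetime(ctime), accessed=filetime_to_datetime(atime),
               written=filetime_to_datetime(wtime))
    pos = HEADER_SIZE
    try:
        if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by the IDList
            pos += 2 + struct.unpack_from("<H", buf, pos)[0]
        if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) includes itself
            pos += struct.unpack_from("<I", buf, pos)[0]
        width = 2 if flags & IS_UNICODE else 1   # StringData is UTF-16 when IsUnicode is set
        for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                         (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                         (HAS_ICON_LOCATION, "icon_location")):
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", buf, pos)[0]
            raw = buf[pos + 2:pos + 2 + count * width]
            if len(raw) < count * width:
                raise struct.error("StringData runs past the end of the carved bytes")
            rec["strings"][key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    except struct.error:
        return rec                               # return what was recovered, flagged incomplete
    rec["complete"], rec["length"] = True, pos
    return rec


def carve_links(blob):
    """Locate every shell-link signature in blob and parse a record from each one."""
    results, start = [], blob.find(LNK_SIGNATURE)
    while start != -1:
        rec = parse_link(blob[start:])
        rec["offset"] = start
        results.append(rec)
        start = blob.find(LNK_SIGNATURE, start + len(LNK_SIGNATURE))
    return results


def make_link(relative_path, file_size, written_ft, flags=HAS_RELATIVE_PATH | IS_UNICODE):
    """Build a minimal shell link carrying only a RelativePath string (constructed test data)."""
    header = struct.pack("<I16sIIQQQIiIH10s", HEADER_SIZE, LNK_SIGNATURE[4:], flags,
                         0x20, 0, 0, written_ft, file_size, 0, 1, 0, b"\x00" * 10)
    return header + struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")


SAMPLE_WRITTEN = datetime(2010, 6, 15, 12, 0, tzinfo=timezone.utc)
# Constructed stand-in for a custom destination file: bytes that are not a link, two
# intact links, and a third link whose StringData has been cut off one byte in.
SAMPLE_BLOB = (b"\xab\x00\x00\x00"
               + make_link("..\\Documents\\budget.xlsx", 24576, to_filetime(SAMPLE_WRITTEN))
               + b"\x00" * 16
               + make_link("..\\Downloads\\report.pdf", 1048576, to_filetime(SAMPLE_WRITTEN))
               + make_link("..\\Documents\\notes.txt", 512, 0)[:HEADER_SIZE + 1])

if __name__ == "__main__":
    for r in carve_links(SAMPLE_BLOB):
        print(r["offset"], r["complete"], r["strings"].get("relative_path"), r["written"])
```

To run it against an acquired custom destination file, read the file into memory and pass the bytes to `carve_links`; the offsets it reports are the ones you would otherwise note in a hex editor before exporting each item.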
Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Structured Storage Viewer.
http://www.mitec.cz/ssv.html
Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Windows File Analyzer.
http://www.mitec.cz/wfa.html
Windows 7 Jump Lists
Items can be removed from a list. Removed items will leave gaps in the number sequence of the streams in the automatic destination file.
– Stream list from MiTec’s Structured Storage Viewer.
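As an added example that is not part of the original slides, the code below does in Python what the slides describe doing with a structured storage viewer: it reads the compound file header, loads the FAT, walks the directory sector chain to enumerate the streams, and then reports gaps in the numbered streams. Stream names in an automatic destination file are hexadecimal numbers (a property of the format, not something the slides state); DestList is the one non-numeric stream. `build_sample_file` constructs a minimal compound file with no stream data so the example runs offline, and the stream set with "4" missing is made up to stand in for a removed item. Reading the stream bodies and the DestList is left to a link file parser, as in the slides' workflow.

```python
import struct

CFB_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
UNUSED, STREAM, ROOT = 0, 2, 5            # directory entry object types (1 = storage)
DIR_ENTRY_SIZE = 128
HEX_DIGITS = set("0123456789abcdefABCDEF")


def read_directory_entries(data):
    """Return (name, object_type) for every allocated directory entry, in storage order.

    Loads the FAT from the DIFAT kept in the header (up to 109 FAT sectors, far more than a
    jump list needs) and follows the directory sector chain. Walking entries in storage
    order instead of through the red-black tree keeps the listing usable when the tree
    pointers are damaged."""
    if data[:8] != CFB_SIGNATURE:
        raise ValueError("not a compound (structured storage) file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 44)
    fat = []
    for sect in struct.unpack_from("<109I", data, 76)[:num_fat_sectors]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sect + 1) * sector_size))
    entries, sect, seen = [], first_dir_sector, set()
    while sect not in (ENDOFCHAIN, FREESECT) and sect not in seen:
        seen.add(sect)                        # a corrupted FAT must not loop forever
        base = (sect + 1) * sector_size       # sector 0 begins right after the header
        for i in range(sector_size // DIR_ENTRY_SIZE):
            e = data[base + i * DIR_ENTRY_SIZE: base + (i + 1) * DIR_ENTRY_SIZE]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            if obj_type != UNUSED:            # name_len counts the UTF-16 NUL terminator
                entries.append((e[:max(name_len - 2, 0)].decode("utf-16-le"), obj_type))
        sect = fat[sect]
    return entries


def jump_list_stream_report(entries):
    """Numbered streams are hexadecimal; a higher number is more recent or more frequent,
    and a missing number is a slot whose item was removed from the list."""
    numbers = sorted(int(n, 16) for n, t in entries
                     if t == STREAM and n and set(n) <= HEX_DIGITS)
    present = set(numbers)
    return {"streams": numbers,
            "newest": numbers[-1] if numbers else None,
            "removed_slots": [n for n in range(1, numbers[-1] + 1) if n not in present] if numbers else [],
            "has_destlist": any(n == "DestList" for n, t in entries if t == STREAM)}


def build_sample_file(stream_names):
    """Construct a minimal compound file whose directory looks like an automatic destination
    file: one FAT sector, a directory chain, no stream data. Test data, not a real artifact."""
    sector_size = 512

    def entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
        e = bytearray(DIR_ENTRY_SIZE)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, left, right, child)
        struct.pack_into("<IQ", e, 116, ENDOFCHAIN, 0)    # start sector and size: no data
        return bytes(e)

    names = list(stream_names) + ["DestList"]
    # Root's child is entry 1 and each entry's right sibling is the next one, which is a
    # valid (if unbalanced) tree as long as names are supplied in the format's sort order.
    dir_entries = [entry("Root Entry", ROOT, child=1)]
    dir_entries += [entry(n, STREAM, right=i + 1 if i < len(names) else NOSTREAM)
                    for i, n in enumerate(names, start=1)]
    directory = b"".join(dir_entries)
    n_dir = -(-len(directory) // sector_size)
    directory = directory.ljust(n_dir * sector_size, b"\x00")   # unused slots stay type 0
    fat = [FATSECT] + [k + 2 if k < n_dir - 1 else ENDOFCHAIN for k in range(n_dir)]
    fat += [FREESECT] * (sector_size // 4 - len(fat))
    header = bytearray(512)
    header[:8] = CFB_SIGNATURE
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<9I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    return bytes(header) + struct.pack("<128I", *fat) + directory


if __name__ == "__main__":
    sample = build_sample_file(["1", "2", "3", "5", "6", "7", "8", "9", "a", "b"])
    print(jump_list_stream_report(read_directory_entries(sample)))
```

The report lists the streams present, the highest number (the newest or most frequent item), and the numbers that are missing; on a real file the missing numbers are the slots to look for with the defragment-and-reparse step the OffVis slides describe.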
Windows 7 Jump Lists
OffVis:
– Defragment the file.
– Reparse to identify deleted items.
Windows 7 Jump Lists
OffVis:
= deleted items.
Windows 7 Jump Lists
Stream of a list item.
Windows 7 Jump Lists
Stream of a removed item.
Windows 7 Jump Lists
Quick review: automatic and custom destination files.
– Jumplist File Extract.
– http://www.regdat.com/
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Windows 7 forensics jump lists-rv3-public

• 1. Forensic Examination of Windows 7 Jump Lists
  Troy Larson
  Principal Forensics Program Manager
  TWC Network Security Investigations
  NSINV-R3 – Research|Readiness|Response

• 2. Windows 7 Jump Lists
  • . . . users should be able to “jump” directly to those things they want to work with and start working with them in a single mouse click. To provide this functionality, Windows 7 Taskbar introduces the concept of “Jump Lists.”
  • . . . think of Jump Lists as your own mini Start Menu for your application.
  http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx

• 3. Windows 7 Jump Lists
  Ramifications for forensic investigations:
  – History of items opened or modified by a particular application.
    • Similar to other Most Recently Used (MRU) or Most Frequently Used (MFU) artifacts.
    • But not based on shortcut (.LNK) files or registry stores.
  – Distinctive features:
    • Lists of MRU or MFU items organized by application.
    • A list can retain several hundred items.
    • Items may remain on a list after their target is deleted from the volume.
    • Although items can be deleted from the lists, deletions can be detected.
    • Only a few items are shown for any list; a list can have hundreds more items than are shown.

• 4. Windows 7 Jump Lists
  Jump Lists are likely to be worth investigating in detail when:
  – A user’s historic activity is at issue.
    • What files, SharePoint sites, or Web pages have been opened or accessed.
  – There is a concern that data files have been deleted or moved.
  – Knowledge or intent needs to be shown.
  – Search term hits occur within Jump List files.

• 5. Windows 7 Jump Lists
  Diagram labels: Destinations (“nouns”); Tasks (“verbs”); Known categories; Custom categories; User Tasks; Taskbar Tasks; Pinned category.

• 6. Windows 7 Jump Lists
  Diagram labels: Destinations (“nouns”); Tasks (“verbs”); Known categories; Custom categories; User Tasks; Taskbar Tasks; Pinned category.
  User tasks and destinations are forms of links.

• 7. Windows 7 Jump Lists
  Jump List content is derived from two data files.
  – “Destination” files.
    • [AppID].automaticDestinations-ms
    • [AppID].customDestinations-ms
• 8. Windows 7 Jump Lists
  • Automatic Destinations:
    – List of “destinations.”
    – Automatically populated by the system.
    – Based on calls to SHAddToRecentDocs.
      • Collects information about data file usage.
      • Records information in the Recent Items folder and in the “using” application’s automatic destination file.
      • Sorted by recency (MRU) or frequency (MFU).
    C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  • Custom Destinations:
    – List of “destinations.”
    – Content maintained by the application.
      • Custom categories.
      • Tasks specific to the application.
    – Specified by the application using the ICustomDestinationList API.
    C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
• 9. Windows 7 Jump Lists
  Windows 7: Recent folder.
  – AutomaticDestinations folder.
  – CustomDestinations folder.
  – Shortcut (.lnk) files.

• 10. Windows 7 Jump Lists

• 11. Windows 7 Jump Lists

• 12. Windows 7 Jump Lists
  Note:
  – More automatic destination files.
  – Matched pairs share the same AppID.
  – Custom destinations have temporary files. And so on.
• 13. Windows 7 Jump Lists
  • AppID is based on the process name, or can be specified by the application.
    – Different command arguments for the same application may result in different AppIDs.
  • Applications can have more than one AppID.
    – The same process (with the same command argument) should have the same AppID across systems.
  • AppID can be used to identify the application owning a destination file.
  • Permits the investigator to selectively investigate destination files.
• 14. Windows 7 Jump Lists
  Some AppIDs for common applications

  AppID             Application
  1b4dd67f29cb1962  Explorer (task bar folder icon)
  1bc392b8e104a00e  Remote Desktop
  23646679aaccfae0  Adobe Reader 9 x64
  271e609288e1210a  Access 2010 x86
  28c8b86deab549a1  Internet Explorer x86
  290532160612e071  WinRar x64
  2b53c4ddf69195fc  Zune x64
  3094cdb43bf5e9c2  OneNote 2010 x86
  5da8f997fd5f9428  Internet Explorer x64
  74d7f43c1561fc1e  Windows Media Player
  9839aec31243a928  Excel 2010 x86
  9b9cdc69c1c24e2b  Notepad x64
  9c7cc110ff56d1bd  PowerPoint 2010 x86
  a7bd71699cd38d1c  Word 2010 x86
  b8c29862d9f95832  InfoPath 2010 x86
  b91050d8b077a4e8  Windows Media Center x64
  be71009ff8bb02a2  Outlook x86
  d64d36b238c843a3  InfoPath 2010 x86
  e36bfc8972e5ab1d  XPS Viewer
• 15. Windows 7 Jump Lists
  Anatomy of the custom destination file.
  – One or more streams in the shell link file format.
  http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx

• 16. Windows 7 Jump Lists
  Anatomy of the automatic destination file.
  – Structured Storage format.
    http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
    http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
  – Containing one or more streams in the shell link file format.

• 17. Windows 7 Jump Lists
  Anatomy of the automatic destination file in a structured storage viewer: OffVis.

• 18. Windows 7 Jump Lists
  Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
  • Streams.
  • Higher number = more recent or more frequent.

• 19. Windows 7 Jump Lists
  Anatomy of the automatic destination file in a structured storage viewer:
  • DestList.
  • Order of presentation on the jump list.
• 20. Windows 7 Jump Lists
  Analysis of Custom Destination Files
  • Review the series of shell link items in a hex editor.
  Or
  • Carve and parse:
    – Using a hex editor, carve out each shell link item, saving each to a separate file.
    – Use a link file parser to review the extracted shell link streams.
    – Some streams may not be complete shell items, e.g. paths.
  Analysis of Automatic Destination Files
  • Parse the file with a structured storage viewer and review the 1) stream enumeration and 2) shell link streams.
  Or
  • Carve and parse:
    – Using a structured storage parser/viewer, extract each stream to a separate file.
    – Review the DestList with a hex editor.
    – Use a link file parser to review the extracted shell link streams.
• 21. Windows 7 Jump Lists
  Carve and parse: Custom destination file.
  . . . Carve shell link item and copy or export to file.

• 22. Windows 7 Jump Lists
  Carve and parse: Custom destination file.
  010 Editor with LNK template.

• 23. Windows 7 Jump Lists
  Carve and parse: Custom destination file.
  – File properties of the extracted shell link item.
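The carve-and-parse procedure for custom destination files (slides 20 to 23) can be scripted instead of done by hand in a hex editor. The following is an added example, not code from the presentation: it locates every shell link item by its header signature (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 from the MS-SHLLINK specification linked on slide 15), splits the file at those points, and reads the header timestamps, target size and StringData fields of each item. Items that are not complete shell items, which the slides warn about, are reported by offset only. The input file at the bottom is constructed for the example; the names, paths and dates in it are invented sample values, not data from a real customDestinations-ms file.

```python
"""Carve shell link (LNK) items out of a custom destination file and read the
header fields an examiner cares about. Standard library only; the input built
at the bottom is constructed for this example, not a real file."""
import struct
from datetime import datetime, timedelta, timezone

# A shell link begins with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, ShellLinkHeader).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_SIGNATURE = struct.pack("<I", 0x4C) + LNK_CLSID
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK) that decide which optional sections follow.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_shell_link(blob):
    """Parse the header and StringData of one shell link; raises if truncated."""
    if len(blob) < HEADER_SIZE or not blob.startswith(LNK_SIGNATURE):
        raise ValueError("not a complete shell link header")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", blob, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    item = {"flags": flags, "attributes": attrs, "target_size": size,
            "created": filetime_to_datetime(ctime),
            "accessed": filetime_to_datetime(atime),
            "written": filetime_to_datetime(wtime)}
    for bit, key in STRING_DATA:             # CountCharacters + characters
        if flags & bit:
            count = struct.unpack_from("<H", blob, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = blob[pos + 2:pos + 2 + width * count]
            if len(raw) != width * count:
                raise ValueError("truncated StringData")
            item[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + width * count
    item["length"] = pos                     # bytes consumed by this item
    return item


def carve_shell_links(data):
    """Split the file at every shell link signature and parse each piece."""
    offsets, start = [], 0
    while True:
        idx = data.find(LNK_SIGNATURE, start)
        if idx < 0:
            break
        offsets.append(idx)
        start = idx + 1
    items = []
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        try:
            item = parse_shell_link(data[off:end])
        except (ValueError, struct.error):
            item = {"error": "incomplete shell item"}   # e.g. a bare path
        item["offset"] = off
        items.append(item)
    return items


# --- constructed sample input (not a real customDestinations-ms file) -------
def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_sample_link(name, relative_path, written, size):
    """Minimal unicode shell link carrying only NAME_STRING and RELATIVE_PATH."""
    flags = 0x04 | 0x08 | IS_UNICODE
    ft = datetime_to_filetime(written)
    header = LNK_SIGNATURE + struct.pack("<IIQQQIiIHHII", flags, 0x20, ft, ft, ft,
                                         size, 0, 1, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (name, relative_path))
    return header + strings


WRITTEN = datetime(2011, 5, 2, 12, 0, tzinfo=timezone.utc)   # invented date
SAMPLE_CUSTOM_DESTINATIONS = (
    b"\x02\x00\x00\x00" + b"\x00" * 12       # filler standing in for the file header
    + build_sample_link("Quarterly report", "..\\Documents\\Q1.docx", WRITTEN, 40960)
    + b"\x00" * 8                            # filler between items
    + build_sample_link("Budget", "..\\Documents\\budget.xlsx", WRITTEN, 12288)
    + build_sample_link("cut", "x", WRITTEN, 1)[:40]   # deliberately truncated item
)

if __name__ == "__main__":
    for item in carve_shell_links(SAMPLE_CUSTOM_DESTINATIONS):
        print(item)
```

Because the carver splits only on the header signature, the last item in a file keeps whatever trailing bytes follow it; the parser stops at the end of StringData, so that does not affect the fields returned. ExtraData blocks (tracker, property store) that a full LNK parser would read are left to the link file parser the slides recommend.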
• 24. Windows 7 Jump Lists
  Carve and parse: Automatic Destination Files.
  MiTec’s Structured Storage Viewer. http://www.mitec.cz/ssv.html

• 25. Windows 7 Jump Lists
  Carve and parse: Automatic Destination Files.
  MiTec’s Windows File Analyzer. http://www.mitec.cz/wfa.html

• 26. Windows 7 Jump Lists
  Items can be removed from a list. Removed items will leave gaps in the number sequence of the streams in the automatic destination file.
  Stream list from MiTec’s Structured Storage Viewer.
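The deletion check on slide 26 (gaps in the stream numbering) and the DestList review on slides 19 and 20 can be combined into one script once the streams have been extracted with a structured storage viewer. The following is an added example, not code from the presentation. It assumes, as the slides show, that item streams are named with the hexadecimal entry number and that the index stream is named DestList; the DestList byte layout it reads (32-byte header, then per entry a 114-byte fixed part holding hostname at offset 72, entry number at 88, last-modified FILETIME at 100, pin status at 108 and UTF-16 path length at 112) is the Windows 7 version of the format from public reverse-engineering, which the slides themselves do not describe. The stream names and DestList bytes at the bottom are constructed; the hostname, user name and paths are invented sample values.

```python
"""Detect removed items from an automatic destination file's stream numbering
and parse its DestList index stream (Windows 7 layout). Stream names and the
DestList bytes are constructed here; in practice they are extracted with a
structured storage reader such as MiTec SSV or the olefile module."""
import struct
from datetime import datetime, timedelta, timezone

# Header: version, entry count, pinned count, float, last entry number,
# unknown, last revision number, unknown (32 bytes).
DESTLIST_HEADER = "<IIIfIIII"
DESTLIST_HEADER_SIZE = struct.calcsize(DESTLIST_HEADER)
ENTRY_FIXED_SIZE = 114          # checksum, four DROIDs, hostname, numbers, FILETIME, pin, path length
NOT_PINNED = -1
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def entry_numbers_from_streams(stream_names):
    """Item streams are named with the hexadecimal entry number."""
    return sorted(int(name, 16) for name in stream_names if name != "DestList")


def find_removed_items(stream_names, last_entry_number=0):
    """Numbers missing from the sequence 1..max are items removed from the list.
    The DestList header's last entry number extends the range so that a removed
    final item is also caught."""
    nums = entry_numbers_from_streams(stream_names)
    present = set(nums)
    top = max(max(nums, default=0), last_entry_number)
    return [n for n in range(1, top + 1) if n not in present]


def parse_destlist(data):
    """Return the DestList header fields and one dict per entry."""
    version, count, pinned, _, last_no, _, revision, _ = struct.unpack_from(DESTLIST_HEADER, data, 0)
    entries, pos = [], DESTLIST_HEADER_SIZE
    while pos + ENTRY_FIXED_SIZE <= len(data):
        hostname = data[pos + 72:pos + 88].split(b"\x00", 1)[0].decode("ascii", "replace")
        number, = struct.unpack_from("<I", data, pos + 88)
        modified, = struct.unpack_from("<Q", data, pos + 100)
        pin, = struct.unpack_from("<i", data, pos + 108)
        path_chars, = struct.unpack_from("<H", data, pos + 112)
        path = data[pos + 114:pos + 114 + 2 * path_chars].decode("utf-16-le")
        entries.append({"entry_number": number, "stream": format(number, "x"),
                        "hostname": hostname, "pinned": pin != NOT_PINNED,
                        "modified": FILETIME_EPOCH + timedelta(microseconds=modified // 10),
                        "path": path})
        pos += ENTRY_FIXED_SIZE + 2 * path_chars
    return {"version": version, "entry_count": count, "pinned_count": pinned,
            "last_entry_number": last_no, "revision": revision, "entries": entries}


def reconcile(stream_names, destlist):
    """Compare the index with the streams that actually exist in the file."""
    in_streams = set(entry_numbers_from_streams(stream_names))
    in_index = {e["entry_number"] for e in destlist["entries"]}
    return {"removed": find_removed_items(stream_names, destlist["last_entry_number"]),
            "indexed_without_stream": sorted(in_index - in_streams),
            "stream_without_index": sorted(in_streams - in_index)}


# --- constructed sample (not a real automaticDestinations-ms file) ----------
def _entry(number, hostname, path, modified, pin=NOT_PINNED):
    fixed = bytearray(ENTRY_FIXED_SIZE)
    struct.pack_into("<16s", fixed, 72, hostname.encode("ascii"))
    struct.pack_into("<I", fixed, 88, number)
    struct.pack_into("<Q", fixed, 100, ((modified - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)
    struct.pack_into("<i", fixed, 108, pin)
    struct.pack_into("<H", fixed, 112, len(path))
    return bytes(fixed) + path.encode("utf-16-le")


MODIFIED = datetime(2011, 5, 2, 12, 0, tzinfo=timezone.utc)     # invented date
SAMPLE_STREAMS = ["1", "2", "4", "5", "DestList"]                # stream 3 is gone
SAMPLE_DESTLIST = struct.pack(DESTLIST_HEADER, 1, 4, 1, 0.0, 5, 0, 9, 0) + b"".join([
    _entry(1, "WS-ALICE", "C:\\Users\\alice\\Documents\\notes.txt", MODIFIED),
    _entry(2, "WS-ALICE", "C:\\Users\\alice\\Documents\\budget.xlsx", MODIFIED, pin=0),
    _entry(4, "WS-ALICE", "C:\\Users\\alice\\Documents\\Q1.docx", MODIFIED),
    _entry(5, "WS-ALICE", "\\\\fileserver\\share\\plan.pptx", MODIFIED),
])

if __name__ == "__main__":
    destlist = parse_destlist(SAMPLE_DESTLIST)
    for entry in destlist["entries"]:
        print(entry["stream"], entry["modified"], entry["path"])
    print(reconcile(SAMPLE_STREAMS, destlist))
```

A gap reported by `find_removed_items` is the numbering evidence the slide describes; the OffVis defragment-and-reparse step on slides 27 and 28 is what may still recover the content of the removed stream.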
• 27. Windows 7 Jump Lists
  OffVis:
  – Defragment the file.
  – Reparse to identify deleted items.

• 28. Windows 7 Jump Lists
  OffVis: = deleted items.

• 29. Windows 7 Jump Lists
  Stream of a list item.

• 30. Windows 7 Jump Lists
  Stream of a removed item.

• 31. Windows 7 Jump Lists
  Quick review: automatic and custom destination files.
  – Jumplist File Extract.
  – http://www.regdat.com/

• 32. Windows 7 Jump Lists