Windows 7 forensics jump lists-rv3-public: Presentation Transcript

  • Forensic Examination of Windows 7 Jump Lists
    Troy Larson
    Principal Forensics Program Manager
    TWC Network Security Investigations
    NSINV-R3 – Research | Readiness | Response
  • Windows 7 Jump Lists
    What?
    . . . users should be able to “jump” directly to those things they want to work with and start working with them in a single mouse click. To provide this functionality, Windows 7 Taskbar introduces the concept of “Jump Lists.”
    . . . think of Jump Lists as your own mini Start Menu for your application.
    http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx
  • Windows 7 Jump Lists
    Why?
    Ramifications for forensic investigations:
    History of items opened or modified by a particular application.
    Similar to other Most Recently Used (MRU) or Most Frequently Used (MFU) artifacts.
    But not based on shortcut (.LNK) files or registry stores.
    Distinctive features:
    Lists of MRU or MFU items organized by application.
    List can retain several hundred items.
    Items may remain on a list after their target is deleted from the volume.
    Although items can be deleted from the lists, deletions can be detected.
    Only a few items shown for any list; list can have hundreds more items than are shown.
  • Windows 7 Jump Lists
    When?
    Jump Lists are likely to be worth investigating in detail when:
    A user’s historic activity is at issue.
    What files, SharePoint sites, or Web pages have been opened or accessed.
    There is a concern that data files have been deleted or moved.
    To show knowledge or intent.
    Search term hits occur within Jump List files.
  • Windows 7 Jump Lists
    Pinned category
    Destinations
    (“nouns”)
    Known categories
    Custom categories
    User Tasks
    Tasks
    (“verbs”)
    Taskbar Tasks
  • Windows 7 Jump Lists
    Pinned category
    Destinations
    (“nouns”)
    Known categories
    Custom categories
    User Tasks
    Tasks
    (“verbs”)
    Taskbar Tasks
    User tasks and destinations are forms of links.
  • Windows 7 Jump Lists
    Jump List content is derived from two data files.
    “Destination” files.
    [AppID].automaticDestinations-ms
    [AppID].customDestinations-ms
  • Windows 7 Jump Lists
    Automatic Destinations:
    List of “destinations.”
    Automatically populated by the system.
    Based on calls to SHAddToRecentDocs.
    Collects information about data file usage.
    Records information in the Recent Items folder, and the “using” application’s automatic destination file.
    Sorted by recency (MRU) or frequency (MFU).
    C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
    Custom Destinations:
    List of “destinations.”
    Content maintained by the application.
    Custom categories.
    Tasks specific to the application.
    Specified by the application using the ICustomDestinationList API.
    C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
  • Windows 7 Jump Lists
    Windows 7: Recent folder.
    AutomaticDestinations folder.
    CustomDestinations folder.
    Shortcut (.lnk) files.
  • Windows 7 Jump Lists
  • Windows 7 Jump Lists
  • Windows 7 Jump Lists
    Note:
    More automatic destination files.
    Matched pairs share the same AppID.
    Custom destinations have temporary files.
    And so on.
  • Windows 7 Jump Lists
    AppID is based on the process name or can be specified by the application.
    Different command arguments for the same application may result in different AppIDs.
    Applications can have more than one AppID.
    The same process (with same command argument) should have the same AppID across systems.
    AppID can be used to identify the application owning a destination file.
    Permits the investigator to selectively investigate destination files.
  • Windows 7 Jump Lists
    Some AppIDs for common applications
  • Windows 7 Jump Lists
    Anatomy of the custom destination file.
    One or more streams in the shell link file format.
    http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx
  • Windows 7 Jump Lists
    Anatomy of the automatic destination file.
    Structured Storage format.
    http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
    http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
    Containing one or more streams in the shell link file format.
  • Windows 7 Jump Lists
    Anatomy of the automatic destination file in a structured storage viewer: OffVis.
  • Windows 7 Jump Lists
    Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
    Streams.
    Higher number = more recent or more frequent.
  • Windows 7 Jump Lists
    Anatomy of the automatic destination file in a structured storage viewer:
    DestList.
    Order of presentation on the jump list.
  • Windows 7 Jump Lists
    Analysis of Custom Destination Files
    Review the series of shell link items in a hex editor.
    Or
    Carve and parse:
    Using a hex editor, carve out each shell link item, saving each to a separate file.
    Use a link file parser to review the extracted shell link streams.
    Some streams may not be complete shell items, e.g. paths.
    Analysis of Automatic Destination Files
    Parse the file with a structured storage viewer and review the 1) stream enumeration and 2) shell link streams.
    Or
    Carve and parse:
    Using structured storage parser/viewer, extract each stream to a separate file.
    Review the DestList with a hex editor.
    Use a link file parser to review the extracted shell link streams.
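The carve-and-parse workflow for custom destination files, as an added Python example that is not part of the presentation: it scans a file for the shell link header signature (HeaderSize 0x4C followed by the LinkCLSID), decodes each item's header fields, the LocalBasePath from LinkInfo and the StringData, and reports items whose signature is present but whose structure is cut off, the incomplete streams the slide mentions. The field layout follows MS-SHLLINK; the file bytes, `build_lnk` and `build_sample_custom_destinations` are constructed fixtures so the script runs offline, not real artifacts.

```python
"""Carve shell link items from a customDestinations-ms file and decode them.
Added example; the sample data is constructed, the layout follows MS-SHLLINK."""
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader begins with HeaderSize 0x4C and LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_SIGNATURE = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]   # StringData order
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME (100 ns units since 1601-01-01 UTC) -> aware datetime; 0 means unset."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601      # integer arithmetic: float seconds lose precision at 1e17 ticks
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_lnk(buf, pos=0):
    """Decode one shell link at buf[pos]; ValueError if the item is incomplete
    (the slides warn that some carved streams are not complete shell items)."""
    if len(buf) - pos < 76 or buf[pos:pos + 20] != LNK_SIGNATURE:
        raise ValueError("no complete shell link header at offset %d" % pos)
    try:
        flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", buf, pos + 20)
        item = {"offset": pos, "flags": flags, "attributes": attrs, "size": size,
                "created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
                "written": filetime_to_datetime(wtime), "local_path": None, "strings": {}}
        cur = pos + 76
        if flags & HAS_LINK_TARGET_ID_LIST:               # skip IDListSize + IDList
            cur += 2 + struct.unpack_from("<H", buf, cur)[0]
        if flags & HAS_LINK_INFO:                         # LinkInfo: sizes, flags, offsets
            info_size, _, info_flags, _, lbp_off = struct.unpack_from("<IIIII", buf, cur)
            if info_flags & 0x01:                         # VolumeIDAndLocalBasePath
                start = cur + lbp_off
                item["local_path"] = buf[start:buf.index(b"\x00", start)].decode("cp1252")
            cur += info_size
        for bit, key in STRING_FLAGS:                     # CountCharacters + characters
            if flags & bit:
                count = struct.unpack_from("<H", buf, cur)[0]
                width = 2 if flags & IS_UNICODE else 1
                raw = buf[cur + 2:cur + 2 + count * width]
                item["strings"][key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
                cur += 2 + count * width
    except (struct.error, ValueError) as exc:
        raise ValueError("truncated shell link at offset %d" % pos) from exc
    if cur > len(buf):
        raise ValueError("truncated shell link at offset %d" % pos)
    item["end"] = cur
    return item


def carve_shell_links(data):
    """Find every header signature, parse what follows, and keep scanning past
    items that turn out to be partial so they are reported rather than hidden."""
    items, partial = [], []
    pos = data.find(LNK_SIGNATURE)
    while pos != -1:
        try:
            item = parse_lnk(data, pos)
            items.append(item)
            pos = data.find(LNK_SIGNATURE, item["end"])
        except ValueError:
            partial.append(pos)
            pos = data.find(LNK_SIGNATURE, pos + 1)
    return items, partial


def build_lnk(local_path, written, size, name=""):
    """Constructed minimal item: header, LinkInfo (VolumeID + LocalBasePath) and an
    optional NAME_STRING. Real items usually also carry an IDList and extra data blocks."""
    ft = datetime_to_filetime(written)
    flags = HAS_LINK_INFO | IS_UNICODE | (0x04 if name else 0)
    header = LNK_SIGNATURE + struct.pack("<IIQQQIIIHHII", flags, 0x20, ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"   # DRIVE_FIXED, serial, empty label
    path = local_path.encode("cp1252") + b"\x00"
    info = struct.pack("<IIIIIII", 0x1C + len(volume) + len(path) + 1, 0x1C, 0x01,
                       0x1C, 0x1C + len(volume), 0, 0x1C + len(volume) + len(path))
    strings = struct.pack("<H", len(name)) + name.encode("utf-16-le") if name else b""
    return header + info + volume + path + b"\x00" + strings


def build_sample_custom_destinations():
    """Constructed file: filler, two complete items, then one cut off after 40 bytes."""
    t1 = datetime(2011, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
    t2 = datetime(2011, 3, 15, 17, 0, 0, tzinfo=timezone.utc)
    first = build_lnk(r"C:\Users\alice\Documents\report.docx", t1, 51200, name="report.docx")
    second = build_lnk(r"C:\Users\alice\Downloads\budget.xlsx", t2, 8192)
    return b"\x00" * 16 + first + b"\x00" * 8 + second + build_lnk(r"C:\tmp\cut.txt", t2, 1)[:40]


if __name__ == "__main__":
    items, partial = carve_shell_links(build_sample_custom_destinations())
    for it in items:
        print(it["offset"], it["written"], it["size"], it["local_path"], it["strings"])
    print("partial items at offsets:", partial)
```

Running the script prints the two decoded items (offset, write time, target size, local path, string data) and the offset of the cut-off item. On a real file the same carve loop simply runs over the file bytes; each `partial` offset is where a hex editor review should start, since the signature is there but the item does not parse to its end.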
  • Windows 7 Jump Lists
    Carve and parse: Custom destination file.
    . . .
    Carve shell link item and copy or export to file.
  • Windows 7 Jump Lists
    Carve and parse: Custom destination file.
    010 Editor with LNK template.
  • Windows 7 Jump Lists
    Carve and parse: Custom destination file.
    File properties of the extracted shell link item.
  • Windows 7 Jump Lists
    Carve and parse: Automatic Destination Files.
    MiTec’s Structured Storage Viewer.
    http://www.mitec.cz/ssv.html
  • Windows 7 Jump Lists
    Carve and parse: Automatic Destination Files.
    MiTec’s Windows File Analyzer.
    http://www.mitec.cz/wfa.html
  • Windows 7 Jump Lists
    Stream list from MiTec’s Structured Storage Viewer.
    Items can be removed from a list. Removed items will leave gaps in the number sequence of the streams in the automatic destination file.
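Detecting the gaps programmatically, as an added Python example, not code from the presentation: it walks the structured storage directory of an automatic destination file to enumerate stream names (the list that Structured Storage Viewer displays), then reports the numbers missing from the hex-numbered entry streams. The compound file is constructed inline with empty streams so the script runs offline; `build_sample_automatic_destinations` and the sample stream names are assumptions, and the reader only handles the FAT reachable from the header DIFAT, which is enough for files of a few megabytes.

```python
"""List the streams of an automatic destination file (structured storage) and
flag gaps in the numbered sequence. Added example with constructed sample data."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM, STREAM_OBJECT, ROOT_OBJECT = 0xFFFFFFFF, 2, 5


def list_streams(data):
    """Names of every stream, in directory order, read by following the directory
    sector chain through the FAT (FAT sectors taken from the header DIFAT, which
    covers up to 109 FAT sectors, about 6.8 MB of file at 512-byte sectors)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a structured storage file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    dir_start = struct.unpack_from("<I", data, 0x30)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(n):                         # sector 0 starts right after the header
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    fat = []
    for s in difat:
        if s == FREESECT:
            break
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), sector(s)))

    names, s = [], dir_start
    while s != ENDOFCHAIN:                 # each directory sector holds 128-byte entries
        block = sector(s)
        for off in range(0, sector_size, 128):
            name_len, obj_type = struct.unpack_from("<HB", block, off + 64)
            if obj_type == STREAM_OBJECT:  # name length counts the UTF-16 terminator
                names.append(block[off:off + name_len - 2].decode("utf-16-le"))
        s = fat[s]
    return names


def removed_entry_numbers(stream_names):
    """Entry streams are named with hex numbers; 'DestList' is the index stream.
    Numbers absent from 1..max are the gaps left by removed items."""
    present = []
    for name in stream_names:
        try:
            present.append(int(name, 16))
        except ValueError:
            continue                       # DestList or another non-entry stream
    present.sort()
    have = set(present)
    missing = [n for n in range(1, present[-1] + 1) if n not in have] if present else []
    return present, missing


def _dir_entry(name, obj_type, child=NOSTREAM, right=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<HBBIII", entry, 64, len(raw), obj_type, 1, NOSTREAM, right, child)
    struct.pack_into("<I", entry, 116, ENDOFCHAIN)       # empty stream: no data sectors
    return bytes(entry)


def build_sample_automatic_destinations(stream_names):
    """Constructed minimal v3 compound file (512-byte sectors): one FAT sector, then
    directory sectors holding the root storage and one empty stream per name."""
    ss = 512
    header = bytearray(ss)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, shifts
    struct.pack_into("<IIIII", header, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<III", header, 0x40, 0, ENDOFCHAIN, 0)             # no mini FAT / DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))      # FAT lives in sector 0
    entries = [_dir_entry("Root Entry", ROOT_OBJECT, child=1)]
    for i, name in enumerate(stream_names, start=1):
        entries.append(_dir_entry(name, STREAM_OBJECT, right=i + 1 if i < len(stream_names) else NOSTREAM))
    n_dir = -(-len(entries) // 4)
    directory = b"".join(entries).ljust(n_dir * ss, b"\x00")
    chain = [FATSECT] + [k + 1 for k in range(1, n_dir)] + [ENDOFCHAIN]
    fat_sector = struct.pack("<128I", *(chain + [FREESECT] * (128 - len(chain))))
    return bytes(header) + fat_sector + directory


if __name__ == "__main__":
    sample = build_sample_automatic_destinations(["1", "2", "3", "5", "6", "7", "8", "9", "a", "c", "DestList"])
    names = list_streams(sample)
    present, missing = removed_entry_numbers(names)
    print("streams:", names)
    print("entries present:", present, "gaps (removed items):", missing)
```

On the constructed sample the output lists entries 1 to 12 with 4 and 11 missing; on a real file, `list_streams(open(path, "rb").read())` gives the same listing the viewer shows, and each gap is a stream number to look for in the file's unallocated sectors, the step the OffVis defragment-and-reparse slides perform by hand.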
  • Windows 7 Jump Lists
    OffVis:
    1) Defragment the file.
    2) Reparse to identify deleted items.
  • Windows 7 Jump Lists
    OffVis:
    = deleted items.
  • Windows 7 Jump Lists
    Stream of a list item.
  • Windows 7 Jump Lists
    Stream of a removed item.
  • Windows 7 Jump Lists
    Quick review: automatic and custom destination files.
    Jumplist File Extract.
    http://www.regdat.com/
  • Windows 7 Jump Lists