Forensic Examination of
Windows 7 Jump Lists
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3– Research|Readiness|Response
Windows 7 Jump Lists
• . . . users should be able to “jump” directly to those things they want to work with and start
working with them in a single mouse click. To provide this functionality, Windows 7 Taskbar
introduces the concept of “Jump Lists.”
• . . . think of Jump Lists as your own mini Start Menu for your application.
http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx
Windows 7 Jump Lists
Ramifications for forensic investigations:
– History of items opened or modified by a particular application.
• Similar to other Most Recently Used (MRU) or Most Frequently Used (MFU) artifacts.
• But not based on shortcut (.LNK) files or registry stores.
– Distinctive features:
• Lists of MRU or MFU items organized by application.
• List can retain several hundred items.
• Items may remain on a list after their target is deleted from the volume.
• Although items can be deleted from the lists, deletions can be detected.
• Only a few items shown for any list; list can have hundreds more items than are shown.
Windows 7 Jump Lists
Jump Lists are likely to be worth investigating in detail, when:
– A user’s historic activity is at issue.
• What files, SharePoint sites, or Web pages have been opened or accessed.
– There is a concern that data files have been deleted or moved.
– To show knowledge or intent.
– Search term hits occur within Jump List files.
Windows 7 Jump Lists
Jump List components (slide diagram, labels only):
– Destinations (“nouns”): Known categories, Custom categories, Pinned category.
– Tasks (“verbs”): User Tasks, Taskbar Tasks.
User tasks and destinations are forms of links.
Windows 7 Jump Lists
Jump List content is derived from two data files, the “destination” files:
• [AppID].automaticDestinations-ms
• [AppID].customDestinations-ms
Windows 7 Jump Lists
• Automatic Destinations:
– List of “destinations.”
– Automatically populated by the system.
– Based on calls to SHAddToRecentDocs.
• Collects information about data file usage.
• Records information in the Recent Items folder, and the “using” application’s automatic destination file.
• Sorted by recency (MRU) or frequency (MFU).
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Custom Destinations:
– List of “destinations.”
– Content maintained by the application.
• Custom categories.
• Tasks specific to the application.
– Specified by the application using the ICustomDestinationList API.
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Windows 7 Jump Lists
Windows 7: Recent folder.
– AutomaticDestinations folder.
– CustomDestinations folder.
– Shortcut (.lnk) files.
Windows 7 Jump Lists
Note:
– More automatic destination files.
– Matched pairs share the same AppID.
– Custom destinations have temporary files.
And so on.
Windows 7 Jump Lists
• AppID is based on the process name or can be specified by the application.
– Different command arguments for the same application may result in different AppIDs.
• Applications can have more than one AppID.
– The same process (with same command argument) should have the same AppID across systems.
• AppID can be used to identify the application owning a destination file.
• Permits the investigator to selectively investigate destination files.
Windows 7 Jump Lists
Some AppIDs for common applications:
AppID             Application
1b4dd67f29cb1962  Explorer (task bar folder icon)
1bc392b8e104a00e  Remote Desktop
23646679aaccfae0  Adobe Reader 9 x64
271e609288e1210a  Access 2010 x86
28c8b86deab549a1  Internet Explorer x86
290532160612e071  WinRar x64
2b53c4ddf69195fc  Zune x64
3094cdb43bf5e9c2  OneNote 2010 x86
5da8f997fd5f9428  Internet Explorer x64
74d7f43c1561fc1e  Windows Media Player
9839aec31243a928  Excel 2010 x86
9b9cdc69c1c24e2b  Notepad x64
9c7cc110ff56d1bd  PowerPoint 2010 x86
a7bd71699cd38d1c  Word 2010 x86
b8c29862d9f95832  InfoPath 2010 x86
b91050d8b077a4e8  Windows Media Center x64
be71009ff8bb02a2  Outlook x86
d64d36b238c843a3  InfoPath 2010 x86
e36bfc8972e5ab1d  XPS Viewer
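The triage the last two slides describe (matched pairs share an AppID; the AppID tells the investigator which application owns a destination file, so only the interesting files need detailed review), as an added example that is not part of the deck: it takes a constructed Recent folder listing, splits each destination file name into AppID and type, looks the AppID up in a subset of the table above, and reports matched pairs and unknown AppIDs. It assumes the on-disk names take the form `AppID.automaticDestinations-ms` / `AppID.customDestinations-ms` (16 hex digits, dot separator); `0123456789abcdef` is a made-up AppID used to show the unknown case.

```python
"""Triage the destination files in a Windows 7 Recent folder by AppID.
Added example for this deck; not the author's tooling."""
import re
from collections import defaultdict

# Subset of the AppID table on the slide above.
KNOWN_APPIDS = {
    "1b4dd67f29cb1962": "Explorer (task bar folder icon)",
    "28c8b86deab549a1": "Internet Explorer x86",
    "5da8f997fd5f9428": "Internet Explorer x64",
    "9839aec31243a928": "Excel 2010 x86",
    "9b9cdc69c1c24e2b": "Notepad x64",
    "a7bd71699cd38d1c": "Word 2010 x86",
    "be71009ff8bb02a2": "Outlook x86",
}

# Assumed on-disk naming: <16 hex digits>.automaticDestinations-ms or
# <16 hex digits>.customDestinations-ms (dot separator).
DEST_FILE_RE = re.compile(
    r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.IGNORECASE
)


def parse_destination_name(filename):
    """Return (appid, 'automatic' | 'custom'), or None for anything else,
    e.g. the .lnk shortcuts that share the Recent folder."""
    match = DEST_FILE_RE.match(filename)
    if match is None:
        return None
    return match.group(1).lower(), match.group(2).lower()


def triage(filenames):
    """Group destination files by AppID and annotate each group with the
    owning application (if known) and whether the automatic and custom
    files form a matched pair."""
    kinds_by_appid = defaultdict(set)
    for name in filenames:
        parsed = parse_destination_name(name)
        if parsed is None:
            continue
        appid, kind = parsed
        kinds_by_appid[appid].add(kind)

    rows = []
    for appid in sorted(kinds_by_appid):
        kinds = kinds_by_appid[appid]
        rows.append({
            "appid": appid,
            "application": KNOWN_APPIDS.get(
                appid, "UNKNOWN (identify from process name / command line)"),
            "automatic": "automatic" in kinds,
            "custom": "custom" in kinds,
            "matched_pair": kinds == {"automatic", "custom"},
        })
    return rows


# Constructed directory listing; 0123456789abcdef is a made-up AppID.
SAMPLE_LISTING = [
    "a7bd71699cd38d1c.automaticDestinations-ms",
    "a7bd71699cd38d1c.customDestinations-ms",
    "9b9cdc69c1c24e2b.automaticDestinations-ms",
    "0123456789abcdef.customDestinations-ms",
    "quarterly-report.docx.lnk",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LISTING):
        flag = "" if row["appid"] in KNOWN_APPIDS else "  <-- review"
        print(f"{row['appid']}  automatic={row['automatic']}  custom={row['custom']}  "
              f"pair={row['matched_pair']}  {row['application']}{flag}")
```

Unknown AppIDs are where the manual work starts: the slide notes that the same process with the same command line should yield the same AppID across systems, so a known-good machine running the suspect application is the quickest way to resolve one.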
Windows 7 Jump Lists
Anatomy of the custom destination file.
– One or more streams in the shell link file format.
http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx
Windows 7 Jump Lists
Anatomy of the automatic destination file.
– Structured Storage format.
http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
– Containing one or more streams in the shell link file format.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: OffVis.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
• Streams.
• Higher number = more recent or more frequent.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer:
• DestList.
• Order of presentation on the jump list.
Windows 7 Jump Lists
Analysis of Custom Destination Files
• Review the series of shell link items in a hex editor.
Or
• Carve and parse:
– Using a hex editor, carve out each shell link item, saving each to a separate file.
– Use a link file parser to review the extracted shell link streams.
– Some streams may not be complete shell items, e.g. paths.
Analysis of Automatic Destination Files
• Parse the file with a structured storage viewer and review the 1) stream enumeration and 2) shell link streams.
Or
• Carve and parse:
– Using a structured storage parser/viewer, extract each stream to a separate file.
– Review the DestList with a hex editor.
– Use a link file parser to review the extracted shell link streams.
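The “carve and parse” step for a custom destination file, as an added example that is not the deck’s own procedure (the slides do it with a hex editor and a link file parser): it scans a buffer for the ShellLinkHeader signature (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 from the MS-SHLLINK specification linked above), cuts each item at the next signature, and decodes the header’s link flags, FILETIME stamps and target size. An item too short to hold the 76-byte header is flagged as incomplete, which is how the “not a complete shell item” case shows up. The input is a constructed byte string, not a real file: the leading zero bytes stand in for whatever precedes the first link, the bytes after each header are filler, and nothing past the header is parsed.

```python
"""Carve shell link (LNK) items out of a customDestinations-ms buffer and
summarise each item's header. Added example; not the deck's own tooling."""
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader starts with HeaderSize 0x0000004C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_SIGNATURE = struct.pack("<I", 0x4C) + LNK_CLSID
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3.
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 76 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

HAS_LINK_TARGET_ID_LIST = 0x1  # LinkFlags bit A
HAS_LINK_INFO = 0x2            # LinkFlags bit B


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def carve_lnk_items(data):
    """Return (offset, chunk) for every signature hit. Each chunk runs to the
    next signature or end of buffer, which is what carving in a hex editor
    gives you: the last chunk keeps any trailing non-link bytes."""
    offsets = []
    pos = data.find(LNK_SIGNATURE)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LNK_SIGNATURE, pos + len(LNK_SIGNATURE))
    items = []
    for i, start in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        items.append((start, data[start:end]))
    return items


def parse_lnk_header(chunk):
    """Decode the fixed 76-byte ShellLinkHeader; flag short chunks."""
    if len(chunk) < HEADER_LEN:
        return {"complete": False, "length": len(chunk)}
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, chunk[:HEADER_LEN])
    return {
        "complete": hdr_size == HEADER_LEN and clsid == LNK_CLSID,
        "length": len(chunk),
        "link_flags": flags,
        "has_id_list": bool(flags & HAS_LINK_TARGET_ID_LIST),
        "has_link_info": bool(flags & HAS_LINK_INFO),
        "file_attributes": attrs,
        "created": filetime_to_datetime(ctime) if ctime else None,
        "accessed": filetime_to_datetime(atime) if atime else None,
        "written": filetime_to_datetime(wtime) if wtime else None,
        "target_size": fsize,
    }


def analyse_custom_destinations(data):
    return [dict(offset=off, **parse_lnk_header(chunk))
            for off, chunk in carve_lnk_items(data)]


def _make_header(created, written, size, flags):
    """Build a constructed ShellLinkHeader (FileAttributes 0x20 = ARCHIVE,
    ShowCommand 1 = SW_SHOWNORMAL)."""
    ft = datetime_to_filetime
    return struct.pack(HEADER_FMT, HEADER_LEN, LNK_CLSID, flags, 0x20,
                       ft(created), ft(written), ft(written), size, 0, 1, 0, 0, 0, 0)


# Constructed sample: two complete items followed by a truncated one.
T1 = datetime(2010, 1, 5, 9, 30, tzinfo=timezone.utc)
T2 = datetime(2010, 2, 14, 17, 0, tzinfo=timezone.utc)
SAMPLE_FILE = (
    b"\x00" * 12                                                 # placeholder prefix
    + _make_header(T1, T1, 4096, HAS_LINK_TARGET_ID_LIST) + b"\x10\x00" + b"\xaa" * 16
    + _make_header(T2, T2, 70_000, HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO) + b"\xbb" * 40
    + LNK_SIGNATURE + b"\xcc" * 10                               # header cut short
)

if __name__ == "__main__":
    for item in analyse_custom_destinations(SAMPLE_FILE):
        print(item)
```

Carved items that pass the header check are the ones worth feeding to a full link file parser for the ID list, link info and string data; the incomplete ones still deserve a look in the hex editor, since even a bare path fragment can name a target.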
Windows 7 Jump Lists
Carve and parse: Custom destination file.
. . .
Carve shell link item and copy or export to file.
Windows 7 Jump Lists
Carve and parse: Custom destination file. 010 Editor with LNK template.
Windows 7 Jump Lists
Carve and parse: Custom destination file.
– File properties of the extracted shell link item.
Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Structured Storage Viewer.
http://www.mitec.cz/ssv.html
Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Windows File Analyzer.
http://www.mitec.cz/wfa.html
Windows 7 Jump Lists
Items can be removed from a list. Removed items will leave gaps in the number sequence of the streams in the automatic destination file.
Stream list from MiTec’s Structured Storage Viewer.
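The gap check the slide describes, as an added example that is not from the deck: given the stream names a structured storage viewer lists for an automaticDestinations-ms file, it converts them to entry numbers and reports which numbers are missing, and which stream is the highest-numbered (the most recent or most frequent item, per the earlier slide). It assumes that stream names are hexadecimal entry numbers starting at 1 (so “a” follows “9” and “10” is sixteen) alongside the DestList stream; the sample list is constructed.

```python
"""Find removed Jump List items from stream-number gaps in an
automaticDestinations-ms file. Added example; not the deck's own tooling."""


def numbered_streams(stream_names):
    """Return (sorted entry numbers, names that were not hex numbers).
    Assumption: item streams are named with hexadecimal entry numbers,
    so names must be sorted numerically, not as strings."""
    numbers, unexpected = [], []
    for name in stream_names:
        if name.lower() == "destlist":
            continue
        try:
            numbers.append(int(name, 16))
        except ValueError:
            unexpected.append(name)
    return sorted(numbers), unexpected


def find_gaps(stream_names, first_entry=1):
    """Entry numbers missing between first_entry and the highest present."""
    numbers, _ = numbered_streams(stream_names)
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(first_entry, numbers[-1] + 1) if n not in present]


def summarise(stream_names):
    numbers, unexpected = numbered_streams(stream_names)
    gaps = find_gaps(stream_names)
    return {
        "entries_present": len(numbers),
        "highest_entry": numbers[-1] if numbers else 0,
        "most_recent_or_frequent_stream": format(numbers[-1], "x") if numbers else None,
        "removed_entry_numbers": gaps,
        "removed_count": len(gaps),
        "has_destlist": any(n.lower() == "destlist" for n in stream_names),
        "unexpected_streams": unexpected,
    }


# Constructed stream enumeration, as a viewer would list it.
SAMPLE_STREAMS = ["1", "2", "3", "5", "8", "9", "a", "b", "d", "10", "DestList"]

if __name__ == "__main__":
    report = summarise(SAMPLE_STREAMS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note that a plain string sort of the names would place “10” before “2” and hide the fact that it is the newest stream; converting to integers first avoids that, and the gaps list gives the investigator the exact entry numbers to look for when reparsing the file for deleted streams.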
Windows 7 Jump Lists
OffVis:
– Defragment the file.
– Reparse to identify deleted items.
Windows 7 Jump Lists
OffVis screenshot: marked entries = deleted items.
Windows 7 Jump Lists
Stream of a list item.
Windows 7 Jump Lists
Stream of a removed item.
Windows 7 Jump Lists
Quick review: automatic and custom destination files.
– Jumplist File Extract.
– http://www.regdat.com/