Uncategorized

Forensic Analysis of Windows 7 Jump Lists

Forensic Analysis of Windows 7 Jump Lists

Abstract

The release of Microsoft Windows 7 introduced a new feature known as Jump Lists which present the user with links to recently accessed files grouped on a per application basis.  The records maintained by the feature have the potential to provide the forensic computing examiner with a rich source of evidence during examinations of computers running the Microsoft Windows 7 Operating System.  This paper explores the type and level of information recorded by the Jump List feature, the structure of those records and the user actions which result in them being updated.

Introduction

The content of this article is based upon an MSc Thesis submitted by the author to Cranfield University in February 2012 but has been supplemented with observations and findings from analysis of Jump List files in actual investigations.

The article focuses primarily on artefacts relating to file accesses and although additional Jump List data relating to the use of individual programs has no focus in this paper, some work in this area has been conducted by Barnett (undated).

The Jump List feature provides the user with a graphical interface associated with each installed application which lists files that have been previously accessed by that application.  An example of that interface is shown at Fig. 1.

Image

Fig. 1 – Example of Jump List associated with Microsoft Paint.

As indicated in Fig. 1, it is also possible for a user to ‘pin’ items in order to retain them on a list.

The feature is enabled as standard and the default setting is to show the 10 most recently accessed files per application, although it is possible to adjust that figure to a maximum of 60.

Configuration changes can be achieved by a right mouse click on the Windows Logo button > Properties which reveals a dialog box similar to that shown at Fig. 2 which can be used to enable/disable the Jump List feature.

Image

Fig. 2 – Example of Windows 7 ‘Taskbar and Start Menu Properties’ Dialog box.

The number of items to be displayed on a Jump List can be adjusted through clicking of the ‘Customize…’ button which reveals a second dialog box, similar to that shown at Fig. 3

Image

Fig. 3 – Example of Windows 7 ‘Customize Start Menu’ Dialog Box.

Background Information

During the initial stages of the original project research was conducted in an attempt to identify what was already known about the topic of Jump Lists.

Whilst it was found that information available in the public domain was limited, some useful material was identified:

  1. Torres (2011) indicates that records of the items pinned to the Taskbar are stored in the directory ‘C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar’.
  2. AccessData’s Registry Quick Find Chart (2010) indicated that details of applications that have been pinned to the Taskbar are also recorded in the Windows Registry values ‘Favorites’ and ‘FavoritesResolve’ at ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband’ and that details of applications subsequently removed are retained within those Registry values.
  3. Larson (undated) explains that details of accessed files are held within structured storage (Compound Binary) files which themselves are stored within the user’s profile at the location ‘%systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations’ and notes the following:
    1. The files are named with 16 hexadecimal digits, known as the AppID followed by the file extension ‘automaticDestinations-ms’.
    2. The AppID can be set by the application or by the OS at application runtime. (MSDN, 2011).
      1. A list of known AppIDs can be found at http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs
    3. The majority of records within the Compound Binary file are named with a hexadecimal numeric value and are structured in accordance with the shortcut (link) file specification.
    4. A further entry entitled ‘DestList’, is also present and although this element is structured, there is little information available relating to that structure or the information contained within these elements although it was clear that they do not follow the Shortcut specification.
  4. Carvey (2011) details a small proportion of the structure, including a 64 bit ’FILETIME’ object and indicates that there are further byte sequences present within the ‘DestList’.
  5. The specifications for both Compound Binary (MSDN, 2010 (a)) and Shortcut files (MSDN, 2010 (b)) are documented online and a number of tools are available to extract the individual elements from Compound Binary files, for example SSView (http://www.mitec.cz/ssv.html), OffVis (http://download.microsoft.com/download/1/2/7/127ba59a-4fe1-4acd-ba47-513ceef85a85/OffVis.zip) and JumpLister (http://www.woanware.co.uk/?page_id=266), however, none of these tools will fully parse the ‘DestList’ element within a Jump List file.
  6. Ard (2007) states that Jump Lists record the number of times that a file is opened.
  7. Li (2011) reports that the number of items to be shown on a Jump List is stored within the Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’.

Experimental Setup and Program.

All experimentation was conducted in a virtual environment.  Based upon available resources at the time of the research, this was achieved using VMWare Workstation 7.1.3 and a retail copy of Windows 7 Ultimate (x64) with no Service Packs.

The virtual machine was created with two attached virtual disks formatted with the NTFS file system; the first to hold the Operating System and the second to store a series of specimen text, picture, music and video files.

The date and time settings of the virtual machine and all clones made from it were deliberately maintained in British Summer Time (GMT+1) in order to assist in how dates and times are recorded by Jump Lists.

The experiments that were conducted were designed to address specific points with a view to understanding the full structure of the records maintained by Jump Lists and were broken down into specific objectives.

Identify initial Jump List data. 

The first stage in this process was to carry out a fresh installation of Windows 7.  The virtualisation software was used to capture a snapshot at the completion of the installation, a second after an account was created and a third after being presented with the option to apply a password or not.  Finally the process was allowed to complete by logging the newly created user on for the first time after which the VM was shut down without accessing any files.

This experiment was carried out twice; once where a password was applied and once without.

All further experimentation was based upon clones of the VM where a password was applied to the user account and various tests were conducted to change the configuration of the feature and update the records maintained by it.

Modify configuration settings.

This was achieved by accessing the ‘Customize Start Menu’ dialog box as depicted in Fig. 3 and changing the default values to 15 (for number of programs) and 20 (for number of recent Jump List items).

The next step was to use the ‘regedit’ application to access the Registry key identified by Li (2011) before changing the data of the value ‘Start_JumpListItems’ to 25 (0x19) before closing regedit and accessing the relevant dialog box again to note the displayed values.

Finally, the ‘Use Default Settings’ button was used to return both displayed values to 10.

Open files.

A number of the sample files held on the second virtual hard disk were opened using applications included with Windows 7; Notepad and WordPad for text, Windows Photo Viewer and Paint for picture files, Windows Media Player and Windows Media Centre for video, sound and pictures.

Pin and Unpin items to a Jump List, Taskbar and Start Menu.

One entry each from the Jump Lists for Notepad and Paint were pinned to their respective lists.

The picture viewing program Irfanview (http://download.cnet.com/IrfanView/3000-2192_4-10021962.html?part=dl-IrfanView&subj=dl&tag=button) and the productivity suite Microsoft Office 2007 were then installed using the default installation locations, before shortcuts to Irfanview, Microsoft Word, Notepad and Paint were pinned to the Taskbar and Start Menu.

Irfanview and Microsoft Word were used to open two picture files and two Microsoft Word documents respectively.  One entry from each of the displayed Jump Lists was pinned to the list; one from the Taskbar list and the other from the Start Menu List.

Irfanview was then unpinned from the Taskbar and Start Menu and uninstalled using the relevant link found in the programs listing presented on the Start Menu.

Microsoft Office 2007 was uninstalled via the Windows Control Panel without unpinning Microsoft Word from either the Taskbar or Start Menu.

Delete Jump List data.

A number of methods of deleting the entries from a Jump List were tested;

  1. Manually selecting each entry through a right mouse click > ‘Remove from this list’ option.
  2. Deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box (see Fig. 2).
  3. Navigating to the ‘AutomaticDestinations’ directory and deleting the Compound Binary Files through Windows Explorer.
  4. From a command prompt with the command ‘del C:\Users\Win7x64JL\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\* /Q’.

Establish the order of file accesses.

This experiment consisted of three steps;

  1. Open a series of files in a known order
  2. Pin a selection of Jump List items in a known order
  3. Open all of the files again in a known order.

Identify pinned entries.

No additional experimentation was required for this step as previous experiments had already included the action of pinning individual entries to various Jump Lists.

Determine how often a file has been accessed.

Although it had previously been noted by Ard (2007) that Jump Lists record the number of times that a file has been opened, no information was identified to indicate whether other types of file access are also counted.  The experimentation at this stage was intended to address this knowledge deficit.

Due to time constraints associated with the original project, all further experimentation focused on the use of the applications Notepad and Microsoft Paint.

A number of steps were taken to investigate this aspect of Jump Lists;

  1. Two sample files (one picture and one text) were opened a total of five times each by navigating to them through Windows Explorer and a double left mouse click.
  2. The various context menu options (with and without the use of the Shift key) available for picture and text files were each used to perform a function, i.e Print.
  3. Shortcut files were created on the Desktop and used to open sample files.
  4. The various options within the application toolbars were each used to perform a function.
  5. Entries appearing in the Jump List were used to re-open files and the additional options available through a right mouse click on an entry were also selected in turn.
  6. Sample files were opened from the Command Prompt with commands such as ‘notepad D:\somefile.txt’.

Identify whether the date/time of file access is recorded.

It has been noted previously at Section 2 above that Carvey (2011) identified the presence of a ‘FILETIME’ object within the structure of an entry recorded in the ‘DestList’ element of a Jump List, although the purpose of this value was unknown.  Analysis of changes to these byte sequences was performed on the various Jump List files which had been generated and updated as a result of the experiments conducted in order to determine the purpose of that object.

Establish any differences in how file accesses are recorded.

The various Jump List files generated throughout the testing phase were analysed in an effort to identify any differences in the way that certain actions are recorded.

Delete, move and rename Jump List target  files.

Experimentation was conducted to investigate the impact of these types of user actions on the records within a Jump List.  The experiments involved opening a number of sample files to generate an entry in a Jump List before testing the following actions;

  1. Moving the target within the same volume.
  2. Moving the target to a different volume.
  3. Deleting the target to the Recycle Bin.
  4. Deleting the target to the Recycle Bin and then deleting it from that location.
  5. Deleting the target, but bypassing the Recycle Bin by use of the Shift key.
  6. Renaming the target file on the original volume.

Install a known application to a non-default location.

The purpose of this experiment was to identify any differences in the value of the AppID generated by Windows 7 by installing an application to a non-standard location.

In this case, this was achieved by installing the program Irfanview to the path ‘C:\Irfanview’ instead of the default ‘C:\Program Files(x86)\Irfanview‘.  Following the installation two sample picture files were opened.

Results and Observations

This Section provides a summary of the experimental results and observations made.  For ease of reference the information is grouped into areas of interest.

Data present at first login.

The areas of the folder structure and the Windows Registry that are used to store data relevant to Jump Lists are created within a user account at the point that account first logs in.

A fresh install of Windows 7 resulted in the applications ‘Internet Explorer’, ‘Windows Explorer’ and ‘Windows Media Player’ being automatically pinned to the Taskbar without any user interaction as shown in Fig. 4 below.
Image

Fig. 4 – Screen capture of Windows 7 Start Menu and Taskbar at first login

The directory ‘C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar’ was found to contain three shortcut (.lnk) files relating to those three applications.

References to those pinned applications were also found in the Windows Registry values ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband\Favorites and FavoritesResolve’.

The Windows Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’ did not exist at this stage.

It was found that irrespective of whether the system was configured to show hidden files and folders or not, the ‘AutomaticDestinations’ directory could not be seen when attempting to navigate to it through Windows Explorer.

If, however, the full path was typed into the address bar, then the contents of the directory could be seen.  Navigating to it from a Command Prompt had no such problems.  Further analysis using forensic software did not show the ‘AutomaticDestinations’ directory to have the ‘Hidden’ attribute set.

One Jump List, named ‘1b4dd67f29cb1962.automaticDestinations–ms’ exists within the ‘AutomaticDestinations’ directory at first login which contains four entries relating to the ‘Libraries’ available through Windows Explorer.

Jump List Configuration Settings

Changing the number of Jump List items to display using the ‘Customize Start Menu’ dialog box resulted in the creation of the Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’.

Similarly, changing the number of recent programs to display resulted in the creation of a value named ‘Start_MinMFU’ in the same Registry key.

After deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box, a new value entitled ‘Start_TrackDocs’ was created within the same Registry key.  Additional experimentation identified that the data in this value is either ‘0’ when the feature is disabled or ‘1’ when enabled.

None of these values were present at first login.

Using regedit to alter the date in the Registry values resulted in immediate updates to the respective checkboxes in the ‘Customize Start Menu’ dialog box.

The installation path of a program is taken into account by the OS when AppIDs are automatically generated.

Whilst it was found that uninstalling a program removed traces of items pinned to the Start Menu and Taskbar, it was also found that Jump Lists relating to that application remained intact.

Accessing files

There are numerous options available to a user in respect of file manipulation through Windows Explorer, context menus, application file menus and Jump Lists themselves.

Testing revealed that providing a period of at least 30 seconds elapsed between repeated instances of opening the same file, a counter in the ‘DestList’ entry would increment by 1.

Accessing files in a serial manner, i.e. one after the other, resulted in entries being made in the Jump List irrespective of the amount of time elapsed between each access.

The FILETIME object only changed when a user action caused the entry access counter incremented.

The only actions that were found to cause such updates to the FILETIME object and the access counter were those that resulted in the content of the target file being made available to the user, i.e. displaying a picture file on screen or printing it.

Table 1 below shows only the various user actions which resulted in an update to the access count of a Jump List.  It should be noted that the options ‘From Scanner or camera’ and Send in Email’ present in the file menu associated with Paint were not tested

Analysis of Jump List files in relation to live case work has shown that some applications including the Microsoft Office suite, Windows Explorer and Windows Media Player may record non whole numbers in the access count.  The reason for this difference has not been identified and experimentation has failed to identify a method to replicate the issue.

Left/Right mouse button Action
Paint
Left Double click
Left Link file
Right Preview
Right Set as background
Right Edit
Right Print
Right Open With
Notepad
Left Double click target
Left Double click Link file
Right Open
Right Print
Right Edit
Right Open With
File Menu
Option Jump List Updated Remarks
Paint
Open Paint + Explorer
Save Paint + Explorer Initial Save only
Save As Paint + Explorer
Notepad
Open Notepad + Explorer
Save Notepad + Explorer Initial Save only
Save As Notepad + Explorer
Jump List Menu
Action/Option Jump List Updated
Paint
Click Entry Paint + Explorer
Edit Paint + Explorer
Print Paint + Explorer
Notepad
Click Entry Notepad + Explorer
Open Notepad + Explorer
Print Notepad + Explorer

Table 1 – User actions resulting in access count update

Experimentation failed to identify any method to identify specifically which action caused the count value to increase.

The testing conducted indicates that files opened via a command prompt do not cause the access count to rise.

It was found that the Windows 7 default picture viewing program (Windows Photo Viewer) did not record the details of files accessed in a Jump List and nor was one created when that program was used.

Most of the generated Jump Lists recorded the file paths to their respective target files in clear text with Unicode encoding, which can be read with relative ease.

Windows Media Player, however, did not follow this trend but rather uses a series of alphanumeric (hexadecimal) characters to document this information as illustrated in Fig. 5 below:

Image

Fig. 5 – Example of file path recorded by Windows Media Player

The ‘link file’ elements in Windows Media Player are also different and point to the executable itself, with the file path of the target file recorded as a switch passed to the program when run.

It has been noted in a recent case, however, that Windows Media Player had recorded two entries for each file accessed, one with the file path stored as shown in Fig 5 and the other with the full path.  The respective ‘link file’ elements replicated this, with one pointing to the executable and the other following the more traditional format associated with link files. 

Not all applications use all of the fields available in a ‘DestList’ entry all of the time.  Fig. 6 below shows the differences between the amount of data recoded in two entries taken from the same ‘DestList’.

When target files are renamed on or moved between drives with the registered type ‘Fixed’ connected to the machine, subsequent opening of the target is from the Jump List entry is successful and results in the details recorded in the ‘DestList’ element being updated to reflect the change.

Files that have been ‘deleted’ to the Recycle Bin on drives of the same type are also located correctly and the user is given the opportunity to restore the target to its original location (without opening it and therefore not updating the access count) or to delete the entry from the Jump List.

For files that have been moved to a drive with the registered type ‘Removable’ such as USB devices or deleted from the Recycle Bin,  any attempt to re–open a file subjected to such a move or deletion results in an error message being displayed on screen.

The results of the experiments conducted in relation to this aspect of Jump List behaviour is shown at Table 2 below:

Serial Action Result Remarks
1 Cut and Paste to new Fixed Disk NTFS volume Opened.  File path amended to new location.
2 Cut and Paste to Removable Drive NTFS volume  Image ‘Yes’ removes the entry from the list.  ‘No’ leaves it in the list.
3 Cut and Paste to same

Fixed Disk NTFS volume

Opened.  File path amended to new location.
4 Right Mouse click > Delete (Sent to Recycle Bin)  Image ‘Restore’ returns the file to original location, but does not open it.

‘Delete’ removes entry from list but leaves the file intact in the Recycle Bin

5 Right Mouse click > Delete > Delete from Recycle Bin As Serial 2 result.
6 Shift key + Delete key (Bypass Recycle Bin) As Serial 2 result.
7 Rename Opened.  File path amended to new name.

Table 2 – Results of renaming, moving or deleting files

Order of Access

The list is presented on screen to the user and stored in the ‘DestList’ element in reverse order, i.e. the first entry at the bottom and the most recent at the top,  with each subsequent entry being appended to the list above the preceding entry.

Within the ‘Recent’ section of a Jump List, subsequent accesses to target files results in placing the entry for the most recently accessed at the top of that section when the list is presented on screen to the user and within the ‘DestList’ element.

The ordering of presentation of items pinned to a Jump List differed, with the sequence reflecting the order in which they were pinned, i.e. the first at the top of the section and the last at the bottom.

It was also found that when an entry is pinned, the data relating to it in the ‘DestList’ became static and was not re–ordered as further accesses occurred.  This was also true within the list presented to the user on screen, i.e. the entries were not re–ordered.

Pinning/Unpinning Items

Individual files can be pinned to the Jump List and/or the Start Menu, but not to the Taskbar.

At the point the first item is pinned to the Start Menu a new sub-directory named ‘StartMenu’ is created within ‘C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\’ which is used to store a shortcut (.lnk) file relating to that item.

Unpinning the item from the Start Menu results in the shortcut (.lnk) file being removed from the ‘StartMenu’ sub-directory.

Unpinning all items from the Start Menu leaves the ‘StartMenu’ sub-directory intact.

When an program is pinned to the Start Menu or the Taskbar a shortcut (.lnk) file is created and stored in the relevant sub-directory of ‘C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\’ .

A record of items pinned to the Taskbar is also added to the data in the values ‘Favorites’ and ‘FavoritesResolve’ within the Windows Registry key ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband’.  If those shortcut files are removed from the respective locations, either manually or during an application uninstallation process, the corresponding traces within the folder structure and Windows Registry are also removed, but any Jump Lists generated from the use of that program remain intact.

The testing conducted showed that the total number of items pinned to a Jump List is recorded in the header of the ‘DestList’,  with a hexadecimal count beginning at ‘0x01 0x00 0x00 0x00′

Pinning an entry to a Jump List results in an update to a 4 byte sequence in the ‘DestList’ record which acts as a counter and changes from the default value of ‘0xFF 0xFF 0xFF 0xFF’ to a hexadecimal numeric value. The count begins at hexadecimal ‘0x00 0x00 0x00 0x00’, i.e. 3 pinned entries will result in count values of ‘0x00 0x00 0x00 0x00’, ‘0x01 0x00 0x00 0x00’ and ‘0x02 0x00 0x00 0x00’.

The changes to the ‘DestList’ header (at offset 8) and an entry (at offset 280 in this example) which occurred as a result of pinning a single entry to a Jump List are shown at Fig. 6 below:

Image

Fig. 6 – Changes to ‘DestList’ element of Paint Jump List after pinning a single entry

Deleting Jump List Files

Input at the Command Prompt of ‘del C:\Users\Win7x64JL\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\* /Q’ resulted in the entire contents of the ‘AutomaticDestinations’ directory being deleted, irrespective of the pinned status of any element within the lists.

By navigating to the ‘AutomaticDestinations’ folder, it was possible to select and delete all of the Compound Binary Files it contained, regardless of the pinned status of the entries.

By expanding the Jump List and manually deleting the entries by using the ‘Remove from this list’ option, the following was noted:

  1. A pinned entry could not be deleted until after it had been unpinned.
  2. When the last remaining entry was removed from the list, the entire Jump List file was removed from the ‘AutomaticDestinations’ directory.

The action of removing an entry via a Jump List caused changes to the header of the ‘DestList’ element, as depicted in Fig. 7 below which provides further insight into the structure of that part of the element.

Before deletion – 2 entries in list

 Image

After deletion – 1 entry in list

 Image

Fig. 7 – Changes to ‘DestList’ element after removing an entry via the Jump List

After deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box the following was noted:

  1. All Jump List files which contained no pinned elements were removed from the ‘AutomaticDestinations’ directory.
  2. For those Jump Lists which did contain pinned items, all other entries were removed from the list, leaving only records relating to the pinned elements.
  3. The Jump List binary files can be extracted from the ‘AutomaticDestinations’ directory on a running machine without changing the data they contain.

DestList’ Structure

As a result of background research and the experimentation conducted, it was possible to identify the majority of the ‘DestList’ structure, however, it was found that the purpose of certain areas of the ‘DestList’ structure remained unknown.

It appeared that the first 8 bytes of an entry were some kind of hash of the entry data. Minimal experimentation was conducted whereby a single byte in each of the identified byte sequences in the entry was amended in a hex editor.  As a result the following observations were made:

  1. Any change in the entry data between the start of the unidentified 8 byte value and the last byte before the file path data would result in any entries in the list after the altered one not appearing in the Jump List displayed on screen.
  2. Changing the file path had no effect and the correct target file was opened when the entry in the list was clicked.  In addition, the Jump List was re–written to amend the file path to show once again the correct information.
  3. These findings tended to support the theory that the first 8 bytes of an entry is some kind of hash.

The full structure of the ‘DestList’ element is presented in Table 3 (header) and Table 4 (entry) below:

Offset Description
DESTLIST HEADER 0 – 3 First Issued Entry ID.  Naturally appears to always be 1
4 – 7 Total number of current entries in Jump List
8 – 11 Total number of pinned entries
12 – 15 Floating point value.  Some kind of counter.  Initial value is ‘0x00 0x00 0x80 0x3F’ (=1) (For Windows Explorer ‘0x66 0x66 0x76 0x41’ (=15.4)).  Increments as new entries are added.  Removing an entry from the Jump List causes the value to decrement.
16 – 23 Last issued Entry ID number
24 – 31 Number of add/delete actions – Increments as entries are added.  Also increments as individual entries are deleted.

Table 3 – Structure of ‘DestList’ header

Offset Description
DESTLIST ENTRY 0 – 7 A checksum or hash of the entry.  Not known what type.
8 – 23 New Volume ID
24 – 39 Object ID
40 – 55 Birth Volume ID
56 – 71 Object ID
72 – 87 NetBIOS name of volume where the target file is stored – May record names of network shares
88 – 95 Entry ID number
96 – 99 Floating point counter to record each time the file is accessed (not necessarily opened) – Can produce unusual results (partial numbers)
100 – 107 MSFILETIME of last recorded access
108 – 111 Entry ‘pin’ status. ‘0xFF 0xFF 0xFF 0xFF’ = Unpinned.  Otherwise a counter starting at ‘0x00 0x00 0x00 0x00’.
112 – 113 Length of Unicode entry string data
114 – Entry string data

Table 4 – Structure of ‘DestList’ entry

Summary

  1. Configuration settings can be retrieved from the Windows Registry
    1. ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
      1. Number of items to display on Jump List
      2. Default value of 10
      3. Maximum value of 60
    2. ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ Start_TrackDocs
      1. Status of feature
      2. Switched on by default
      3. If present the feature has been turned off at some point (0 = Jump Lists off. 1 = Jump Lists on)
    3. Only present if default values\state changed
  2. Jump List data stored in Compound Binary files at %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
    1. Can be shortened to %AppData%\MicrosoftAppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
    2. Most entries in Compound Binary files are named with a hexadecimal numeric value
      1. Structured as link files
    3. DestList records the order of access
  3. Not all applications use Jump Lists to record file accesses.
  4. The individual entries in the ‘DestList’ element of a Jump List contain a wealth of information regarding the target files to which they relate including:
    1. The Entry ID number, which can be used to ascertain the order in which the entries were added to the list and therefore the order in which files were first accessed.
    2. A count of file accesses which result in the contents being presented to the user.
      1. Different applications may record this information in different ways.
    3. The date and time (in GMT) of the last recorded access for each entry.
    4. A flag to indicate whether the file has been pinned to the list and, if it has, the order in which it was pinned.
    5. The full path of the target file.
  5. It is possible to identify if entries have been deleted from a list through:
    1. Disparity between the number of entries in the list as recorded in the ‘DestList’ header and the last issued Entry ID.
    2. Values missing from the numerical sequence used to name the individual entries.

_____________________________________________________________________________

References

AccessData (2010) Registry Quick Find Chart. [online] Available at: http://accessdata.com/media/en_us/print/papers/Registry_Quick_Find_Chart_9–27–10.pdf [Accessed: 21 Jul 2011].

Ard, C. (2007) Introduction to Windows 7. [online] Available at: http://info.publicintelligence.net/WIN7–TWO–Hour–Talk.pdf [Accessed: 17 Feb 2011].

Barnett, A. (n.d.) The Forensic Value of the Windows 7 Jump List. [online] Available at: http://www.alexbarnett.com/jumplistforensics.pdf [Accessed: 13 Sep 2011].

Carvey, H. ((a) 2011) Jump List DestList Structure. Windows Incident Response, [blog] 28 Jun 2011, Available at: http://windowsir.blogspot.com/2011/06/meetup–tools–and–other–stuff.html [Accessed: 8 Sep 2011].

Larson, T. (n.d.) Forensic Examination of Windows 7 Jump Lists. [online] Available at: http://www.slideshare.net/ctin/windows–7–forensics–jump–listsrv3public [Accessed: 7 Jun 2011].

Li, N. (2011) Change the Number of Recent Items Displayed in Windows 7 Jump List. [online] Available at: http://blogs.technet.com/b/win7/archive/2011/05/10/change–the–number–of–recent–items–displayed–in–windows–7–jump–list.aspx [Accessed: 21 Jul 2011].

MSDN (2010) (a) [MS–CFB]: Compound File Binary File Format. [online] Available at: http://msdn.microsoft.com/en–us/library/dd942138.aspx [Accessed: 26 Feb 2011].

MSDN (2010) (b) [MS–SHLLINK]: Shell Link (.LNK) Binary File Format. [online] Available at: http://msdn.microsoft.com/en–us/library/dd871305(PROT.10).aspx [Accessed: 17 Feb 11].

MSDN (2011) Application User Model IDs (AppUserModelIDs). [online] Available at: http://msdn.microsoft.com/en–us/library/dd378459(v=vs.85).aspx [Accessed: 26 Jul 2011].

Torres, A. (2011) Revealing Intent with Windows 7 Artifacts. Computer Enterprise and Investigations Conference.

_____________________________________________________________________________

Rob Lyness is a member of the British Army Royal Military Police, who has specialised as a forensic computer examiner since February 2007.

He began the MSc with Cranfield University in February 2009 and graduated in July 2012.

He was awarded the prize for the highest scoring project with his thesis ‘An Assessment of the Forensic Value of Windows 7 Jump Lists’.

Rob welcomes any questions regarding the content of this article.  Please feel free to PM.

Discussion

4 thoughts on “Forensic Analysis of Windows 7 Jump Lists

  1. Wow, this post is good, my younger sister is
    analyzing these kinds of things, so I am going to convey
    her.

    Posted by Jada | January 8, 2014, 5:45 am

Trackbacks/Pingbacks

  1. Pingback: Case Leads: DFIR Lessons from Sandy; The Advanced Persistent Intruder; The Secure Breach; Windows8 Forensics; South Carolina Tax Info Protected by "TWO FIREWALLS" - November 2, 2012

  2. Pingback: [Oct 2012] Newsletter | FORENSIC INSIGHT - November 8, 2012

  3. Pingback: Jumplists Forensic | cisnerof - March 7, 2014

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 710 other followers

%d bloggers like this: