Forensic Analysis of Jump Lists in Windows Operating System (IJERT)
Jhala, A.

Abstract. The release of Microsoft Windows 7 introduced a new feature known as Jump Lists, which presents the user with links to recently used or accessed files, grouped on a per-application basis.
Windows 7 Jump Lists are a new artifact of system usage that can be of significant value in a forensic analysis where a user's activities are of interest. In this paper, Section 2 gives an overview of how the Windows operating system actually stores Jump List data behind the scenes. Section 3 describes the AppIDs of different Windows applications. Section 5 presents the forensic evaluation of the solution. AppIDs can be set by the application or by the operating system at application run time.
When the user performs certain actions, such as opening files or using the Remote Desktop Connection tool, two types of files are generated. Jump Lists appear to be associated with applications through file-extension analysis. The operating system calculates an application's AppID; knowing the AppID helps identify the application behind a given Jump List, which is of particular importance when user activity is central to an investigation.
The files are named with 16 hexadecimal digits. All experiments were conducted in a virtual environment using VMware Workstation 9.
A virtual machine was created with two virtual disks formatted as NTFS: the first to hold the operating system and the second to store a series of specimen text, picture, music and video files. The experiments were designed with specific points in view, with the aim of understanding the full architecture of the records maintained by Windows Jump Lists, and were broken down into particular objectives.
The virtualisation environment was used to capture a snapshot at the completion of the installation and again after a user account was created. The process was then allowed to complete by the newly created user logging on for the first time, after which the virtual machine was shut down without any files having been accessed. All further experiments were based on copies of this virtual machine, in which a password was applied to the user account and various tests were carried out to change the configuration of the feature and update the records it maintains.
The modification was made through the Customize Start Menu dialog box; deselecting the option to store and display recently opened items in the Start Menu resulted in the creation of a registry value. Further experiments identified that this value is '0' when the feature is disabled and '1' when it is enabled. The next step was to use the regedit application to inspect that registry value.
None of these values were present at the time of first login. The experiments identified the functional areas of the file and folder structures and of the Windows registry that are used to store data relating to Jump Lists for a user account at the point that account first logs in.
Whether or not the system was configured to show hidden files and folders, the AutomaticDestinations directory could not be seen when attempting to navigate to it through Windows Explorer. Two further manipulations were tested once Jump Lists existed: deselecting the option to store and display recently used or opened items in the Start Menu, and navigating to the AutomaticDestinations directory and deleting the compound binary files (b4dd67f29cb...) from Windows Explorer.
A further element named DestList is also present, and because of the way this element is structured, little information was previously available about what it contains. In the DestList structure, the first 8 bytes of an entry appear to be a hash of the entry's data. On examination, the following observations were made:
Any change to the data of an entry between the start of the unidentified 8-byte value and the file path results in every entry after the altered one no longer appearing in the Jump List. Once the file path was rewritten to the correct value, the Jump List displayed the entries again. A counter records the number of add or delete actions and increments as entries are included. Most Jump Lists record the paths of their target files in plain text using Unicode encoding.
Windows Media Player did not follow this trend; instead it uses a series of alphanumeric characters to record this information, as shown in the figure below, which gives the encrypted view of a Windows Media file. The link-file elements for Windows Media Player also differ: some point to the executable itself, with the path of the target file recorded as a key used during execution of the program.
It was noted that Windows Media Player recorded two entries for each file accessed: one with the file path as shown in the figure and the other with the full path. The corresponding link-file elements replicated this, with one pointing to the executable and the other following the more conventional format, with the link associated with the target file.
Not all applications use all of the fields available in a DestList entry. The figure below shows the difference in the amount of data recorded in two entries taken from the same DestList.
Target files were also moved between drives on the test machine. For files moved to a drive registered as removable, such as a USB device, any attempt to reopen a file that had been deleted or moved resulted in an error message being displayed to the user.
When the first item was pinned to the Start Menu, a new sub-directory named Start Menu was created; it is used to store the shortcut files relating to pinned items. Unpinning an item from the Start Menu or taskbar results in the shortcut file being removed from that Start Menu sub-directory. A record of items pinned to the taskbar is also added to the Favorites and FavoritesResolve values within the Windows registry. Testing showed that the overall number of items pinned to a Jump List is recorded within the header of the DestList.
Pinning an entry to the Jump List results in an update to a 4-byte sequence in the DestList that behaves like a counter and changes from its default hexadecimal value. The changes that occurred as a result of pinning a single entry are shown in the figure below. When Jump List files were expanded and their entries manually deleted using the 'Remove from this list' option, the following was noted:
A pinned entry could not be removed until it had been unpinned from the Jump List. Whenever the last entry was removed from the list, the Jump List file itself was deleted from the AutomaticDestinations directory. Removing an entry within the Jump List may change the header of the DestList element, as depicted in the figure below, which elaborates the structure of that part of the element. After deselecting the option to store and display recently used or opened items in the Start Menu and the taskbar in the dialog box, the following was noted:
All Jump List files that contained no pinned elements were removed from the AutomaticDestinations directory. Jump Lists that did contain pinned items had all other entries removed, leaving only records relating to the pinned elements. The binary Jump List files can be taken from the AutomaticDestinations directory and examined on another machine without changing the data they contain.
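The DestList findings above (the 8-byte hash at the start of each entry, the pinned-item count and add/delete counter in the header, and the numbered link streams that removals leave gaps in) can be checked with a small parser. The following is an added example and not code from the paper: a Python parser for a Windows 7 DestList stream, run over a constructed sample; the field offsets follow the publicly documented layout of the format and are an assumption of this example, as are the sample paths and host name.

```python
# Added example (not from the paper): parse a Windows 7 DestList stream and cross-check
# it against the numbered link streams. Field layout follows public research (assumed).
import struct
from datetime import datetime, timedelta, timezone

# Header: version, current entries, pinned entries, unknown f32, last issued entry
# number, add/delete action counter, 8 unknown bytes (32 bytes).
HEADER_FMT = "<IIIfII8s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
# Entry (version 1): 8-byte checksum, four 16-byte volume/object ids, 16-byte NetBIOS
# host, u32 entry number (= hex stream name of the link), u32 unknown, f32 unknown,
# u64 FILETIME last access, u32 pin status (position if pinned, else 0xFFFFFFFF),
# u16 path length in UTF-16 characters; the UTF-16LE path follows.
ENTRY_FMT = "<8s16s16s16s16s16sIIfQIH"
ENTRY_FIXED = struct.calcsize(ENTRY_FMT)   # 114 bytes
NOT_PINNED = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_destlist(buf):
    """Return (header dict, list of entry dicts) for a raw DestList stream."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("DestList shorter than its 32-byte header")
    version, count, pinned, _, last, actions, _ = struct.unpack_from(HEADER_FMT, buf, 0)
    header = {"version": version, "entry_count": count, "pinned_count": pinned,
              "last_entry_number": last, "add_delete_actions": actions}
    entries, off = [], HEADER_SIZE
    while off + ENTRY_FIXED <= len(buf):
        (checksum, _vol, _obj, _bvol, _bobj, host, number, _u1, _u2,
         ft, pin, plen) = struct.unpack_from(ENTRY_FMT, buf, off)
        start, end = off + ENTRY_FIXED, off + ENTRY_FIXED + 2 * plen
        if end > len(buf):
            raise ValueError(f"entry {number} at offset {off:#x}: path runs past end of stream")
        entries.append({
            "number": number,
            "host": host.rstrip(b"\x00").decode("ascii", "replace"),
            "last_access": filetime_to_datetime(ft),
            "pinned": pin != NOT_PINNED,
            "path": buf[start:end].decode("utf-16-le"),
            "checksum": checksum.hex(),   # hash over the record; treated as opaque here
        })
        off = end
    # A mismatch hints at a truncated or hand-edited stream (entries after an edit vanish).
    header["count_matches"] = len(entries) == count
    return header, entries

def removed_entry_numbers(header, entries):
    """Entry numbers issued so far (assumed 1..last) with no DestList record: removed items."""
    present = {e["number"] for e in entries}
    return [n for n in range(1, header["last_entry_number"] + 1) if n not in present]

def unreferenced_streams(entries, stream_names):
    """Numbered link streams in the compound file that no DestList record points to."""
    present = {e["number"] for e in entries}
    return sorted(s for s in stream_names if s != "DestList" and int(s, 16) not in present)

def build_entry(number, path, pin, ft, host=b"WIN7-LAB"):
    """Constructed test data only: pack one version-1 entry with zeroed ids and checksum."""
    fixed = struct.pack(ENTRY_FMT, b"\x00" * 8, b"\x00" * 16, b"\x00" * 16, b"\x00" * 16,
                        b"\x00" * 16, host, number, 0, 0.0, ft, pin, len(path))
    return fixed + path.encode("utf-16-le")

FT_2013 = 130014720000000000   # FILETIME for 2013-01-01 00:00:00 UTC

def sample_destlist():
    """Constructed DestList: entries 1, 2 and 4 remain, entry 3 was removed, entry 2 is pinned."""
    header = struct.pack(HEADER_FMT, 1, 3, 1, 0.0, 4, 5, b"\x00" * 8)
    return header + b"".join([
        build_entry(1, r"C:\Users\lab\Documents\report.docx", NOT_PINNED, FT_2013),
        build_entry(2, r"E:\photos\holiday.jpg", 0, FT_2013 + 600 * 10_000_000),
        build_entry(4, r"\\fileserver\share\notes.txt", NOT_PINNED, FT_2013 + 3600 * 10_000_000),
    ])

if __name__ == "__main__":
    hdr, ents = parse_destlist(sample_destlist())
    print(hdr, *ents, sep="\n")
    print("removed:", removed_entry_numbers(hdr, ents), "unreferenced:", unreferenced_streams(ents, ["1", "2", "3", "4", "DestList"]))
```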
Although Jump Lists are a newly introduced feature and Windows 7 has been out for a while now, some issues have already come up. Initial findings indicated that at least one Jump List record had been recovered from unallocated disk space, but it turned out that the three problem Jump Lists came from a live acquisition of an image, and the applications in question could have been open on the system at the time of the acquisition.
This raises a valid question: how does an analyst deal with Jump Lists from a live image acquisition when the applications were open during the acquisition? The answer is that the analyst needs to understand the binary structure of the Jump Lists, because that is the only way to resolve such issues.
When tools do not work, we need to understand the formats well enough to troubleshoot the issue ourselves. From an analyst's point of view, Jump Lists are a new technology and artifact in the Windows operating system that need to be understood better.
At this point we have considerable information indicating that these Windows artifacts have value and should be parsed into timelines for analysis.
Jump Lists contain analytic attributes in the same way as registry keys and values and prefetch files, and these attributes are bound to specific user actions. Further research is needed, but it appears that Jump Lists also represent a persistent artifact that remains after files, folders and applications have been deleted.
This work was supported by eSF Labs Ltd, Hyderabad, India, which provided the technical conditions and the machines used for the development and testing of the solution.
Fig 1. Jump List example associated with MS Paint.
Fig 2. Taskbar and Start Menu Properties dialog box.
Fig 3. Customize Start Menu dialog box.
Table: Identifying the initial Jump List data (modification in configuration; data present at first login; deleted data of Jump List). A pinned application was also found in the Windows registry value; the registry value did not exist at first login.
Slide outline: Windows 7 forensics jump lists (rv3, public)
- Windows 7 Jump Lists, ramifications for forensic investigations: history of items opened or modified by a particular application. LNK files or registry stores.
- Jump List content is derived from two data files.
- Windows 7: Recent folder.
- Note: more automatic destination files, and so on.
- Anatomy of the custom destination file.
- Anatomy of the automatic destination file, viewed in a structured storage viewer (OffVis).
- Carve and parse: custom destination file. Carve the shell link item and copy or export it to a file.
- Items can be removed from a list. Removed items leave gaps in the number sequence of the streams in the automatic destination file.
- Stream of a list item; stream of a removed item.

Windows 10 Jump List and Link File Artifacts - Saved, Copied and Moved (DFIR Review)
For the newly saved TD2ServerTest. Individual files were copied from one device to another without first opening the file. Session Two testing focused on the user activity of simultaneously copying or moving multiple files or folders between the three devices.
On February 8, the following user activity was performed:
Creation of these LNK files was expected, since those items were accessed to accept data.
Windows 10 did not create LNK files for any of the following user activities:
In summary, Windows Explorer Jump List entries were created for the destination folder locations when the user simultaneously copied multiple folders from one device location to another.
It was noted that while the simultaneous copying of multiple folders created Jump List entries, the simultaneous copying of files did not produce Jump List entries. Session Three testing involved opening a previously saved file using its default software application and then saving the file with a different file name on a different device.
Some of the opened and renamed files were edited, while others were saved unedited in their original data form. On April 15, the following user actions were taken:
In each instance of user file activity performed in Session Three, Windows created or updated a LNK file for both the original file location and the new saved file location.
This behavior was expected since the original file was opened and the newly saved file remained open after being saved in a new file location. In Session One, original files were opened and then saved to a different device location using the same filename.
Session One testing identified LNK files created for the files saved in the new device location with no LNK files created or updated for the original file location. Inconsistencies were observed from the data recorded within the LNK files created during Session Three. The Session Three LNK files were somewhat inconsistent in their recording of the target file created timestamp, the target file modified timestamp, and the target file size for newly created files.
The target timestamps and target file sizes were recorded for the single newly created text file. The target timestamps and target file size were recorded for the newly saved file April-Mileage.
The target timestamps and target file sizes were not recorded for the newly saved files Interview. The cause of the inconsistent recording of data for Microsoft Word file types within the LNK files is unknown and may require more testing. In the Session Three test, the analysis of LNK files and Jump List entries reflects that those two artifacts report similar data for files which are opened and then saved using a different name on a different device.
Depending on the Jump List, slight variations were observed in the data recorded by the Jump List. A summary for each Jump List recording Session Three user file activity is detailed below:.
The Foxit Reader Jump List was the most consistent in its behavior. It recorded entries for both original file location as well as the newly saved location. For the original file, the entries consistently recorded the target file size with the target creation and modified timestamps unchanged.
For the newly saved file, the target created timestamp, the target modified timestamp, and the target file size were not recorded. For the Quick Access Jump List, separate entries were created for the original file location and the newly saved file location.
For the original file, the entry consistently recorded the target file size with the target creation and target modification timestamps left unchanged. Except when the newly saved file was a text file, the Quick Access Jump List entry did not record the target created timestamp, the target modified timestamp or the target file size.
When the newly saved file was a text file, the Quick Access Jump List recorded the target file timestamps and the target file size.
It is unknown why the data recorded by the Quick Access Jump List entry for a newly saved text file differed from that recorded for the other file types tested.
The Notepad Jump List recorded separate entries for both the original file location and the newly saved file location. For the original file, the created and modified timestamps remained unchanged and the target file size was recorded.
These entries kept the target created and modified timestamps unchanged, and the entry recorded the target file size. The Microsoft Excel and Microsoft Word Automatic Jump Lists created separate entries for both the original file location and the newly saved file location. For the original location, the target file created and modified timestamps remained unchanged while the target file size was recorded.
For the newly saved location, the target created and target modified timestamps recorded the date and time the new file was saved. Also, the new target file size was recorded for the newly saved location entries. Session Four testing involved the creation of new files without copying or moving the files from an original location. These newly created files were saved to one of the three devices used during testing.
On May 14, the following user actions were taken:
Saved the archive to the Lexar thumb drive. A comparison of the Exhibit 7 and Exhibit 1 LNK file results for the single copied file test reflects similar results concerning saved files. Session Four testing included the creation of ten new files.
Similar to the Session One test results, seven of the eight created LNK files in Session Four did not record target file timestamps or the target file size. LNK files in Exhibit 1 did not record target file timestamps or target file size for any of the saved Microsoft Word files, and Exhibit 5 was inconsistent in its treatment of LNK files for Microsoft Word file types. As with LNK files in Exhibit 7, eight of the ten created files in Session Four testing had corresponding Jump List entries, although not all software application Jump Lists recorded entries.
Also similar to LNK files, the two created files which did not have a corresponding Jump List entry were 7-Zip archive files. They each recorded the created and modified timestamps as well as the target file sizes for each of the newly created files.
The Notepad Jump List entry created from Session Four did not record target file created or modified timestamps, and it did not record the target file size.
As the reader may also recall, the Exhibit 2 Session One Notepad Jump List entries recorded conflicting data; one file recorded target file timestamps and target file size while a second entry did not record timestamps and target file size. Comparing Session Three Jump List entries from Exhibit 6 showed Foxit Reader Jump List entries for newly saved files where the newly saved file was saved from an original file.
In Session Four, PDF files were created by using the Microsoft and Foxit print features to create the files, and were not just renamed from an original file. The Quick Access Jump List entries for file types. The target file created timestamp, the target file modified timestamp and the target file size were not recorded for the file types.
Session Five testing involved the copying of individual files, the simultaneous copying of files, and the renaming of individual files without opening any of the files. All files copied or renamed in Session Five were Microsoft Office files. On May 28, the following user actions were taken:
After processing and analyzing the Recent folder upon completion of Session Five testing, no created or updated LNK files or Jump List entries were identified.
Windows 10 Jump List and LNK Files continue to be a source for forensic analysts to document user file and folder activity. Due to some changes in the Windows 10 LNK file and Jump List behaviors, analysts should understand these new behaviors to fully benefit from the analysis of user file and folder activity on a system. In addition to the traditional user file and folder access, Windows 10 has expanded, in limited circumstances, the documenting of user file and folder activity.
When an original file was opened using its default software application, then the Save As feature of the software was used to save the file using a different name on a different device, LNK files were created. This user file activity created or modified LNK files for both the original file location and the newly saved file location Session Three.
An exception to this behavior was when the 7-Zip software was used to create a new 7-Zip archive Session Four. LNK files were not created when an individual folder or simultaneous multiple folders were copied from one device to another Session One. A Windows Explorer Jump List entry was created for a destination folder when either an individual folder or multiple folders were simultaneously copied from one device to another.
Quick Access, a new feature to Windows 10 has its own dedicated Jump List. The Quick Access Jump List consistently recorded entries when a file was saved to a new device location. This newly saved file could have resulted either from the opening of an original file and re-saving the file to a new location; or from the creation of a new file with no interaction with an original file.
Quick Access Jump List entries were created irrespective of any software application Jump Lists which may have additionally recorded entries for the same user file activity.
While the Quick Access Jump List consistently recorded entries for newly saved files, the recording of entries for original file locations was varied Session One, Session Three, and Session Four.
When an original file was opened using its default software application, and the Save As feature of the software was used to save the file using either the same filename to a different location or a different filename to a different file location, the following software application Jump Lists [2] recorded entries for both the original file location and the newly saved device location [3] (Session One and Session Three):
When a software application was used to create a new file, with no interaction with an existing file, using its Save As feature, the software application Jump List recorded an entry for this newly saved file.
The single exception was when a new 7-zip archive was created — No 7-zip Jump List was identified in the testing Session Four.
No LNK file or Jump List entry was created or modified when an individual file was copied, an individual file was renamed, or multiple files were simultaneously copied from one device to another without the files first being opened (Session One, Session Two and Session Five). No LNK file or Jump List entry was created or modified when an individual file or multiple files were simultaneously moved from one device to another (Session One and Session Two).
Based on this inconsistency, other forensic artifacts such as ShellBags [4] should be used to analyze the opening of folders on a system under examination (Session One, Session Two).
Finally, the data recorded in LNK files and Jump List entries was not always consistent as to whether the target file timestamps and the target file size were recorded.

November 6.

References
Antonovich, Chris. April. Jump List Forensics.
Lee, Rob.
Lee, Rob, and Chad Tillbury.
Parsonage, Harry. Updated July. Research, computerforensics parsonage.
Patrick Leahy Center for Digital Investigation. Windows 10 Forensics.
Singh, Bhupendra, and Singh, Upasna. Research, Elsevier.
Trent, Rod. July.