Difference between revisions of "Jump Lists"

From ForensicsWiki
Jump Lists are a feature found in Windows 7.

== Jump Lists ==
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in multiple flavors:
* automatic (autodest, or *.automaticDestinations-ms) files
* custom (custdest, or *.customDestinations-ms) files
* Explorer StartPage2 ProgramsCache Registry values
  
 
=== AutomaticDestinations ===
The AutomaticDestinations Jump List files are located in the user profile path:

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

==== Structure ====
The AutomaticDestinations Jump List files are [[OLE Compound File|OLE Compound Files]] (the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx MS-CFB] compound file binary format) containing multiple streams, namely:
* hexadecimal numbered streams, e.g. "1a"
* a "DestList" stream

Each of the hexadecimal numbered streams contains data similar to that of a [[LNK|Windows Shortcut (LNK)]] and follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx MS-SHLLINK] binary format specification. One could extract all the streams and analyze them individually with a LNK parser.

The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets (only the documented fields are listed; note that 0x72 equals 114, so the path string immediately follows the fixed-size part):

{| class="wikitable"
|-
! Offset
! Size
! Description
|-
| 0x48
| 16 bytes
| NetBIOS name of the system; padded with zeros to 16 bytes
|-
| 0x58
| 8 bytes
| Stream number; corresponds to the numbered stream within the jump list
|-
| 0x64
| 8 bytes
| Last modification time, contains a [http://msdn2.microsoft.com/en-us/library/ms724284.aspx FILETIME] structure
|-
| 0x70
| 2 bytes
| Path string size, the number of characters (UTF-16 words) of the path string
|-
| 0x72
| ...
| Path string
|}
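As an added example (not code from the original page or from any of the tools listed below), the following Python walks a DestList stream using only the offsets in the table above; the sample stream, host name and paths are constructed here rather than taken from a real jump list, and the bytes of the 114-byte structure that the table does not describe are left zero.

```python
import struct
from datetime import datetime, timedelta, timezone
HEADER_SIZE = 32   # DestList header, per the description above
ENTRY_SIZE = 114   # fixed part of each entry; the path string at 0x72 (== 114) follows it
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME: 100 ns ticks since here

def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample below."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_destlist(data):
    """Return one dict per DestList entry, decoding only the fields in the table above.
    A path string running past the end of the stream raises ValueError instead of
    silently yielding a partial path, which matters when carving damaged files."""
    entries, offset = [], HEADER_SIZE
    while offset + ENTRY_SIZE <= len(data):
        fixed = data[offset:offset + ENTRY_SIZE]
        path_chars = struct.unpack_from("<H", fixed, 0x70)[0]
        path_start = offset + ENTRY_SIZE
        path_end = path_start + path_chars * 2     # UTF-16: two bytes per character
        if path_end > len(data):
            raise ValueError("truncated DestList entry at offset 0x%x" % offset)
        entries.append({
            "netbios_name": fixed[0x48:0x58].rstrip(b"\x00").decode("ascii", "replace"),
            "stream_number": struct.unpack_from("<Q", fixed, 0x58)[0],
            "modified": filetime_to_datetime(struct.unpack_from("<Q", fixed, 0x64)[0]),
            "path": data[path_start:path_end].decode("utf-16-le"),
        })
        offset = path_end
    return entries

def build_entry(netbios, stream_number, modified, path):
    """Build one constructed entry; bytes this page does not describe stay zero."""
    fixed = bytearray(ENTRY_SIZE)
    fixed[0x48:0x58] = netbios.encode("ascii").ljust(16, b"\x00")
    struct.pack_into("<Q", fixed, 0x58, stream_number)
    struct.pack_into("<Q", fixed, 0x64, datetime_to_filetime(modified))
    encoded = path.encode("utf-16-le")
    struct.pack_into("<H", fixed, 0x70, len(encoded) // 2)
    return bytes(fixed) + encoded

# Constructed sample stream (not a real jump list): zeroed header plus two entries.
SAMPLE = bytes(HEADER_SIZE) + build_entry(
    "WORKSTN1", 0x1a, datetime(2016, 12, 27, 16, 13, tzinfo=timezone.utc),
    r"C:\Users\alice\Documents\report.docx") + build_entry(
    "WORKSTN1", 2, datetime(2011, 8, 17, 9, 0, tzinfo=timezone.utc), r"D:\notes.txt")
```

On a real file the DestList stream is first extracted from the compound file with an OLE parser; the constructed SAMPLE stands in for that stream here.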
  
 
=== CustomDestinations ===
The CustomDestinations Jump List files are located in the user profile path:

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Files: *.customDestinations-ms

==== Structure ====
CustomDestinations Jump List files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx MS-SHLLINK] binary format segments.

== See also ==
* [[List of Jump List IDs]]
* [[OLE Compound File]]
* [[Windows]]

== External Links ==
* [http://www.codeproject.com/Articles/36561/Windows-7-Goodies-in-C-Jump-Lists Windows 7 Goodies in C++: Jump Lists], by [[Michael Dunn]], May 19, 2009
* [http://mikeahrendt.blogspot.ch/2011/04/jump-lists-in-windows-7-and-possible.html Jump Lists in Windows 7 and Possible Forensic Implementations], by [[Mike Ahrendt]], April 3, 2011
* [http://www.alexbarnett.com/jumplistforensics.pdf The Forensic Value of the Windows 7 Jump List], by [[Alexander G Barnett]], April 18, 2011
* [http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public Forensic Examination of Windows 7 Jump Lists], by [[Troy Larson]], June 6, 2011
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], August 17, 2011
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis-pt-ii.html Jump List Analysis, pt II], by [[Harlan Carvey]], August 24, 2011
* [http://windowsir.blogspot.ch/2011/12/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], December 28, 2011
* [http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/ Forensic Analysis of Windows 7 Jump Lists], by [[Rob Lyness]], October 2012
* [https://github.com/libyal/assorted/blob/master/documentation/Jump%20lists%20format.asciidoc Jump lists format], by the [[libyal|libyal project]], July 2014
* [http://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html Jump lists in depth (includes changes from Windows 10)], by [[Eric Zimmerman]], February 2016

== Tools ==
* [[Belkasoft Evidence Center]]. One of the functions of this tool is the search for (including carving) and analysis of jump lists. A wide list of applications (Jump List IDs) is supported.
* [http://tzworks.net/prototype_page.php?proto_id=20 TZWorks LLC: Windows Jump List Parser (jmp)]. Parses both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that can run on Windows, Linux or Mac OS X.
* [http://www.woanware.co.uk/?p=265 Woanware: JumpLister]. Tool to view the information within the numbered streams of each autodest file.
* [[plaso]]
* [https://github.com/EricZimmerman/JumpList JumpList]. Parser written in C# with support through Windows 10 jump lists.
* [https://github.com/EricZimmerman/JLECmd JLECmd]. Command line tool using the above parser.

{{Windows}}
[[Category:Windows]]

Latest revision as of 16:13, 27 December 2016
