Difference between pages "Upcoming events" and "Jump Lists"

From Forensics Wiki
(Difference between pages)
(Calls For Papers)
 
(Structure)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
{{expand}}
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
'''Jump Lists''' are a feature found in Windows 7.
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
== Jump Lists ==
 +
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.
  
This listing is divided into four sections (described as follows):<br>
+
Jump Lists come in multiple flavors:
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
* automatic (autodest, or *.automaticDestinations-ms) files
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
* custom (custdest, or *.customDestinations-ms) files
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv. 
+
Autodest files are created by the operating system.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
The Jump Lists are located in the user profile path:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
<pre>
|- style="background:#bfbfbf; font-weight: bold"
+
C:\Users\%USERNAME%\Recent\AppData\Roaming\Microsoft\Windows\Recent\
! Title
+
</pre>
! Due Date
+
! Website
+
|-
+
|17th USENIX Security Symposium
+
|Jan 30, 2008 (11:59 PM PST)
+
|http://www.usenix.org/sec08/cfp/
+
|-
+
|JDFSL - Special Issue on Security Issues in Online Communities
+
|Jan 31, 2008
+
|http://www.jdfsl.org/cfp-special-issue.htm
+
|-
+
|ADFSL 2008 Conference on Digital Forensics, Security and Law
+
|Jan 31, 2008 (Extended deadline)
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|Black Hat Europe 2008 Briefings
+
|Feb 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|IEEE/SADFE-2008
+
|Feb 01, 2008
+
|http://conf.ncku.edu.tw/sadfe/sadfe08/cfp.html
+
|-
+
|Black Hat USA 2008 Briefings
+
|OPEN ON Feb 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|3rd International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|Feb 01, 2008
+
|http://conf.ncku.edu.tw/sadfe/sadfe08/cfp.html
+
|-
+
|USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08)
+
|Feb 11, 2008
+
|http://www.usenix.org/events/leet08/cfp/
+
|-
+
|2008 International Workshop on Digital Crime and Forensics in conjunction with The Fourth International Conference on Intelligent Information Hiding and Multimedia Signal Processing
+
|Feb 15, 2008
+
|http://www.dcs.warwick.ac.uk/~ctli/CFP_IWDCF2008.html
+
|-
+
|Cyber Security and Information Intelligence Research Workshop (CSIIRW-08)
+
|Mar 03, 2008
+
|http://www.ioc.ornl.gov/csiirw/
+
|-
+
|LayerOne 2008 Information Technology Conference
+
|Mar 15, 2008
+
|http://layerone.info/
+
|-
+
|International Journal on Digital Crime and Forensics (Inaugural Issue)
+
|Mar 15, 2008
+
|http://www.dcs.warwick.ac.uk/~ctli/IJDCF_Submission_Guidelines.html
+
|-
+
|Digital Forensic Research Workshop (DFRWS) 2008
+
|Mar 17, 2008
+
|http://www.dfrws.org/2008/cfp.shtml
+
|-
+
|11th International Symposium on Recent Advances in Intrusion Detection
+
|Apr 04, 2008
+
|http://www.ll.mit.edu/IST/RAID2008/index.html
+
|-
+
|Black Hat Japan 2008 Briefings
+
|OPEN ON May 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|Techno-Security 2008
+
|May 04, 2008
+
|http://www.techsec.com/html/TechnoPapers.html
+
|-
+
|4th International Conference on IT Incident Management & IT Forensics
+
|Jun 01, 2008
+
|http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2008/cfp_en.html
+
|-
+
|}
+
  
== Conferences ==
+
Where the autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest Jump Lists in the customDestinations subdirectory.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location
+
! Website
+
|-
+
|4th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 27-30, Kyoto, Japan
+
|http://www.ifip119-kyoto.org/doku.php
+
|-
+
|ShmooCon
+
|Feb 15-17, Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|AAFS Annual Meeting 2008
+
|Feb 18-23, Washington, DC
+
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|Blackhat DC 2008 Briefings & Training
+
|Feb 18-21, Washington, DC
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|International Workshop on Digital Forensics (WSDF’08) in Conjunction with ARES 2008
+
|Mar 04–07, Polytechnic University of Catalonia, Barcelona, Spain
+
|http://www.ares-conference.eu/conf/index.php?option=com_content&task=view&id=45
+
|-
+
|InfoSec World Conference
+
|Mar 10-12, Orlando, FL
+
|http://www.misti.com/default.asp?page=65&Return=70&ProductID=5539
+
|-
+
|CanSecWest Security Conference 2008
+
|Mar 19-21, Vanouver, BC, Canada
+
|http://cansecwest.com/
+
|-
+
|Blackhat Europe 2008 Briefings & Training
+
|Mar 25-28, Amsterdam, Netherlands
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|RSA Conference 2008
+
|Apr 07-11, San Francisco, CA
+
|http://www.rsaconference.com/2008/US/Home.aspx
+
|-
+
|2008 National OPSEC Conference
+
|Apr 07-11, Denver, CO
+
|http://www.nsa.gov/ia/events/conferences/index.cfm?ConferenceID=53
+
|-
+
|USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08) Botnets, Spyware, Worms, and More
+
|Apr 15, San Francisco, CA
+
|http://www.usenix.org/events/leet08/index.html
+
|-
+
|ADFSL 2008 Conference on Digital Forensics, Security and Law
+
|Apr 23-25, Oklahoma City, OK
+
|http://www.digitalforensics-conference.org
+
|-
+
|CEIC 2008 Computer & Enterprise Investigations Conference
+
|Apr 27-30, Las Vegas, NV
+
|http://www.ceicconference.com/
+
|-
+
|Microsoft Law Enforcement Tech Conference 2008
+
|Apr 28-30, Redmond, Washington
+
|-
+
|HTCIA/ASIS High Technology Crime Conference
+
|May 06-08, San Francisco, CA
+
|http://htciatraining.org/general_info.asp
+
|-
+
|Fourth Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW-08)
+
|May 12-14, Oak Ridge, TN
+
|http://www.ioc.ornl.gov/csiirw
+
|-
+
|LayerOne 2008 Information Technology Conference
+
|May 17-18, Los Angeles, CA
+
|http://layerone.info
+
|-
+
|EuSecWest Security Conference 2008
+
|May 21-22, London, England
+
|http://eusecwest.com/
+
|-
+
|3rd International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|May 22, Oakland, CA
+
|http://conf.ncku.edu.tw/sadfe/sadfe08/
+
|-
+
|Techno-Security 2008
+
|Jun 01-04, Myrtle Beach, SC
+
|http://www.techsec.com/html/Techno2008.html
+
|-
+
|Gartner IT Security Summit
+
|Jun 02-04, Washington, DC
+
|http://www.gartner.com/it/page.jsp?id=507478&tab=overview
+
|-
+
|6th International Conference on Applied Cryptography and Network Security
+
|Jun 03-06, Columbia University, New York City, NY
+
|http://acns2008.cs.columbia.edu/
+
|-
+
|Usenix Annual Technical Conference
+
|Jun 22-27, Boston, MA
+
|http://www.usenix.com/events/usenix08/
+
|-
+
|International Association of Forensic Sciences Annual Meeting
+
|Jul 21-26, New Orleans, LA
+
|http://www.iafs2008.com/
+
|-
+
|17th USENIX Security Symposium
+
|Jul 28-Aug 01, San Jose, CA
+
|http://www.usenix.org/events/sec08/
+
|-
+
|Blackhat USA 2008 Briefings & Training
+
|Aug 02-07, Las Vegas, NV
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|Defcon 16
+
|Aug 08-10, Las Vegas, NV
+
|http://www.defcon.org
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 11-13, Baltimore, MD
+
|http://www.dfrws.org
+
|-
+
|International Workshop on Digital Crime and Forensics in conjunction w/4th International Conference on Intelligent Information Hiding and Multimedia Signal Processing
+
|Aug 15-17, Harbin, China
+
|http://www.dcs.warwick.ac.uk/~ctli/CFP_IWDCF2008.html
+
|-
+
|11th International Symposium on Recent Advances in Intrusion Detection
+
|Sep 15-17, Cambridge, MA
+
|http://www.ll.mit.edu/IST/RAID2008/
+
|-
+
|2008 HTCIA International Training Conference
+
|Oct 22-28, Atlantic City, NJ
+
|http://www.htcia.org/conference.shtml
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
<b>Note</b>: Jump Lists can prove to be considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system.  In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., [http://www.cyberspeak.libsyn.com: CyberSpeak podcasts]) were launched via iTunes.  The Jump Lists persisted after the iTunes was removed from the system.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
=== AutomaticDestinations ===
! Title
+
Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
! Date/Location or Venue
+
 
! Website
+
Files: *.automaticDestinations-ms
|-
+
 
|Basic Computer Examiner Course - Computer Forensic Training Online
+
==== Structure ====
|Distance Learning Format
+
The autodest files are [[OLE Compound File|OLE Compound Files]] containing multiple streams of which:
|http://www.cftco.com
+
* hexadecimal numbered, e.g. "1a"
|-
+
* DestList
|Linux Data Forensics Training
+
 
|Distance Learning Format
+
Each of the hexadecimal numbered streams contains data similar of that of a [[LNK|Windows Shortcut]]. One could extract all the streams and analyze them with a LNK parser.
|http://www.crazytrain.com/training.html
+
 
|-
+
The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contains the following information at the corresponding offsets:
|SANS On-Demand Training
+
 
|Distance Learning Format
+
<table border="1">
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
|-
+
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
|MaresWare Suite Training
+
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
|First full week every month, Atlanta, GA
+
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
|http://www.maresware.com/maresware/training/maresware.htm
+
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
|-
+
</table>
|Evidence Recovery for Windows Vista&trade;
+
 
|First full week every month, Brunswick, GA
+
=== CustomDestinations ===
|http://www.internetcrimes.net
+
Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
|-
+
 
|Evidence Recovery for Windows Server&reg; 2003 R2
+
Files: *.customDestinations-ms
|Second full week every month, Brunswick, GA
+
 
|http://www.internetcrimes.net
+
==== Structure ====
|-
+
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format segments.
|Evidence Recovery for the Windows XP&trade; operating system
+
 
|Third full week every month, Brunswick, GA
+
== See also ==
|http://www.internetcrimes.net
+
* [[List of Jump List IDs]]
|-
+
* [[OLE Compound File]]
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
* [[Windows]]
|Third weekend of every month (Fri-Mon), Dallas, TX
+
 
|http://www.md5group.com
+
== External Links ==
|-
+
* [http://www.codeproject.com/Articles/36561/Windows-7-Goodies-in-C-Jump-Lists Windows 7 Goodies in C++: Jump Lists], by [[Michael Dunn]], May 19, 2009
|}
+
* [http://www.alexbarnett.com/jumplistforensics.pdf The Forensic Value of the Windows 7 Jump List], by [[Alexander G Barnett]], April 18, 2011
==[[Scheduled Training Courses]]==
+
* [http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public Forensic Examination of Windows 7 Jump Lists], by [[Troy Larson]], June 6, 2011
 +
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], August 17, 2011
 +
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis-pt-ii.html Jump List Analysis, pt II], by [[Harlan Carvey]], August 24, 2011
 +
* [http://windowsir.blogspot.ch/2011/12/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], December 28, 2011
 +
* [http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/ Forensic Analysis of Windows 7 Jump Lists], by [[Rob Lyness]], October 2012
 +
 
 +
== Tools ==
 +
* [http://www.woanware.co.uk/?p=265 Woanware: JumpLister]. Tool to view the information within the numbered streams of each autodest file.
 +
* [http://tzworks.net/prototype_page.php?proto_id=20 TZWorks LLC: Windows Jump List Parser (jmp)]. Also has a tool that can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that can run in Windows, Linux or Mac OS-X.
 +
 
 +
[[Category:Windows]]
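
Review bot: the user profile path added under "The Jump Lists are located in the user profile path:" reads C:\Users\%USERNAME%\Recent\AppData\Roaming\Microsoft\Windows\Recent\, which has an extra \Recent directly after %USERNAME% and disagrees with the AutomaticDestinations and CustomDestinations paths added further down in the same revision (both begin C:\Users\%USERNAME%\AppData\Roaming\...). Suggest dropping the first \Recent so all three paths agree. In the DestList table, the listed fields leave bytes 0x00-0x47 and 0x60-0x63 of the 114-byte structure undescribed; a sentence saying those ranges are not yet understood would keep readers from assuming the table is complete.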

Revision as of 09:22, 10 February 2013

Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in multiple flavors:

  • automatic (autodest, or *.automaticDestinations-ms) files
  • custom (custdest, or *.customDestinations-ms) files

Autodest files are created by the operating system.

The Jump Lists are located in the user profile path:

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\

The autodest Jump Lists are located in the AutomaticDestinations subdirectory, and the custdest Jump Lists in the CustomDestinations subdirectory.

Note: Jump Lists can prove to be of considerable value during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., CyberSpeak podcasts) were launched via iTunes. The Jump Lists persisted after iTunes was removed from the system.

AutomaticDestinations

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

Structure

The autodest files are OLE Compound Files containing multiple streams, of two kinds:

  • hexadecimal numbered, e.g. "1a"
  • DestList

Each of the hexadecimal numbered streams contains data similar to that of a Windows Shortcut (LNK) file. One could extract all the streams and analyze them with a LNK parser.

The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable-length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

Offset  Size      Description
0x48    16 bytes  NetBIOS name of the system; padded with zeros to 16 bytes
0x58    8 bytes   Stream number; corresponds to the numbered stream within the jump list
0x64    8 bytes   FILETIME object
0x70    2 bytes   Number of Unicode characters in the string that follows
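
The DestList layout above, walked entry by entry, as an added example (not code from the wiki or from any of the tools it lists). It assumes little-endian integer fields and a UTF-16LE string of two bytes per character, neither of which the page states; the host name, paths and timestamps in the sample are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32   # DestList header size given on the page
ENTRY_SIZE = 114   # fixed part of each entry (0x72 bytes), per the page
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def parse_destlist(data):
    """Parse a DestList stream; returns one dict per complete entry."""
    entries, pos = [], HEADER_SIZE
    while pos + ENTRY_SIZE <= len(data):
        # Assumption: all integer fields are little-endian.
        stream_no, = struct.unpack_from("<Q", data, pos + 0x58)
        filetime, = struct.unpack_from("<Q", data, pos + 0x64)
        n_chars, = struct.unpack_from("<H", data, pos + 0x70)
        end = pos + ENTRY_SIZE + 2 * n_chars  # assumption: UTF-16LE, 2 bytes/char
        if end > len(data):
            break  # length field runs past the stream: truncated or corrupt
        host = data[pos + 0x48:pos + 0x58].split(b"\x00", 1)[0]
        entries.append({
            "hostname": host.decode("ascii", "replace"),
            "stream": format(stream_no, "x"),  # name of the numbered stream
            "timestamp": EPOCH_1601 + timedelta(microseconds=filetime // 10),
            "path": data[pos + ENTRY_SIZE:end].decode("utf-16-le", "replace"),
        })
        pos = end
    return entries


def build_entry(host, stream_no, when, path):
    """Build one constructed entry (test data only, not from a real system)."""
    fixed = bytearray(ENTRY_SIZE)
    fixed[0x48:0x58] = host.encode("ascii").ljust(16, b"\x00")
    delta = when - EPOCH_1601
    struct.pack_into("<Q", fixed, 0x58, stream_no)
    struct.pack_into("<Q", fixed, 0x64, (delta.days * 86400 + delta.seconds) * 10**7)
    struct.pack_into("<H", fixed, 0x70, len(path))
    return bytes(fixed) + path.encode("utf-16-le")


# Constructed sample: zeroed 32-byte header plus two entries.
SAMPLE = bytes(HEADER_SIZE) + build_entry(
    "WORKSTATION1", 0x1A, datetime(2011, 8, 17, 12, 0, tzinfo=timezone.utc),
    r"C:\Users\examiner\Music\episode1.mp3",
) + build_entry(
    "WORKSTATION1", 0x2, datetime(2011, 8, 24, 9, 30, tzinfo=timezone.utc),
    r"C:\Users\examiner\Music\episode2.mp3",
)

if __name__ == "__main__":
    for e in parse_destlist(SAMPLE):
        print(e["stream"], e["timestamp"].isoformat(), e["hostname"], e["path"])
```

The "stream" value is the hexadecimal name of the numbered stream in the same file, so each DestList entry can be paired with the LNK data extracted from that stream.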

CustomDestinations

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Files: *.customDestinations-ms

Structure

Custdest files reportedly follow a structure of sequential MS-SHLLINK binary format segments.

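See also

  • List of Jump List IDs
  • OLE Compound File
  • Windows

External Links

  • Windows 7 Goodies in C++: Jump Lists (http://www.codeproject.com/Articles/36561/Windows-7-Goodies-in-C-Jump-Lists), by Michael Dunn, May 19, 2009
  • The Forensic Value of the Windows 7 Jump List (http://www.alexbarnett.com/jumplistforensics.pdf), by Alexander G Barnett, April 18, 2011
  • Forensic Examination of Windows 7 Jump Lists (http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public), by Troy Larson, June 6, 2011
  • Jump List Analysis (http://windowsir.blogspot.ch/2011/08/jump-list-analysis.html), by Harlan Carvey, August 17, 2011
  • Jump List Analysis, pt II (http://windowsir.blogspot.ch/2011/08/jump-list-analysis-pt-ii.html), by Harlan Carvey, August 24, 2011
  • Jump List Analysis (http://windowsir.blogspot.ch/2011/12/jump-list-analysis.html), by Harlan Carvey, December 28, 2011
  • Forensic Analysis of Windows 7 Jump Lists (http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/), by Rob Lyness, October 2012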

Tools

  • Woanware: JumpLister. Tool to view the information within the numbered streams of each autodest file.
  • TZWorks LLC: Windows Jump List Parser (jmp). A tool that can parse both the custom and automatic Destinations file types. For automaticDestinations it associates the MRU/MFU metadata with the SHLLINK metadata. Versions of the tool are available for Windows, Linux and Mac OS X.