Difference between revisions of "Jump Lists"

From ForensicsWiki
Latest revision as of 02:25, 12 February 2013


Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in multiple flavors:

  • automatic (autodest, or *.automaticDestinations-ms) files
  • custom (custdest, or *.customDestinations-ms) files

Autodest files are created by the operating system.

The Jump Lists are located in the user profile path:

C:\Users\%USERNAME%\Recent\AppData\Roaming\Microsoft\Windows\Recent\

The autodest Jump Lists are stored in the AutomaticDestinations subdirectory, and the custdest Jump Lists in the CustomDestinations subdirectory.

Note: Jump Lists can prove considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., CyberSpeak podcasts) were launched via iTunes. The Jump Lists persisted after iTunes was removed from the system.

AutomaticDestinations

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

Structure

The autodest files are OLE Compound Files containing multiple streams, of the following kinds:

  • hexadecimal numbered, e.g. "1a"
  • DestList

Each of the hexadecimal numbered streams contains data similar to that of a Windows Shortcut (LNK). One could extract all the streams and analyze them individually with a LNK parser.

The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by one structure for each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

Offset  Size      Description
0x48    16 bytes  NetBIOS name of the system; padded with zeros to 16 bytes
0x58    8 bytes   Stream number; corresponds to the numbered stream within the jump list
0x64    8 bytes   FILETIME object
0x70    2 bytes   Number of Unicode characters in the string that follows
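As an added example (not code from the ForensicsWiki page nor from any of the tools listed below), the following Python walks a DestList stream laid out exactly as the table above describes: a 32-byte header, then 114-byte entries each followed by the UTF-16 path whose character count sits at 0x70. It assumes the DestList stream bytes have already been extracted from the OLE compound file (for instance with an OLE/CFB library); the stream used here is constructed sample data, and the hostname, paths and timestamps are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32   # DestList header size stated on the page
ENTRY_SIZE = 114   # fixed part of each DestList entry, then a UTF-16LE string
# Field offsets inside the fixed part, as given in the table above
OFF_NETBIOS, OFF_STREAM, OFF_FILETIME, OFF_STRLEN = 0x48, 0x58, 0x64, 0x70


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_destlist(data):
    """Walk a DestList stream: 32-byte header, then 114-byte entries, each
    followed by a path whose UTF-16 character count sits at offset 0x70."""
    entries, pos = [], HEADER_SIZE
    while pos + ENTRY_SIZE <= len(data):
        fixed = data[pos:pos + ENTRY_SIZE]
        nchars = struct.unpack_from("<H", fixed, OFF_STRLEN)[0]
        path = data[pos + ENTRY_SIZE:pos + ENTRY_SIZE + nchars * 2]
        if len(path) < nchars * 2:
            break  # truncated entry: stop rather than misparse the tail
        stream_no = struct.unpack_from("<Q", fixed, OFF_STREAM)[0]
        entries.append({
            "host": fixed[OFF_NETBIOS:OFF_NETBIOS + 16].rstrip(b"\0").decode("ascii", "replace"),
            "stream": format(stream_no, "x"),  # name of the matching numbered stream, e.g. "1a"
            "time": filetime_to_datetime(struct.unpack_from("<Q", fixed, OFF_FILETIME)[0]),
            "path": path.decode("utf-16-le"),
        })
        pos += ENTRY_SIZE + nchars * 2
    return entries


def build_entry(host, stream_no, filetime, path):
    """Lay out one entry per the table; used only to construct sample data."""
    fixed = bytearray(ENTRY_SIZE)
    fixed[OFF_NETBIOS:OFF_NETBIOS + 16] = host.encode("ascii").ljust(16, b"\0")
    struct.pack_into("<Q", fixed, OFF_STREAM, stream_no)
    struct.pack_into("<Q", fixed, OFF_FILETIME, filetime)
    struct.pack_into("<H", fixed, OFF_STRLEN, len(path))
    return bytes(fixed) + path.encode("utf-16-le")


# Constructed sample stream (not taken from a real system); FT_2011 is 2011-01-01 00:00 UTC
FT_2011 = 129383136000000000
SAMPLE = (bytes(HEADER_SIZE)
          + build_entry("WIN7-PC", 0x1a, FT_2011, "C:\\Users\\user\\Documents\\notes.docx")
          + build_entry("WIN7-PC", 3, FT_2011 + 600 * 10_000_000, "D:\\budget.xlsx"))
```

parse_destlist(SAMPLE) returns two entries whose "stream" values ("1a" and "3") name the numbered streams holding the matching LNK data, so each DestList record can be joined to its shortcut.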

CustomDestinations

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Files: *.customDestinations-ms

Structure

Custdest files reportedly follow a structure of sequential MS-SHLLINK binary format segments.

See also

  • List of Jump List IDs
  • OLE Compound File
  • Windows

External Links

  • Windows 7 Goodies in C++: Jump Lists, by Michael Dunn, May 19, 2009 (http://www.codeproject.com/Articles/36561/Windows-7-Goodies-in-C-Jump-Lists)
  • Jump Lists in Windows 7 and Possible Forensic Implementations, by Mike Ahrendt, April 3, 2011 (http://mikeahrendt.blogspot.ch/2011/04/jump-lists-in-windows-7-and-possible.html)
  • The Forensic Value of the Windows 7 Jump List, by Alexander G Barnett, April 18, 2011 (http://www.alexbarnett.com/jumplistforensics.pdf)
  • Forensic Examination of Windows 7 Jump Lists, by Troy Larson, June 6, 2011 (http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public)
  • Jump List Analysis, by Harlan Carvey, August 17, 2011 (http://windowsir.blogspot.ch/2011/08/jump-list-analysis.html)
  • Jump List Analysis, pt II, by Harlan Carvey, August 24, 2011 (http://windowsir.blogspot.ch/2011/08/jump-list-analysis-pt-ii.html)
  • Jump List Analysis, by Harlan Carvey, December 28, 2011 (http://windowsir.blogspot.ch/2011/12/jump-list-analysis.html)
  • Forensic Analysis of Windows 7 Jump Lists, by Rob Lyness, October 2012 (http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/)

Tools

  • TZWorks LLC: Windows Jump List Parser (jmp). A tool that can parse both the custom and automatic Destinations file types. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. Versions of the tool run on Windows, Linux and Mac OS X.
  • Woanware: JumpLister. A tool to view the information within the numbered streams of each autodest file.