Difference between pages "Jump Lists" and "Bulk Extractor Viewer"

From Forensics Wiki

{{expand}}
'''Jump Lists''' are a feature found in Windows 7.
  
== Jump Lists ==
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in multiple flavors:
* automatic (autodest, or *.automaticDestinations-ms) files
* custom (custdest, or *.customDestinations-ms) files

Autodest files are created by the operating system.

The Jump Lists are located in the user profile path:
<pre>
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\
</pre>

The autodest Jump Lists are located in the AutomaticDestinations subdirectory, and the custdest Jump Lists in the CustomDestinations subdirectory.

<b>Note</b>: Jump Lists can prove to be considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., [http://www.cyberspeak.libsyn.com CyberSpeak podcasts]) were launched via iTunes. The Jump Lists persisted after iTunes was removed from the system.

=== AutomaticDestinations ===
Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

==== Structure ====
The autodest files are [[OLE Compound File|OLE Compound Files]] containing multiple streams, including:
* hexadecimal numbered streams, e.g. "1a"
* DestList

Each of the hexadecimal numbered streams contains data similar to that of a [[LNK|Windows Shortcut (LNK)]]. One could extract all the streams and analyze them individually with a LNK parser.

The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by one structure for each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable-length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

<table border="1">
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768 FILETIME] object</td> </tr>
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows</td> </tr>
</table>
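As an added example (it is not part of either wiki page and not a tool from any of the authors listed below), the following Python parses a DestList stream using only the layout described above: a 32-byte header, then 114-byte entries each followed by a UTF-16LE string. It assumes, as holds for Windows 7 autodest files, that the table offsets are relative to the start of each entry, that the stream number and FILETIME are little-endian, and that the string length counts UTF-16 code units. Extracting the DestList stream from the OLE compound file is out of scope here (any OLE parser can do it), so the example builds a synthetic DestList from constructed test data, parses it back, and rejects an entry whose character count runs past the end of the stream, which is what a truncated or corrupted file looks like in practice.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32       # DestList stream header (per the structure description)
ENTRY_SIZE = 114       # fixed-size part of each entry, before the Unicode string
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(ts):
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float rounding."""
    delta = ts - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_destlist(data):
    """Parse a DestList stream (Windows 7 layout) into a list of entry dicts."""
    if len(data) < HEADER_SIZE:
        raise ValueError("DestList stream shorter than its 32-byte header")
    entries = []
    pos = HEADER_SIZE
    while pos + ENTRY_SIZE <= len(data):
        entry = data[pos:pos + ENTRY_SIZE]
        # Offsets below are relative to the start of this entry (assumption stated in lead-in).
        netbios = entry[0x48:0x58].rstrip(b"\x00").decode("ascii", "replace")
        stream_no = struct.unpack_from("<Q", entry, 0x58)[0]
        filetime = struct.unpack_from("<Q", entry, 0x64)[0]
        nchars = struct.unpack_from("<H", entry, 0x70)[0]
        # The path string follows the fixed part; bounds-check the declared length
        # so a truncated or tampered stream raises instead of returning garbage.
        str_start = pos + ENTRY_SIZE
        str_end = str_start + nchars * 2
        if str_end > len(data):
            raise ValueError(f"entry at offset {pos:#x} declares {nchars} chars past end of stream")
        path = data[str_start:str_end].decode("utf-16-le", "replace")
        entries.append({
            "netbios_name": netbios,
            "stream_name": f"{stream_no:x}",   # numbered streams are named in hex, e.g. "1a"
            "timestamp": filetime_to_datetime(filetime),
            "path": path,
        })
        pos = str_end
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes after last complete entry")
    return entries


def build_entry(netbios, stream_no, timestamp, path):
    """Build one synthetic DestList entry (constructed test data, not from a real system)."""
    entry = bytearray(ENTRY_SIZE)
    entry[0x48:0x58] = netbios.encode("ascii")[:16].ljust(16, b"\x00")
    struct.pack_into("<Q", entry, 0x58, stream_no)
    struct.pack_into("<Q", entry, 0x64, datetime_to_filetime(timestamp))
    struct.pack_into("<H", entry, 0x70, len(path))
    return bytes(entry) + path.encode("utf-16-le")


# Constructed sample stream: zeroed 32-byte header plus two entries. Host name,
# stream numbers, timestamps and paths are invented for the example.
SAMPLE_DESTLIST = bytes(HEADER_SIZE) + build_entry(
    "WIN7-LAB", 0x1A,
    datetime(2011, 8, 17, 14, 30, 0, tzinfo=timezone.utc),
    "C:\\Users\\analyst\\Music\\podcast-episode.mp3",
) + build_entry(
    "WIN7-LAB", 0x1B,
    datetime(2011, 8, 17, 14, 35, 0, tzinfo=timezone.utc),
    "C:\\Users\\analyst\\Documents\\report.docx",
)

if __name__ == "__main__":
    for e in parse_destlist(SAMPLE_DESTLIST):
        print(e["stream_name"], e["netbios_name"], e["timestamp"].isoformat(), e["path"])
```

Each parsed entry's `stream_name` is the name of the numbered stream in the same compound file, so the DestList timestamp and host name can be joined to the LNK-like data of that stream when correlating a Jump List with other artifacts.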
=== CustomDestinations ===
Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Files: *.customDestinations-ms

==== Structure ====
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx MS-SHLLINK] binary format segments.

== See also ==
* [[List of Jump List IDs]]
* [[OLE Compound File]]
* [[Windows]]

 
== External Links ==
* [http://www.codeproject.com/Articles/36561/Windows-7-Goodies-in-C-Jump-Lists Windows 7 Goodies in C++: Jump Lists], by [[Michael Dunn]], May 19, 2009
 
* [http://mikeahrendt.blogspot.ch/2011/04/jump-lists-in-windows-7-and-possible.html Jump Lists in Windows 7 and Possible Forensic Implementations], by [[Mike Ahrendt]], April 3, 2011
 
* [http://www.alexbarnett.com/jumplistforensics.pdf The Forensic Value of the Windows 7 Jump List], by [[Alexander G Barnett]], April 18, 2011
 
* [http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public Forensic Examination of Windows 7 Jump Lists], by [[Troy Larson]], June 6, 2011
 
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], August 17, 2011
 
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis-pt-ii.html Jump List Analysis, pt II], by [[Harlan Carvey]], August 24, 2011
 
* [http://windowsir.blogspot.ch/2011/12/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], December 28, 2011
 
* [http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/ Forensic Analysis of Windows 7 Jump Lists], by [[Rob Lyness]], October 2012
 
 
== Tools ==
 
* [http://tzworks.net/prototype_page.php?proto_id=20 TZWorks LLC: Windows Jump List Parser (jmp)]. Also has a tool that can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that can run in Windows, Linux or Mac OS-X.
 
* [http://www.woanware.co.uk/?p=265 Woanware: JumpLister]. Tool to view the information within the numbered streams of each autodest file.
 
  
[[Category:Windows]]

== Bulk Extractor Viewer ==

Revision as of 18:35, 1 December 2011

Bulk Extractor Viewer
Maintainer: Bruce Allen
OS: Linux, Windows, Mac OS X
Genre: Analysis
License: Public Domain
Website: domex.nps.edu/deep/Bulk_Extractor.html

Bulk Extractor Viewer (BEViewer) is a User Interface for browsing features that have been extracted via the Bulk Extractor tool. BEViewer supports browsing multiple images and bookmarking and exporting features. BEViewer also provides a UI for launching Bulk Extractor scans.

== External Links ==

* [https://domex.nps.edu/deep/Bulk_Extractor.html Official website]