Difference between pages "Yahoo! Mail Header Format" and "Jump Lists"

From Forensics Wiki

== Yahoo! Mail Header Format ==

The '''Yahoo! Web Mail''' header format has changed over time, but currently includes the [[IP addresses in webmail messages|sender's IP address]], a DomainKey signature, and some other helpful information.

=== DomainKey-Signature ===
<pre>
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ql3kRKrhner1LTFFVBgCYI1uqK4+8hrb6d/Fefr/HkLuObQwIrIpEXA1OiagbuFZU+H+ue1anFvm1cHQ4hjpdUcjpIIPL7ldNL9YnOxauugdVW+
  OpbTvAu0XaGf2t7eBqOWJF0Y5gM7TE27WdElgVRikunfCQca1VFV6KSuQP0o=;
</pre>

Here is a sample mail header. Note that the 'date' field will change from (PDT) to (PST) depending on the status of daylight saving time in California, USA. The sender's IP address is represented as a.b.c.d in the example below.

=== Mail Header ===
<pre>
Received: from [a.b.c.d] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 14 Feb 2009 05:42:03 -0800 (PST)
From: Sender Name <sender@yahoo.com>
Reply-To: sender@yahoo.com
Subject: Test Message
To: recipient@domain.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>
</pre>

== Message IDs ==
The Message-ID header in Yahoo emails is a good identifier for the device that sent the message. Below are some samples:

Sent via the Yahoo!® Mail for Android application on Android (Jelly Bean):
<pre>Message-ID: <1332714176.54741.androidMobile@web141101.mail.bf1.yahoo.com></pre>

Sent via Yahoo Webmail from Chrome:
<pre>Message-ID: <1332793663.59921.YahooMailNeo@web121601.mail.bf1.yahoo.com></pre>

Sent via the Android browser through the mobile webmail interface:
<pre>Message-ID: <1332792527.64712.BPMail_high_noncarrier@web121601.mail.bf1.yahoo.com></pre>

Sent via the Android email application configured for SMTP (Jelly Bean):
<pre>Message-ID: <gf4yxl2u7us2lp89xkgbty9u.1342797846221@email.android.com></pre>

Sent via iPod (iOS 5.0.1):
<pre>Message-ID: <1341798412.80181.YahooMailMobile@web124306.mail.ne1.yahoo.com></pre>

[[Category:Email Analysis]]
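As an added example (not part of the wiki page), the following Python script does the header triage the page describes for a Yahoo! webmail message: it pulls the sender's IP address and the Yahoo web server from the first Received line, splits the DomainKey-Signature into its tag/value pairs (rejoining the folded b= signature), and attributes the Message-ID to a sending client using the tokens from the samples above. The sample header is constructed here from the page's example, with the RFC 5737 documentation address 203.0.113.5 standing in for a.b.c.d; the token-to-client mapping comes from this page's samples only, and any token not in it (such as the "qm" of the 2009 sample) is reported as unknown rather than guessed.

```python
import re
from email import message_from_string

# Constructed sample: the page's example header, with the RFC 5737 documentation
# address 203.0.113.5 standing in for the a.b.c.d sender IP.
SAMPLE_HEADER = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ql3kRKrhner1LTFFVBgCYI1uqK4+8hrb6d/Fefr/HkLuObQwIrIpEXA1OiagbuFZU+H+ue1anFvm1cHQ4hjpdUcjpIIPL7ldNL9YnOxauugdVW+
  OpbTvAu0XaGf2t7eBqOWJF0Y5gM7TE27WdElgVRikunfCQca1VFV6KSuQP0o=;
Received: from [203.0.113.5] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 14 Feb 2009 05:42:03 -0800 (PST)
From: Sender Name <sender@yahoo.com>
Reply-To: sender@yahoo.com
Subject: Test Message
To: recipient@domain.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>
"""

# Client tokens taken from the Message-ID samples on this page, mapped to the
# sending client the page attributes each one to. Any other token is reported
# as unknown rather than guessed.
YAHOO_CLIENT_TOKENS = {
    "androidMobile": "Yahoo! Mail for Android application",
    "YahooMailNeo": "Yahoo webmail in a desktop browser",
    "BPMail_high_noncarrier": "mobile webmail interface (Android browser)",
    "YahooMailMobile": "iOS device (iPod, iOS 5.0.1 in the page's sample)",
}

# Yahoo webmail's first Received hop: "from [sender-ip] by <webserver> via HTTP"
RECEIVED_RE = re.compile(r"from \[(?P<ip>[0-9.]+)\] by (?P<host>\S+) via HTTP")
# Yahoo Message-ID shape: <number.number.token@host>
YAHOO_MSGID_RE = re.compile(r"^<\d+\.\d+\.(?P<token>[A-Za-z_]+)@(?P<host>[^>]+)>$")


def parse_domainkey(value):
    """Split a DomainKey-Signature value into its tag=value pairs.

    Folded continuation lines are joined, and whitespace inside a value (the
    wrapped b= signature) is removed so the signature comes back as one string.
    """
    tags = {}
    for part in re.split(r";\s*", value.strip()):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def classify_message_id(msgid):
    """Attribute a Message-ID to a sending client using the page's samples."""
    msgid = msgid.strip()
    m = YAHOO_MSGID_RE.match(msgid)
    if m and m.group("host").endswith(".yahoo.com"):
        token = m.group("token")
        return {"token": token, "host": m.group("host"),
                "client": YAHOO_CLIENT_TOKENS.get(token, "unknown Yahoo client token")}
    if msgid.endswith("@email.android.com>"):
        return {"token": None, "host": "email.android.com",
                "client": "Android email application configured for SMTP"}
    return {"token": None, "host": None, "client": "not a recognised Yahoo Message-ID"}


def analyse_header(raw_header):
    """Pull the forensically useful fields out of a raw Yahoo webmail header."""
    msg = message_from_string(raw_header)
    result = {"sender_ip": None, "webmail_host": None, "x_mailer": msg.get("X-Mailer"),
              "domainkey": None, "message_id": None}
    # The first Received line written by Yahoo's web front end carries the client IP.
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(received.split()))
        if m:
            result["sender_ip"] = m.group("ip")
            result["webmail_host"] = m.group("host")
            break
    if msg.get("DomainKey-Signature"):
        result["domainkey"] = parse_domainkey(msg.get("DomainKey-Signature"))
    if msg.get("Message-ID"):
        result["message_id"] = classify_message_id(msg.get("Message-ID"))
    return result


if __name__ == "__main__":
    for key, value in analyse_header(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

The Received-line regex is deliberately narrow: it only accepts the "from [ip] by host via HTTP" shape Yahoo's web front end writes, so a message relayed through a different first hop yields no sender IP rather than a wrong one. The d= and s= tags of the DomainKey signature identify the signing domain and selector, which is what you would use to confirm the header was actually produced by Yahoo's infrastructure rather than forged.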

Jump Lists

Revision as of 08:15, 28 December 2011

Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors: automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system.

Jump Lists are located in the user profile path, in the C:\Users\user\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.

Author's Note: Jump Lists can prove to be considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., CyberSpeak podcasts, http://www.cyberspeak.libsyn.com) were launched via iTunes. The Jump Lists persisted after iTunes was removed from the system.

AutomaticDestinations

Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Files: *.automaticDestinations-ms

Structure
The autodest files follow the MS-CFB compound file binary format specification (http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx). Each of the numbered streams within the file follows the MS-SHLLINK binary format specification (http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx).

Tools
Autodest files can be opened in tools such as the MiTec Structured Storage Viewer (http://mitec.cz/ssv.html), and each of the streams extracted individually by hand. Each of the extracted numbered streams can then be viewed via the Windows File Analyzer (http://mitec.cz/wfa.html).

Another approach is to use Mark Woan's JumpLister tool (http://www.woanware.co.uk/?p=265) to view the information within the numbered streams of each autodest file.

The autodest files also contain a stream named "DestList", which acts as a most recently/most frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by one structure for each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable-length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

Offset  Size      Description
0x48    16 bytes  NetBIOS name of the system; padded with zeros to 16 bytes
0x58    8 bytes   Stream number; corresponds to the numbered stream within the jump list
0x64    8 bytes   FILETIME object (http://support.microsoft.com/kb/188768)
0x70    2 bytes   Number of Unicode characters in the string that follows
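As an added example (not from the wiki page or from any of the tools it names), the following Python script parses a DestList stream using only the layout given above: it skips the 32-byte header, then walks the entries, reading the NetBIOS name at 0x48, the stream number at 0x58, the FILETIME at 0x64 and the 2-byte character count at 0x70, followed by the UTF-16LE string. The sample stream is constructed inline with a small builder that fills in only the documented fields and leaves the undocumented bytes of the 114-byte block at zero; the assumption that entries sit back to back with no padding is taken from the page's description, and the machine name, stream numbers, paths and timestamps are made up for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

DESTLIST_HEADER_SIZE = 32   # the page: a 32-byte header precedes the entries
ENTRY_FIXED_SIZE = 114      # 0x72 bytes of fixed fields before the Unicode string

# Offsets within the fixed part, as documented on the page
OFF_NETBIOS = 0x48   # 16 bytes, zero padded
OFF_STREAM = 0x58    # 8 bytes, little-endian stream number
OFF_FILETIME = 0x64  # 8 bytes, FILETIME
OFF_STRLEN = 0x70    # 2 bytes, number of UTF-16 characters that follow

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build the constructed sample)."""
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_destlist(data):
    """Walk a DestList stream and return one dict per entry.

    Only the fields the page documents are decoded; the rest of each 114-byte
    fixed block is skipped. Entries are assumed (per the page) to be laid out
    back to back: fixed block, then the UTF-16LE string, with no padding.
    """
    if len(data) < DESTLIST_HEADER_SIZE:
        raise ValueError("DestList shorter than its 32-byte header")
    entries = []
    pos = DESTLIST_HEADER_SIZE
    while pos < len(data):
        if pos + ENTRY_FIXED_SIZE > len(data):
            raise ValueError("truncated fixed block at offset 0x%x" % pos)
        fixed = data[pos:pos + ENTRY_FIXED_SIZE]
        netbios = fixed[OFF_NETBIOS:OFF_NETBIOS + 16].rstrip(b"\x00").decode("ascii", "replace")
        stream_no = struct.unpack_from("<Q", fixed, OFF_STREAM)[0]
        ft = struct.unpack_from("<Q", fixed, OFF_FILETIME)[0]
        nchars = struct.unpack_from("<H", fixed, OFF_STRLEN)[0]
        start = pos + ENTRY_FIXED_SIZE
        end = start + nchars * 2
        if end > len(data):
            raise ValueError("truncated path string at offset 0x%x" % start)
        entries.append({
            "netbios_name": netbios,
            "stream_number": stream_no,
            "timestamp": filetime_to_datetime(ft),
            "path": data[start:end].decode("utf-16-le"),
        })
        pos = end
    return entries


def is_well_formed(data):
    """True if the stream parses cleanly; a quick triage check for a carved DestList."""
    try:
        parse_destlist(data)
        return True
    except ValueError:
        return False


def most_recent_first(entries):
    """Order entries by their FILETIME, newest first (the MRU view)."""
    return sorted(entries, key=lambda e: e["timestamp"], reverse=True)


# --- constructed sample data (not from a real system) ---------------------

def build_entry(netbios, stream_no, when, path):
    """Assemble one entry in the page's layout; undocumented bytes are left zero."""
    fixed = bytearray(ENTRY_FIXED_SIZE)
    fixed[OFF_NETBIOS:OFF_NETBIOS + 16] = netbios.encode("ascii").ljust(16, b"\x00")
    struct.pack_into("<Q", fixed, OFF_STREAM, stream_no)
    struct.pack_into("<Q", fixed, OFF_FILETIME, datetime_to_filetime(when))
    encoded = path.encode("utf-16-le")
    struct.pack_into("<H", fixed, OFF_STRLEN, len(encoded) // 2)
    return bytes(fixed) + encoded


SAMPLE_DESTLIST = (
    bytes(DESTLIST_HEADER_SIZE)
    + build_entry("FORENSICS-WS1", 1, datetime(2011, 12, 27, 15, 30, tzinfo=timezone.utc),
                  r"C:\Users\user\Documents\report.docx")
    + build_entry("FORENSICS-WS1", 2, datetime(2011, 12, 28, 8, 15, tzinfo=timezone.utc),
                  r"D:\podcasts\cyberspeak.mp3")
)

if __name__ == "__main__":
    for e in most_recent_first(parse_destlist(SAMPLE_DESTLIST)):
        print(e["timestamp"].isoformat(), "stream", e["stream_number"], e["path"])
```

To run this against a real autodest file, first extract the DestList stream from the compound file with one of the viewers named above and pass its bytes to parse_destlist; the stream number in each entry is what ties the path and timestamp back to the numbered MS-SHLLINK stream in the same file. The parser fails loudly on a truncated entry rather than silently returning a partial list, which matters when the stream has been carved from unallocated space.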

CustomDestinations

Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Files: *.customDestinations-ms

Structure
Custdest files reportedly follow a structure of sequential MS-SHLLINK binary format segments (http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx).

AppIDs

List of Jump List IDs