Difference between pages "Jump Lists" and "Linux Repositories"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(AutomaticDestinations)
 
(File Inventory Tools)
 
Line 1: Line 1:
{{expand}}
 
'''Jump Lists''' are a feature found in Windows 7.
 
  
== Jump Lists ==
+
There are a number of linux distributions.
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files.  Autodest files are created by the operating system
+
  
Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder.  Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.
+
In general they have primary repositories which are setup for every installation of the operating system and they have special purpose repositories which require specific setup.
  
''Author's Note'': Jump Lists can prove to be considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., [http://www.cyberspeak.libsyn.com: CyberSpeak podcasts]) were launched via iTunes.  The Jump Lists persisted after the iTunes was removed from the system.
+
=Repository Setup=
 +
==openSUSE==
 +
For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured:
  
=== AutomaticDestinations ===
+
*security
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations<br>
+
*devel:languages:perl
Files: *.automaticDestinations-ms
+
*devel:languages:python
  
==== Structure ====
+
This is most easily done from the command line via (assumes openSUSE 12.1):
The autodest files are [[OLE Compound File|OLE Compound Files]] containing multiple streams of which:
+
* DestList
+
* hexadecimal numbered, e.g. "1a"
+
  
Each of the hexadecimal numbered streams contains data similar of that of a [[LNK|Windows Shortcut]].
+
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/security/openSUSE_12.1</nowiki> security
 +
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/devel:/languages:/perl</nowiki>/openSUSE_12.1 perl
 +
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1</nowiki> python
 +
 +
zypper lr  <nowiki>          </nowiki>  # used to verify you have the repos installed
  
The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contains the following information at the corresponding offsets:
+
==fedora==
  
<table border="1">
+
[http://www.cert.org/forensics/tools/ CERT] maintains a fedora security repository with a large number of DFIR applicaitons.
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
+
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
+
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
+
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
+
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
+
</table>
+
  
=== CustomDestinations ===
+
==debian==
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations<br>
+
Files: *.customDestinations-ms
+
  
'''Structure'''<br>
+
You can search for debian packages at [http://packages.debian.org/search debian's search page]
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format segments.
+
  
=== Tools ===
+
==ubuntu==
* Autodest files can be opened in tools such as the [http://mitec.cz/ssv.html: MiTec Structured Storage Viewer], and each of the streams individually/manually extracted.  Each of the extracted numbered streams can then be viewed via the [http://mitec.cz/wfa.html: Windows File Analyzer].
+
* Another approach would be to use Mark Woan's [http://www.woanware.co.uk/?p=265: JumpLister] tool to view the information within the numbered streams of each autodest file.
+
* TZWorks LLC [http://tzworks.net/prototype_page.php?proto_id=20 Jump List Parser (jmp)] also has a tool that can parse both the custom and automatic Destinations type files.  For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that can run in Windows, Linux or Mac OS-X.
+
  
== See also ==
+
=Computer Forensic Tools=
* [[List of Jump List IDs]]
+
Below is a list of computer forensic tools.  For each tool the repository it can be found in and the version in the repository is shown.
* [[OLE Compound File]]
+
* [[Windows]]
+
  
== External Links ==
+
As an example, aimage is in the openSUSE security repository and it is version 3.2.5
  
[[Category:Windows]]
+
==Imaging Tools==
 +
 
 +
{|border="1" cellpadding="2" cellspacing="0" {{repository table}}
 +
|-
 +
|rowspan=1| '''Tool'''
 +
|'''openSUSE'''
 +
|'''fedora'''
 +
|'''debian'''
 +
|'''ubuntu'''
 +
|'''comment'''
 +
|'''General Remarks'''
 +
 
 +
|-
 +
|rowspan=1| [http://www.e-fense.com/helix/ adepto]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|N/A              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|  <!-- comment -->
 +
|adepto is included in the helix boot cd<!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [[aimage]]
 +
|security/3.2.5 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/3.2.4  <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a imaging tool to create aff format images  <!-- comment -->
 +
|aimage has been EOL'ed.  guymager or ftkimager (windows/mac) are recommended for creating aff images. <!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [[AIR]]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|?              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|Automated Image and Restore  <!-- comment -->
 +
|a GUI front-end to dd and dc3dd designed for easily creating forensic bit images <!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [[dc3dd]]
 +
|security*/7.1.614 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|sid/7.1.614    <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|DoD Cyber Crime Center DD  <!-- comment -->
 +
|This tool was formerly known as dcfldd.  When released as dc3dd it was totally rewritten. <!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [[ddrescue]]
 +
|Base/1.14 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/1.14 sid/1.23 <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|Also known as GNU ddrescue<!-- comment -->
 +
|This tool is different than dd_rescue.
 +
 
 +
|-
 +
|rowspan=1| [[dd_rescue]]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|?              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|<!-- comment -->
 +
|This tool is different than GNU ddrescue.
 +
 
 +
|-
 +
|rowspan=1| [[libewf|ewfacquire]]
 +
|security*/20100226 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/20100226              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a imaging tool to create ewf format images  <!-- comment -->
 +
|ewfacquire is part of ewftools in some distributions.<!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [[IXimager]]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|?              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|A law enforcement only imager<!-- comment -->
 +
|used in conjunction with ILook Investigator
 +
 
 +
|-
 +
|rowspan=1| [[LinEn]]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|?              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a proprietary imaging tool to create ewf format images  <!-- comment -->
 +
|included on the Helix boot CD<!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [[guymager]]
 +
|N/A<!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|Squeeze/0.4.2 Sid/0.5.9-3              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a imaging tool to create aff format images  <!-- comment -->
 +
|Guymager is an open source forensic imager. It focuses on user friendliness and high speed.  <!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [http://sourceforge.net/projects/rdd rdd]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|?              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a dd-like tool, with forensic imaging features  <!-- comment -->
 +
|Rdd is robust with respect to read errors<!-- General Remarks -->
 +
 
 +
|-
 +
|rowspan=1| [ftp://ftp.berlios.de/pub/sdd/ sdd]
 +
|Archiving:Backup/1.52 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|?              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a dd-like tool<!-- comment -->
 +
|Designed to work well when IBS != OBS.  Working with tape is an example.<!-- General Remarks -->
 +
 
 +
|}
 +
 
 +
*package will appear in the base release with the next full distribution release.
 +
 
 +
==File Inventory Tools==
 +
 
 +
{|border="1" cellpadding="2" cellspacing="0" {{repository table}}
 +
|-
 +
|rowspan=1| '''Tool'''
 +
|'''openSUSE'''
 +
|'''fedora'''
 +
|'''debian'''
 +
|'''ubuntu'''
 +
|'''comment'''
 +
|'''General Remarks'''
 +
 
 +
|-
 +
|rowspan=1| [[exiftool]]
 +
|base/v8.65 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/v8.15 sid/v8.60              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|  <!-- comment -->
 +
|exiftool has superior metadata reporting capability -->
 +
 
 +
|-
 +
|rowspan=1| [[fiwalk]]
 +
|security*/v0.6.15 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|N/A              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|  <!-- comment -->
 +
|fiwalk is a robust $MFT walker<!-- General Remarks -->
 +
 
 +
 
 +
|}
 +
 
 +
*package will appear in the base release with the next full distribution release.

Revision as of 19:19, 5 March 2012

There are a number of linux distributions.

In general they have primary repositories which are setup for every installation of the operating system and they have special purpose repositories which require specific setup.

Contents

Repository Setup

openSUSE

For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured:

  • security
  • devel:languages:perl
  • devel:languages:python

This is most easily done from the command line via (assumes openSUSE 12.1):

sudo zypper ar -f http://download.opensuse.org/repositories/security/openSUSE_12.1 security
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_12.1 perl
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1 python

zypper lr               # used to verify you have the repos installed

fedora

CERT maintains a fedora security repository with a large number of DFIR applicaitons.

debian

You can search for debian packages at debian's search page

ubuntu

Computer Forensic Tools

Below is a list of computer forensic tools. For each tool the repository it can be found in and the version in the repository is shown.

As an example, aimage is in the openSUSE security repository and it is version 3.2.5

Imaging Tools

Tool openSUSE fedora debian ubuntu comment General Remarks
adepto N/A ? N/A ? adepto is included in the helix boot cd
aimage security/3.2.5 ? squeeze/3.2.4 ? a imaging tool to create aff format images aimage has been EOL'ed. guymager or ftkimager (windows/mac) are recommended for creating aff images.
AIR N/A ? ? ? Automated Image and Restore a GUI front-end to dd and dc3dd designed for easily creating forensic bit images
dc3dd security*/7.1.614 ? sid/7.1.614 ? DoD Cyber Crime Center DD This tool was formerly known as dcfldd. When released as dc3dd it was totally rewritten.
ddrescue Base/1.14 ? squeeze/1.14 sid/1.23 ? Also known as GNU ddrescue This tool is different than dd_rescue.
dd_rescue N/A ? ? ? This tool is different than GNU ddrescue.
ewfacquire security*/20100226 ? squeeze/20100226 ? a imaging tool to create ewf format images ewfacquire is part of ewftools in some distributions.
IXimager N/A ? ? ? A law enforcement only imager used in conjunction with ILook Investigator
LinEn N/A ? ? ? a proprietary imaging tool to create ewf format images included on the Helix boot CD
guymager N/A ? Squeeze/0.4.2 Sid/0.5.9-3 ? a imaging tool to create aff format images Guymager is an open source forensic imager. It focuses on user friendliness and high speed.
rdd N/A ? ? ? a dd-like tool, with forensic imaging features Rdd is robust with respect to read errors
sdd Archiving:Backup/1.52 ? ? ? a dd-like tool Designed to work well when IBS != OBS. Working with tape is an example.
  • package will appear in the base release with the next full distribution release.

File Inventory Tools

Tool openSUSE fedora debian ubuntu comment General Remarks
exiftool base/v8.65 ? squeeze/v8.15 sid/v8.60 ? exiftool has superior metadata reporting capability -->
fiwalk security*/v0.6.15 ? N/A ? fiwalk is a robust $MFT walker


  • package will appear in the base release with the next full distribution release.