ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Jump Lists" and "Compression"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(AppIDs)
 
(LZ1)
 
Line 1: Line 1:
{{expand}}
+
{{Expand}}
'''Jump Lists''' are a feature found in Windows 7.
+
  
== Jump Lists ==
+
== External Links ==
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.  Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system
+
* [http://www.coderforlife.com/ Microsoft Compression Formats]
  
Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder.  Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.
+
=== LZ1 ===
 
+
* [http://andyh.org/LZ1.html LZ1]
 
+
=== AutomaticDestinations ===
+
Path: C:\Users\user\Recent\AutomaticDestinations<br>
+
Files: *.automaticDestinations-ms
+
 
+
'''Structure'''<br>
+
The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
+
<p>
+
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string.  The first 114 bytes of the structure contains the following information at the corresponding offsets:
+
 
+
<table border="1">
+
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
+
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
+
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
+
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
+
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
+
</table>
+
 
+
=== CustomDestinations ===
+
Path: C:\Users\user\Recent\CustomDestinations<br>
+
Files: *.customDestinations-ms
+
 
+
'''Structure'''<br>
+
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format segments.
+
 
+
== AppIDs ==
+
[[List of Jump List IDs]]
+
<br>
+
{{Windows}}
+

Revision as of 06:09, 9 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

External Links

LZ1