Difference between pages "Jump Lists" and "Compression"

From ForensicsWiki
(Difference between pages)
 
(LZ1)
 
Line 1: Line 1:
{{expand}}
+
{{Expand}}
'''Jump Lists''' are a feature found in Windows 7.
+
  
== Jump Lists ==
+
== External Links ==
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.  Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system
+
* [http://www.coderforlife.com/ Microsoft Compression Formats]
  
Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder.  Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.
+
=== LZ1 ===
 
+
* [http://andyh.org/LZ1.html LZ1]
 
+
=== AutomaticDestinations ===
+
Path: C:\Users\user\Recent\AutomaticDestinations<br>
+
Files: *.automaticDestinations-ms
+
 
+
'''Structure'''<br>
+
The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
+
<p>
+
'''Tools'''<br>
+
Autodest files can be opened in tools such as the [http://mitec.cz/ssv.html: MiTec Structured Storage Viewer], and each of the streams individually/manually extracted.  Each of the extracted numbered streams can then be viewed via the [http://mitec.cz/wfa.html: Windows File Analyzer].<p>
+
Another approach would be to use Mark Woan's [http://www.woanware.co.uk/?p=265: JumpLister] tool to view the information within the numbered streams of each autodest file.
+
<p>
+
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams.  Each of these structures is 114 bytes in size, followed by a variable length Unicode string.  The first 114 bytes of the structure contain the following information at the corresponding offsets:
+
 
+
<table border="1">
+
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
+
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
+
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
+
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
+
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
+
</table>
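A minimal parser for the DestList layout described above, as an added example (not code from ForensicsWiki or from any of the tools named here). It assumes little-endian integers and UTF-16LE strings and reads only the four fields in the table; the sample stream, its timestamps and the hostname `WKSTN01` are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32   # DestList header length given in the text
ENTRY_SIZE = 114   # fixed part of each entry, before the Unicode string
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_destlist(data):
    """Parse a raw DestList stream into a list of dicts, one per entry."""
    entries, pos = [], HEADER_SIZE
    while pos < len(data):
        fixed = data[pos:pos + ENTRY_SIZE]
        if len(fixed) < ENTRY_SIZE:
            raise ValueError(f"truncated entry at offset {pos:#x}")
        # Offsets below are relative to the start of the entry (see table).
        host = fixed[0x48:0x58].rstrip(b"\x00").decode("ascii", "replace")
        stream_no, = struct.unpack_from("<Q", fixed, 0x58)
        filetime, = struct.unpack_from("<Q", fixed, 0x64)
        n_chars, = struct.unpack_from("<H", fixed, 0x70)
        end = pos + ENTRY_SIZE + n_chars * 2   # assumed 2 bytes per character
        if end > len(data):
            raise ValueError(f"string overruns stream at offset {pos:#x}")
        path = data[pos + ENTRY_SIZE:end].decode("utf-16-le", "replace")
        entries.append({
            "hostname": host, "stream": stream_no,
            "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "path": path})
        pos = end
    return entries


def build_sample():
    """Constructed two-entry DestList stream (illustrative, not real evidence)."""
    out = bytearray(HEADER_SIZE)
    for stream_no, ft, path in [(1, 130467497400000000, r"C:\Users\user\a.txt"),
                                (2, 130467533400000000, r"C:\Users\user\b.docx")]:
        fixed = bytearray(ENTRY_SIZE)
        fixed[0x48:0x58] = b"WKSTN01".ljust(16, b"\x00")
        struct.pack_into("<Q", fixed, 0x58, stream_no)
        struct.pack_into("<Q", fixed, 0x64, ft)
        struct.pack_into("<H", fixed, 0x70, len(path))
        out += fixed + path.encode("utf-16-le")
    return bytes(out)


if __name__ == "__main__":
    for entry in parse_destlist(build_sample()):
        print(entry)
```

The length checks matter on carved or partially overwritten streams, where the character count at 0x70 can point past the end of the data.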
+
 
+
=== CustomDestinations ===
+
Path: C:\Users\user\Recent\CustomDestinations<br>
+
Files: *.customDestinations-ms
+
 
+
'''Structure'''<br>
+
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format segments.
+
 
+
== AppIDs ==
+
[[List of Jump List IDs]]
+
<br>
+
{{Windows}}
+

Revision as of 01:09, 9 June 2014

External Links

LZ1