Forensic analysis of Windows 7 Jump Lists

Date posted: 27-Dec-2015
Uploaded by: rob-lyness
Description: A look at the artefacts to be found when analysing Jump List files

Transcript
Page 1: Forensic analysis of Windows 7 Jump Lists

Forensic Artefacts from Windows 7 Jump Lists

Rob Lyness

Page 2

• Presentation based primarily on experimentation conducted and recorded in an MSc project
• Updated with observations and findings from current investigations

Page 3

What is a Jump List?

“take you right to the documents, pictures, songs, or websites you turn to each day”

http://windows.microsoft.com/en-US/windows7/products/features/jump-lists

Page 4

What is a Jump List?

• Analogous to the ‘Recent Items’ sub-menu
  – No longer presented by default, but can be re-activated
• Collection of shortcuts
• Application and user specific

Page 5

User Experience

• Enabled by default
  – Last 10 files
    · Can be amended to list the last 60
    · Links to individual files can be pinned to the Start Menu or Jump List
  – Last 10 programs
    · Can be amended to list the last 30
    · Links to individual programs can be pinned to the Start Menu and Taskbar

Page 6

Location of Jump List data (1)

• Windows Registry
  – Configuration settings for the Jump List feature
    · Number of items to display on the list
    · Number of items to display on the Start Menu
    · Whether the feature is switched on or off
    · Items that have been pinned to the Taskbar
      Entry removed if the item is removed from the Taskbar, including uninstallation of the program
• Folder Structure
  – Storage of Jump List files
  – Items that have been pinned to the Taskbar or Start Menu
    · Link files
    · Deleted if the item is unpinned
    · May be visible with forensic software

Page 7

Location of Jump List data (2)

• ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  – Start_JumpListItems (items to display on the Jump List; max 60)
  – Start_MinMFU (items to display on the Start Menu; max 30)
  – Start_TrackDocs (0 = Jump Lists off, 1 = Jump Lists on)
• Only present if the default values have been changed

Page 8

Location of Jump List data (3)

• %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\
  – Taskbar
    · Created at first login
    · Contains 3 shortcut (link) files (Internet Explorer, Windows Explorer, Windows Media Player)
    · Further link files added as further items are pinned
  – StartMenu
    · Created when the first item is pinned to the Start Menu

Page 9

Location of Jump List data (4)

• %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
  – Naming convention for files is 16 hexadecimal digits (known as the AppID) followed by ‘.customDestinations-ms’ (e.g. 5d696d521de238c3.customDestinations-ms)
  – Records maintained in link file format
• Relate to applications as opposed to files
• Not a focus of this presentation or the original project

Page 10

AppID

• Can be set by the application and notified to the system at runtime
  – If not notified by the application, the system will generate one automatically
• The same application with the same run switches will generate the same AppID on any Windows 7 machine
• Based on CompanyName.ProductName.SubProduct.VersionInformation
  – Testing showed that the file path of the executable is also taken into consideration
• Appears to be some kind of hash, although the type is not known
• List maintained at www.forensicswiki.org/wiki/List_of_Jump_List_IDs

Page 11

Location of Jump List data (6)

• %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  – Similar naming convention to that used by custom destinations (e.g. 5d696d521de238c3.automaticDestinations-ms)
• Main focus of research
• Compound Binary Files
  – Thumbs.db
  – Microsoft Office
• At first login contains only one Jump List file
  – Windows Explorer
    · 4 entries, one relating to each of the ‘Libraries’: Documents, Music, Pictures and Videos
• As files are accessed, further Jump Lists are generated and stored within the ‘AutomaticDestinations’ directory
  – Not all applications generate Jump Lists, e.g. Windows Photo Viewer

Page 12

Location of Jump List data (7)

• AutomaticDestinations and CustomDestinations directories:
  – Obfuscated by the Operating System and not normally visible through Windows Explorer
  – Do not have the ‘Hidden’ attribute set
  – Can be accessed via Command Prompt or by entering the full path into the address bar

[Screenshot: Recent Items.lnk, AutomaticDestinations.lnk]

Page 13

Deleting Records (1)

• Jump List files can be deleted by:
  – Switching the feature off
    · All link files in the ‘Recent’ directory removed
      May not be visible within forensic software
    · If pinned items are present, all other entries removed
    · If no pinned items are present, the entire Compound Binary file removed
      May not be visible within forensic software
  – Manually deleting each entry in a Jump List
    · Link files in the ‘Recent’ directory unaffected
    · Pinned items must be unpinned before they can be removed
    · Removal of all entries results in the entire Compound Binary file being removed
      May not be visible within forensic software

Page 14

Deleting Records (2)

  – Navigating through Windows Explorer and manually deleting
    · Requires knowledge of the location and the specific access method
    · AutomaticDestinations directory unaffected
    · All deleted files were visible within forensic software
    · Link files in the ‘Recent’ directory unaffected
  – Command Prompt
    · Link files in the ‘Recent’ directory unaffected
    · Compound Binary file deleted irrespective of the pinned status of any entry
      May not be visible in forensic software

Page 15

Deconstructing a Jump List

• Individual elements are named with a hexadecimal numeric value
  – Not re-used
  – Deleted entry numbers identifiable
• Most of these elements store data in the structured format of a shortcut (link) file
• One further element named ‘DestList’
  – Structured, but not in the shortcut format
  – Controls the presentation of entries to the user
  – Byte sequences read Little Endian

Page 16

Complete ‘DestList’ from Notepad Jump List

[Hex dump: DestList Header followed by 7 individual entries]

Page 17

DestList Header (1)

[Annotated hex dump of the header fields: First Entry ID issued; Total items in current list; No. of pinned entries; Counter; Last Entry ID issued; No. of Add/Delete actions]

Page 18

DestList Header (2)

• First Entry ID issued (4 bytes)
  – Appears to always be 1
• Total Items in current list (4 bytes)
  – Increments and decrements as entries are added to and removed from the list
  – Hexadecimal value
• Number of pinned entries (4 bytes)
  – Records the total number of entries in the list that are currently pinned
  – Hexadecimal value

Page 19

DestList Header (3)

• Counter (4 bytes)
  – Purpose not currently known
  – Also increments and decrements as entries are added to or removed from the list
  – Appears to be a floating point binary number
  – Does not always decode to a whole number
• Last Entry ID issued (8 bytes)
  – Record of the last hexadecimal Entry ID value used
  – 8 bytes seems excessive
    · Potential for another, as yet unknown, artefact

Page 20

DestList Header (4)

• Number of Add/Delete actions (8 bytes)
  – Increments as entries are added to the list
  – Increments as entries are removed from the list
  – 8 bytes again

[Hex dumps: Before deletion – 2 entries in list; After deletion – 1 entry in list]

Page 21

DestList Entry (1)

[Annotated hex dump of the entry fields: Checksum; New Vol ID; New Obj ID; Birth Vol ID; Birth Obj ID; NetBIOS Name; Entry ID; Access Count; Last Accessed Date; Pin status/count; No. Unicode characters in path]

Page 22

DestList Entry (2)

• Checksum (8 bytes)
  – Purpose not currently known
  – Algorithm used not known
  – Limited testing shows it relates to all entry data from the first byte of the checksum to the last byte before the target file path
• Data Tracker Block (64 bytes)
  – As found in link files

Page 23

DestList Entry (3)

• NetBIOS name (16 bytes)
  – Relates to the computer on which the target file is stored
  – May reveal names of network shares

Page 24

DestList Entry (4)

• Entry ID (8 bytes)
  – Reason for this size not known
• Access Count (4 bytes)
  – Not always reliable
    · Same as the counter in the DestList Header: sometimes decodes as a partial number
    · Unable to replicate the behaviour or identify the reason
  – Updates on each access
• Last Accessed Date (8 bytes)
  – FILETIME object
  – Repeated access of the same target requires at least 30 seconds between accesses
  – Serial accesses of different files have no such restriction
  – Updates on each access

Page 25

DestList Entry (5)

• Pinned Status (4 bytes)
  – Offsets 108–111 of an entry record its pin status
    · 0xFF 0xFF 0xFF 0xFF indicates an unpinned entry
    · Each pinned entry is assigned a value starting at 0x00 0x00 0x00 0x00

Page 26

DestList Entry (6)

• Number of Unicode characters in file path (2 bytes)
• Target file path
  – Normally with drive letter assignments
  – May be recorded as UNC if the access is to a hidden network share
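As an added example (not code from the presentation or from the author's own extraction program), the following Python parses the DestList header (Pages 18–20) and entry layout (Pages 22–26) exactly as the slides lay them out, over a constructed sample stream. The NetBIOS names, paths and timestamps are made up, and the checksum is left at zero because the slides give no algorithm for it.

```python
import struct
from datetime import datetime, timedelta, timezone

# Header (32 bytes, little endian): first entry ID, total items, pinned count,
# counter (decodes as a float), last entry ID issued, number of add/delete actions.
HEADER_FMT = "<IIIfQQ"
# Entry: checksum, 64-byte data tracker block, 16-byte NetBIOS name, entry ID,
# access count (decodes as a float), last-accessed FILETIME, pin status, path length.
ENTRY_FMT = "<Q64s16sQfQIH"
ENTRY_LEN = struct.calcsize(ENTRY_FMT)  # 114 bytes; pin status sits at offsets 108-111
UNPINNED = 0xFFFFFFFF                   # 0xFF 0xFF 0xFF 0xFF marks an unpinned entry

def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_destlist(data):
    """Return (header dict, list of entry dicts) for a raw DestList stream."""
    names = ["first_entry_id", "total_items", "pinned_count", "counter",
             "last_entry_id", "add_delete_actions"]
    header = dict(zip(names, struct.unpack_from(HEADER_FMT, data, 0)))
    entries, offset = [], struct.calcsize(HEADER_FMT)
    while offset + ENTRY_LEN <= len(data):
        (_checksum, _tracker, netbios, entry_id, access_count,
         last_access, pin_status, path_len) = struct.unpack_from(ENTRY_FMT, data, offset)
        offset += ENTRY_LEN
        # Path length is a character count; the path itself is UTF-16LE (2 bytes/char).
        path = data[offset:offset + 2 * path_len].decode("utf-16-le")
        offset += 2 * path_len
        entries.append({"entry_id": entry_id,
                        "netbios_name": netbios.rstrip(b"\x00").decode("ascii"),
                        "access_count": access_count,
                        "last_access": filetime_to_datetime(last_access),
                        "pinned": pin_status != UNPINNED,
                        "pin_order": None if pin_status == UNPINNED else pin_status,
                        "path": path})
    return header, entries

def build_entry(entry_id, netbios, access_count, filetime, pin_status, path):
    """Constructed test data only: pack one entry in the layout above (checksum left 0)."""
    fixed = struct.pack(ENTRY_FMT, 0, b"\x00" * 64, netbios.encode("ascii").ljust(16, b"\x00"),
                        entry_id, access_count, filetime, pin_status, len(path))
    return fixed + path.encode("utf-16-le")

# Constructed sample (made-up names): 2 items, 1 pinned, last ID 3, 4 add/delete actions.
FILETIME_1970 = 116444736000000000  # FILETIME of 1970-01-01 00:00:00 UTC
SAMPLE = struct.pack(HEADER_FMT, 1, 2, 1, 2.0, 3, 4)
SAMPLE += build_entry(3, "WORKSTATION1", 2.0, FILETIME_1970 + 1420156800 * 10_000_000,
                      UNPINNED, r"C:\Users\alice\Documents\notes.txt")
SAMPLE += build_entry(1, "FILESERVER", 1.0, FILETIME_1970, 0, r"\\fileserver\share$\budget.xlsx")
```

Calling `parse_destlist(SAMPLE)` yields the header counts and, per entry, the NetBIOS name, decoded last-access time, pin order and target path; on a real stream the same loop walks the entries until the data is exhausted.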

Page 27

Order of Access (1)

• On-screen display split into two areas:
  – Recent area
    · Oldest at bottom
    · Most recent at top
    · DestList re-written as accesses to target files continue
  – Pinned area
    · Oldest at top
    · Most recent at bottom
    · Pinned entries become static in the DestList

Page 28

Order of Access (2)

• No such differentiation in the DestList

Page 29

Recorded File Accesses (1)

• Windows Explorer
  – Link Files
• Application Toolbars
• Jump List entries

Page 30

Recorded File Accesses (2)

• Navigation through Windows Explorer
  – Investigated the various options available through left and right mouse clicks, including the additional options presented by the Shift key

Page 31

Recorded File Accesses (3)

• Application Toolbars

Page 32

Recorded File Accesses (4)

• Jump List entry

Page 33

Recorded File Accesses (5)

• Only actions that result in the content of the file being displayed to the user, either on screen or as hard copy, constitute an access.
• No difference was identified in the way that accesses are recorded
• Command Prompt did not result in any updates to the Jump Lists
  – Limited testing; Notepad and Paint
  – Other applications may produce different results
    · Microsoft Word 2007/2010 entries do update

Page 34

Rename, move and delete target files

Serial  Action                                                 Result / Remarks
1       Cut and Paste to new ‘Fixed’ NTFS volume               Opened. File path amended to new location.
2       Cut and Paste to NTFS ‘Removable’ drive                ‘Yes’ removes the entry from the list. ‘No’ leaves it in the list.
3       Cut and Paste on same ‘Fixed’ NTFS volume              Opened. File path amended to new location.
4       Right Mouse click > Delete                             ‘Restore’ returns the file to its original location, but does not open it. ‘Delete’ removes the entry from the list but leaves the file intact in the Recycle Bin.
5       Right Mouse click > Delete > Delete from Recycle Bin   As Serial 2 result.
6       Shift key + Delete key                                 As Serial 2 result.
7       Rename                                                 Opened. File path amended to new name.

Page 35

Peculiarities Experienced

• Not all applications use all of the available fields all of the time

Page 36

Peculiarities Experienced

• Different behaviour with Windows Media Player
  – 2 entries
    · Both relate to the same file accessed at the same time
• First time seen
  – Normally only a hexadecimal value is recorded as the file path

Page 37

Peculiarities Experienced

Windows Media Player – entry with hexadecimal value as file path. Element points to the program with embedded command switches.

Windows Media Player – entry with full file path. Element more like a ‘standard’ link file.

Page 38

Unallocated Clusters

• Potential to recover deleted entries
• Not tested, but likely to be re-used quickly

Page 39

Limitations

• Possibility of an automated process pinning items to a Jump List
• 30 seconds required between repeated accesses to target files
• Access count only tested with Notepad and Paint
  – Other programs may behave differently
• No reason identified for the use of floating point numbers
• Purpose and type of hash/checksum in each entry not known

Page 40

Future Work

• CustomDestinations
• Unallocated space of the hard disk drive
• Further development of the extraction program

Page 41

Summary (1)

• Configuration settings can be retrieved from the Windows Registry
  – ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
    · Number of items to display on the Jump List
    · Default value of 10
    · Maximum value of 60
  – ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
    · Status of the feature
    · Switched on by default
    · If present, the feature has been turned off at some point (0 = Jump Lists off, 1 = Jump Lists on)
• Only present if the default values/state have been changed

Page 42

Summary (2)

• Jump List data stored in Compound Binary files at %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  – Can be shortened to %AppData%\Microsoft\Windows\Recent\AutomaticDestinations
• Not all applications use the Jump List to record file accesses
• Most entries in Compound Binary files are named with a hexadecimal numeric value
  – Structured as link files
• DestList records the order of access
  – Structured as discussed

Page 43

Summary (3)

• Artefacts recoverable:
  – Header
    · ID of first entry
    · Number of items currently present in the Jump List
    · Number of pinned entries
    · Last assigned Entry ID
    · Total number of entries that have been added or deleted
    · A counter is also present, although its purpose is not known

Page 44

Summary (4)

  – Individual Entry
    · ‘FileLocation’ data as found in shortcut files
    · NetBIOS name of the computer where the target is stored
    · Date/time (GMT) of last access
    · Pinned status of the entry
    · Pinned order
    · How often a file has been accessed
    · Full path to the target file

Page 45

Summary (5)

• Based upon the experimentation conducted, the complete structure of the DestList element was determined

Page 46

Forensic Significance

• Analysis of Jump Lists could be used to show:
  – Which files have been accessed
  – The order in which they were first and last accessed
  – How often a file has been accessed
  – Which items have been pinned to a Jump List and the order in which they were pinned

Page 48

Questions?