Windows 7 forensics jump lists-rv3-public

Date post: 22-Jan-2015
Transcript
Page 1: Windows 7 forensics jump lists-rv3-public

Forensic Examination of Windows 7 Jump Lists

Troy Larson, Principal Forensics Program Manager
TWC Network Security Investigations, NSINV-R3 – Research|Readiness|Response

Page 2: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

• . . . users should be able to “jump” directly to those things they want to work with and start working with them in a single mouse click. To provide this functionality, Windows 7 Taskbar introduces the concept of “Jump Lists.”

• . . . think of Jump Lists as your own mini Start Menu for your application.

http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx

What?

Page 3: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Ramifications for forensic investigations:

– History of items opened or modified by a particular application.
  • Similar to other Most Recently Used (MRU) or Most Frequently Used (MFU) artifacts.
  • But not based on shortcut (.LNK) files or registry stores.

– Distinctive features:
  • Lists of MRU or MFU items organized by application.
  • A list can retain several hundred items.
  • Items may remain on a list after their target is deleted from the volume.
  • Although items can be deleted from the lists, deletions can be detected.
  • Only a few items are shown for any list; the list can hold hundreds more items than are shown.

Why?

Page 4: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Jump Lists are likely to be worth investigating in detail when:

– A user’s historic activity is at issue.
  • What files, SharePoint sites, or Web pages have been opened or accessed.
– There is a concern that data files have been deleted or moved.
– To show knowledge or intent.
– Search term hits occur within Jump List files.

When?

Page 5: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Diagram of Jump List components:
– Destinations (“nouns”): Known categories, Custom categories, Pinned category.
– Tasks (“verbs”): User Tasks, Taskbar Tasks.

Page 6: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Diagram of Jump List components (same layout as the previous slide):
– Destinations (“nouns”): Known categories, Custom categories, Pinned category.
– Tasks (“verbs”): User Tasks, Taskbar Tasks.

User tasks and destinations are forms of links.

Page 7: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Jump List content is derived from two data files.

– “Destination” files:
  • [AppID].automaticDestinations-ms
  • [AppID].customDestinations-ms

Page 8: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

• Automatic Destinations:
  – List of “destinations.”
  – Automatically populated by the system.
  – Based on calls to SHAddToRecentDocs.
    • Collects information about data file usage.
    • Records information in the Recent Items folder and in the “using” application’s automatic destination file.
    • Sorted by recency (MRU) or frequency (MFU).

C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

• Custom Destinations:
  – List of “destinations.”
  – Content maintained by the application.
    • Custom categories.
    • Tasks specific to the application.
  – Specified by the application using the ICustomDestinationList API.

C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Page 9: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Windows 7: Recent folder.
– AutomaticDestinations folder.
– CustomDestinations folder.
– Shortcut (.lnk) files.

Page 10: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Page 11: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Page 12: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Note:
– More automatic destination files.
– Matched pairs share the same AppID.
– Custom destinations have temporary files.

And so on.

Page 13: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

• AppID is based on the process name or can be specified by the application.
  – Different command arguments for the same application may result in different AppIDs.
• Applications can have more than one AppID.
  – The same process (with the same command argument) should have the same AppID across systems.
• AppID can be used to identify the application owning a destination file.
  – Permits the investigator to selectively investigate destination files.

Page 14: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Some AppIDs for common applications:

AppID              Application
1b4dd67f29cb1962   Explorer (task bar folder icon)
1bc392b8e104a00e   Remote Desktop
23646679aaccfae0   Adobe Reader 9 x64
271e609288e1210a   Access 2010 x86
28c8b86deab549a1   Internet Explorer x86
290532160612e071   WinRar x64
2b53c4ddf69195fc   Zune x64
3094cdb43bf5e9c2   OneNote 2010 x86
5da8f997fd5f9428   Internet Explorer x64
74d7f43c1561fc1e   Windows Media Player
9839aec31243a928   Excel 2010 x86
9b9cdc69c1c24e2b   Notepad x64
9c7cc110ff56d1bd   PowerPoint 2010 x86
a7bd71699cd38d1c   Word 2010 x86
b8c29862d9f95832   InfoPath 2010 x86
b91050d8b077a4e8   Windows Media Center x64
be71009ff8bb02a2   Outlook x86
d64d36b238c843a3   InfoPath 2010 x86
e36bfc8972e5ab1d   XPS Viewer

Page 15: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Anatomy of the custom destination file.
– One or more streams in the shell link file format.
  http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx

Page 16: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Anatomy of the automatic destination file.
– Structured Storage format.
  http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
  http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
– Containing one or more streams in the shell link file format.

Page 17: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump ListsAnatomy of the automatic destination file in a structured storage viewer: OffVis.

Page 18: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
• Streams.
• Higher number = more recent or more frequent.

Page 19: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Anatomy of the automatic destination file in a structured storage viewer:
• DestList.
• Order of presentation on the jump list.

Page 20: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Analysis of Custom Destination Files
• Review the series of shell link items in a hex editor.
Or
• Carve and parse:
  – Using a hex editor, carve out each shell link item, saving each to a separate file.
  – Use a link file parser to review the extracted shell link streams.
  – Some streams may not be complete shell items, e.g. paths.

Analysis of Automatic Destination Files
• Parse the file with a structured storage viewer and review the 1) stream enumeration and 2) shell link streams.
Or
• Carve and parse:
  – Using a structured storage parser/viewer, extract each stream to a separate file.
  – Review the DestList with a hex editor.
  – Use a link file parser to review the extracted shell link streams.
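The custom destination carve-and-parse procedure above, scripted. This is an added example and not code from the presentation: it scans a customDestinations-ms blob for the 20-byte shell link signature (HeaderSize 0x4C plus the LinkCLSID from the MS-SHLLINK specification linked on the slide), splits the blob at each hit, and reads the header timestamps and the LinkInfo LocalBasePath from each carved item. The sample blob is constructed in the script from minimal links it builds itself (an assumed 12-byte leading header that is not parsed, no IDList, no StringData), so it runs offline; real files carry more structures, which is why the parser skips the IDList when present and only reads what it knows.

```python
"""Carve shell link (LNK) items out of a customDestinations-ms blob and read
the target path and timestamps from each, following the MS-SHLLINK layout."""
import struct
from datetime import datetime, timedelta, timezone

# Every shell link begins with HeaderSize 0x4C and the LinkCLSID
# {00021401-0000-0000-C000-000000000046}: a 20-byte signature to carve on.
LNK_SIGNATURE = (b"\x4c\x00\x00\x00"
                 b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
HAS_LINK_TARGET_ID_LIST = 0x01         # LinkFlags bit A
HAS_LINK_INFO = 0x02                   # LinkFlags bit B
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags bit A
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def carve_shell_links(data):
    """Split data at every LNK signature; each slice is one carved item."""
    starts = []
    pos = data.find(LNK_SIGNATURE)
    while pos != -1:
        starts.append(pos)
        pos = data.find(LNK_SIGNATURE, pos + len(LNK_SIGNATURE))
    return [data[s:e] for s, e in zip(starts, starts[1:] + [len(data)])]


def parse_shell_link(item):
    """Read ShellLinkHeader fields, skip the IDList, pull LocalBasePath."""
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", item, 0x14)
    pos = 0x4C                                   # end of the fixed header
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", item, pos)[0]
    local_path = None
    if flags & HAS_LINK_INFO:
        # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags, VolumeIDOffset,
        # LocalBasePathOffset (offsets are relative to the LinkInfo start)
        _, _, info_flags, _, base_off = struct.unpack_from("<IIIII", item, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + base_off
            local_path = item[start:item.index(b"\x00", start)].decode("cp1252")
    return {"link_flags": flags, "file_attributes": attrs, "file_size": size,
            "creation_time": filetime_to_datetime(ctime),
            "access_time": filetime_to_datetime(atime),
            "write_time": filetime_to_datetime(wtime),
            "local_base_path": local_path}


def build_shell_link(local_path, write_time, file_size):
    """Constructed minimal link: header + LinkInfo (VolumeID, LocalBasePath)."""
    path_bytes = local_path.encode("cp1252") + b"\x00"
    # VolumeIDSize, DriveType (3 = fixed), serial, VolumeLabelOffset, empty label
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    vol_off = 0x1C                              # LinkInfoHeaderSize
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path_bytes)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + path_bytes + b"\x00"   # empty CommonPathSuffix
    header = LNK_SIGNATURE + struct.pack(
        "<IIQQQIIIHHII", HAS_LINK_INFO, 0x20, 0, 0,
        datetime_to_filetime(write_time), file_size, 0, 1, 0, 0, 0, 0)
    return header + link_info


def build_sample_blob():
    """Constructed sample: assumed unparsed leading bytes, then two link items."""
    t = datetime(2011, 3, 15, 12, 0, tzinfo=timezone.utc)
    return (b"\x02\x00\x00\x00" + b"\x00" * 8
            + build_shell_link(r"C:\Users\alice\Documents\budget.xlsx", t, 40960)
            + build_shell_link(r"D:\share\notes.txt", t + timedelta(hours=2), 512))


if __name__ == "__main__":
    for item in carve_shell_links(build_sample_blob()):
        print(parse_shell_link(item))
```

On a real file, replace build_sample_blob() with the bytes of a *.customDestinations-ms file; items that are only a path string rather than a full shell link, as the slide warns, will not carry the signature and must be reviewed separately in the hex editor.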

Page 21: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Carve and parse: Custom destination file.

. . .

Carve shell link item and copy or export to file.

Page 22: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Carve and parse: Custom destination file.

010 Editor with LNK template.

Page 23: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Carve and parse: Custom destination file.

– File properties of the extracted shell link item.

Page 24: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Carve and parse: Automatic Destination Files.

MiTec’s Structured Storage Viewer.http://www.mitec.cz/ssv.html

Page 25: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Carve and parse: Automatic Destination Files.

MiTec’s Windows File Analyzer.http://www.mitec.cz/wfa.html

Page 26: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Items can be removed from a list. Removed items will leave gaps in the number sequence of the streams in the automatic destination file.

Stream list from MiTec’s Structured Storage Viewer.
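The DestList review (pages 19 and 20) and the gap check above, scripted. This is an added example and not code from the presentation: it parses a Windows 7 (version 1) DestList stream, assuming the commonly documented layout of a 32-byte header followed by one 0x72-byte fixed record plus a UTF-16LE path per entry (entry number at 0x58, last-used FILETIME at 0x64, pin status at 0x6C, path length at 0x70), then compares the DestList entry numbers with the hex-numbered link stream names. The stream name list and the DestList bytes are constructed in the script, so it runs offline; on a real file the streams would come from a structured storage parser. The layout offsets are an assumption stated here and in the code, not something the slides spell out.

```python
"""Parse a Windows 7 DestList stream from an *.automaticDestinations-ms file
and cross-check it against the numbered link streams to spot removed items."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 32          # assumed version-1 DestList header
ENTRY_FIXED_SIZE = 0x72   # assumed fixed part of a version-1 entry


def filetime_to_iso(ft):
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def parse_destlist(stream):
    """Return (version, entries) for a DestList stream (assumed v1 layout)."""
    version, entry_count = struct.unpack_from("<II", stream, 0)
    pos, entries = HEADER_SIZE, []
    for _ in range(entry_count):
        host = stream[pos + 0x48:pos + 0x58].split(b"\x00")[0].decode("ascii", "replace")
        entry_num, = struct.unpack_from("<I", stream, pos + 0x58)
        mru_ft, = struct.unpack_from("<Q", stream, pos + 0x64)
        pinned, = struct.unpack_from("<i", stream, pos + 0x6C)   # -1 = not pinned
        nchars, = struct.unpack_from("<H", stream, pos + 0x70)
        start = pos + ENTRY_FIXED_SIZE
        path = stream[start:start + nchars * 2].decode("utf-16-le")
        entries.append({"entry": entry_num, "stream": format(entry_num, "x"),
                        "host": host, "mru_filetime": mru_ft,
                        "mru_time": filetime_to_iso(mru_ft),
                        "pinned": pinned != -1, "path": path})
        pos = start + nchars * 2
    return version, entries


def mru_order(entries):
    """Order of presentation on the jump list: most recently used first."""
    return [e["path"] for e in sorted(entries, key=lambda e: e["mru_filetime"], reverse=True)]


def audit_streams(stream_names, entries):
    """Gaps in the hex stream numbering and streams/entries without a partner."""
    present = {int(n, 16) for n in stream_names if n != "DestList"}
    listed = {e["entry"] for e in entries}
    top = max(present, default=0)
    return {"gaps": sorted(set(range(1, top + 1)) - present),
            "streams_without_entry": sorted(present - listed),
            "entries_without_stream": sorted(listed - present)}


def build_entry(entry_num, path, mru_ft, host=b"WIN7-LAB", pinned=-1):
    """Constructed version-1 DestList entry (unknown fields left zeroed)."""
    fixed = bytearray(ENTRY_FIXED_SIZE)
    fixed[0x48:0x48 + len(host)] = host
    struct.pack_into("<I", fixed, 0x58, entry_num)
    struct.pack_into("<Q", fixed, 0x64, mru_ft)
    struct.pack_into("<i", fixed, 0x6C, pinned)
    struct.pack_into("<H", fixed, 0x70, len(path))
    return bytes(fixed) + path.encode("utf-16-le")


# Constructed stream list as a structured storage viewer would show it:
# entries 4, 7 and 9 were removed, and stream 6 has no DestList entry.
SAMPLE_STREAMS = ["1", "2", "3", "5", "6", "8", "a", "DestList"]


def build_sample_destlist():
    hour = 36_000_000_000                    # FILETIME ticks per hour
    base = 129_446_640_000_000_000           # 2011-03-15 12:00:00 UTC
    docs = r"C:\Users\alice\Documents"
    spec = [(1, docs + r"\budget.xlsx", base),
            (2, docs + r"\q1-report.docx", base + 2 * hour),
            (3, docs + r"\notes.txt", base + 5 * hour),
            (5, docs + r"\contract.pdf", base + 1 * hour),
            (8, docs + r"\minutes.docx", base + 3 * hour),
            (10, docs + r"\plan.pptx", base + 4 * hour)]
    header = struct.pack("<IIIfIIII", 1, len(spec), 0, 0.0, 10, 0, 0, 0)
    return header + b"".join(build_entry(n, p, t) for n, p, t in spec)


if __name__ == "__main__":
    _, items = parse_destlist(build_sample_destlist())
    print(mru_order(items))
    print(audit_streams(SAMPLE_STREAMS, items))
```

The audit mirrors the slide: a missing number in the 1..max sequence is a removed item, and a stream present with no DestList entry is worth opening with a link file parser, since its content may survive the removal.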

Page 27: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

OffVis:
– Defragment the file.
– Reparse to identify deleted items.

Page 28: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

OffVis: “\” marks deleted items.

Page 29: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Stream of a list item.

Page 30: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Stream of a removed item.

Page 31: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists

Quick review of automatic and custom destination files:
– Jumplist File Extract.
– http://www.regdat.com/

Page 32: Windows 7 forensics jump lists-rv3-public

Windows 7 Jump Lists
