Forensic Focus - General Discussion - Jump Lists


Re: Jump Lists

Posted: Sat Dec 31, 2011 7:13 pm
Author: keydet89 Location: NoVA
I'll have to see if I can't replicate that within a VM...thanks for pointing that out.

Re: Jump Lists

Posted: Sun Jan 01, 2012 7:00 am
Author: YogeshKhatri Location: Mumbai, India
- ntexaminer
I think he's referring to the whitepaper by Alex Barnett (Yogesh, please correct me if I'm wrong). The paper mentions that downloaded files using the private browsing mode of Firefox 3.6.16 appeared in a Firefox jump list. It'd be interesting to see if this issue is still there...


Yes, that and another one that was on browser private mode artifacts (can't find it now) mentioned it.

Re: Jump Lists

Posted: Tue Jan 03, 2012 8:16 am
Author: keydet89 Location: NoVA
I set up a Win7 VM last night, installed FF 9.x, set it to private browsing mode and then downloaded some files. I'll try to see if I can get some time tonight to determine if these files are recorded in any way in Jump Lists.

Re: Jump Lists

Posted: Tue Jan 03, 2012 11:57 am
Author: douglasbrush Location: New York, NY
<edit>I have done a good amount of review of the papers and information out there on private browsing modes. I have not come across anything about JumpLists. Private Browsing modes in IE and FF are generally very good about not leaving tracks. In IE for example: </edit>

With IE 8, the feature of “InPrivate Browsing” is an option to allow users to activate a “mode” that will not keep any trace of browsing activity. From the Microsoft MSDN Internet Explorer blog article:

While InPrivate Browsing is active, the following takes place:
• New cookies are not stored
    ◦ All new cookies become “session” cookies
    ◦ Existing cookies can still be read
    ◦ The new DOM storage feature behaves the same way
• New history entries will not be recorded
• New temporary Internet files will be deleted after the Private Browsing window is closed
• Form data is not stored
• Passwords are not stored
• Addresses typed into the address bar are not stored
• Queries entered into the search box are not stored
• Visited links will not be stored

One of the white papers that I have found useful that might have been the reference paper referred to is "An Analysis of Private Browsing Modes in Modern Browsers":
crypto.stanford.edu/~d...wsing.html
<edit>However it does not mention JumpLists but has information about the artifacting from downloads.</edit>


Last edited by douglasbrush on Tue Jan 03, 2012 4:03 pm; edited 1 time in total

Re: Jump Lists

Posted: Tue Jan 03, 2012 1:14 pm
Author: keydet89 Location: NoVA
Doug,

Any thoughts on how this information might affect Jump Lists? I downloaded the paper and used the built-in (within Adobe) search functionality, and didn't find any reference to "Jump List".

Re: Jump Lists

Posted: Tue Jan 03, 2012 4:08 pm
Author: douglasbrush Location: New York, NY
Not specifically to JumpLists but in relation to the artifacts left with the downloads. (Sorry cleaned up prior post so at least it was less confusing as to why I posted it). From that paper and the other research I have done recently on private browser modes I have not found that JumpList artifacts were cited or referenced at all. Though from looking at the white papers and blogs I have as references all the test scenarios seem to be with XP. Not sure what paper Yogesh was referencing too but would love to see it as well.

As listed prior and in the paper, the private browsing mode seems to be very specific about not leaving a lot of OS artifacts and wondering if the JumpLists would occur for the "Downloads" window that appears as part of the integrated download manager in FF when a user double-clicks on an item in the list. Just thought the backgrounder of PBM could be useful in context to the discussion of the artifacts that can be found. I have had a Win 7 VM set-up for PBM testing and will try to take a look to see if there is a tie in.

Re: Jump Lists

Posted: Tue Jan 03, 2012 10:57 pm
Author: douglasbrush Location: New York, NY
Doing some playing and with FF 8 pinned I just noticed in the CustomDestinations file for FF8 there are entries that reference:
%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\g2nf95sm.default\jumpListCache

On the test machine in regular non-private mode I had searched Google for CCleaner and found these entries in the FF8 CustomDestinations file:

C:\Program Files (x86)\Mozilla Firefox\firefox.exe..!.c.c.l.e.a.n.e.r. .d.o.w.n.l.o.a.d. .-. .G.o.o.g.l.e. .S.e.a.r.c.h.w.h.t.t.p.:././.w.w.w...g.o.o.g.l.e...c.o.m./.s.e.a.r.c.h.?.q.=.c.c.l.e.a.n.e.r.+.d.o.w.n.l.o.a.d.&.i.e.=.u.t.f.-.8.&.o.e.=.u.t.f.-.8.&.a.q.=.t.&.r.l.s.=.o.r.g...m.o.z.i.l.l.a.:.e.n.-.U.S.:.o.f.f.i.c.i.a.l.&.c.l.i.e.n.t.=.f.i.r.e.f.o.x.-.a.p.C.:.\.U.s.e.r.s.\.T.e.c.h.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.o.z.i.l.l.a.\.F.i.r.e.f.o.x.\.P.r.o.f.i.l.e.s.\.g.2.n.f.9.5.s.m...d.e.f.a.u.l.t.\.j.u.m.p.L.i.s.t.C.a.c.h.e.\.o.d.u.U.G.R.c.q.Q.e.5.9.D.+.L.Q.o.d.C.0.+.Q.=.=...i.c.o........ %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\g2nf95sm.default\jumpListCache\oduUGRcqQe59D+LQodC0+Q==.ico

C:\Program Files (x86)\Mozilla Firefox\firefox.exe....C.C.l.e.a.n.e.r. .-. .D.o.w.n.l.o.a.d.).h.t.t.p.:././.w.w.w...p.i.r.i.f.o.r.m...c.o.m./.c.c.l.e.a.n.e.r./.d.o.w.n.l.o.a.d.p.C.:.\.U.s.e.r.s.\.T.e.c.h.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.o.z.i.l.l.a.\.F.i.r.e.f.o.x.\.P.r.o.f.i.l.e.s.\.g.2.n.f.9.5.s.m...d.e.f.a.u.l.t.\.j.u.m.p.L.i.s.t.C.a.c.h.e.\.v.i.9.w.o.8.1.R.l.r.C.E.E.B.T.+.T.9.i.h.0.Q.=.=...i.c.o........ %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\g2nf95sm.default\jumpListCache\vi9wo81RlrCEEBT+T9ih0Q==.ico


g2nf95sm being the profile for user profile Tech.

The .ico files are PNG files and seem to be some sort of icon cache that FF now links with the jump lists. This just caught my eye and I haven't had a chance to really test in private browsing modes to see if the downloads or if now these .ico references are present.
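
One way to pull the strings described in the post above out of a Firefox CustomDestinations file, as an added example that is not part of the original thread. It assumes the layout visible in the quoted dump, where each string is UTF-16LE preceded by a 16-bit character count (the stray "!", ")" and "p" characters in the dump are those counts); the sample bytes are constructed from the second quoted entry, and the function names are hypothetical.

```python
import re
import struct

MAX_CHARS = 2048  # assumed sanity limit on one counted string
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
ICON_RE = re.compile(r"\\jumpListCache\\[^\\]+\.ico$", re.I)

def carve_counted_utf16(data, min_chars=4):
    """Carve strings stored as <uint16 char count><UTF-16LE chars>.

    Only printable-ASCII strings are accepted, so titles containing
    non-ASCII characters are missed (a limitation of this sketch).
    """
    found, i = [], 0
    while i + 2 <= len(data):
        (n,) = struct.unpack_from("<H", data, i)
        raw = data[i + 2 : i + 2 + 2 * n]
        if min_chars <= n <= MAX_CHARS and len(raw) == 2 * n:
            text = raw.decode("utf-16-le", errors="replace")
            if all(" " <= ch <= "~" for ch in text):
                found.append((i, text))
                i += 2 + 2 * n  # continue after the accepted string
                continue
        i += 1
    return found

def triage(data):
    """Sort carved strings into URLs, jumpListCache icons and the rest."""
    report = {"urls": [], "icons": [], "other": []}
    for _, text in carve_counted_utf16(data):
        if URL_RE.match(text):
            report["urls"].append(text)
        elif ICON_RE.search(text):
            report["icons"].append(text)
        else:
            report["other"].append(text)  # e.g. page titles
    return report

def _counted(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed sample modelled on the second entry quoted in the post.
SAMPLE = (b"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\x00\x00"
          + _counted("CCleaner - Download")
          + _counted("http://www.piriform.com/ccleaner/download")
          + _counted(r"C:\Users\Tech\AppData\Local\Mozilla\Firefox\Profiles"
                     r"\g2nf95sm.default\jumpListCache\vi9wo81RlrCEEBT+T9ih0Q==.ico")
          + b"\x00" * 8)

if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        print(kind, values)
```

Each carved icon path can then be checked against the files actually present in the profile's jumpListCache folder.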

All times are GMT - 6 Hours