- keydet89
Does X-Ways parse the DestList stream within the automatic Jump Lists? If so, what is the source of the structure parsing process (do you know where they got the information they use to parse the streams)?
X-Ways does parse the DestList stream, adding the associated timestamp into a table with the stream number and path to the file. I'm not sure exactly what the source of the XWF parsing process is; however, based on my (somewhat limited) testing, the information seems to be properly interpreted.
- keydet89
If you don't mind me asking, in what types of cases have you found Jump Lists most useful? Cases involving viewing of images or movies? Intrusion cases?
How useful are the tools that you're using? Do they provide the necessary functionality? Do they make reporting easy? Have you considered getting additional time stamped information by accessing previous versions of the Jump List files found in VSCs?
I haven't had the opportunity to use jump lists in an exam yet, but I'd imagine the types of cases I'll use them with to be those involving viewing images/movies or otherwise helping piece together user activity (USB device history, tracking access to a particular file, etc.).
If I needed additional time stamped data from jump lists (or anywhere for that matter), I would harvest the data from VSC (making use of Corey Harrell's batch file) and add that to my timeline for the case. Similarly, if I wasn't able to find the evidence I was looking for in a particular jump list, I would check the VSC.