Forensic Focus - General Discussion - Jump Lists


General Discussion

Jump Lists

Re: Jump Lists

Posted: Thu Jan 05, 2012 7:44 am
Author: keydet89 Location: NoVA
Doug,

Very interesting stuff. My initial testing with respect to FF 9, private browsing mode and Jump Lists seems to indicate that downloading files via FF 9 in private browsing mode does NOT leave *.automaticDestinations-ms Jump Lists.

More testing is required, however.

Your findings are interesting, in that if a user were to pin FF, this is something that we might expect to see. Very cool.

Re: Jump Lists

Posted: Thu Jan 05, 2012 7:47 am
Author: keydet89 Location: NoVA
One of the things I've been finding with respect to taking informal surveys of analysts with respect to their attention to Jump Lists (either variant) is that there is a small group of those who are analyzing Windows 7 systems, are not interested in the user activity (i.e., malware issues), and know about Jump Lists. That is, they are familiar enough with the artifacts to defer analysis of them, and can justify that decision.

However, it would appear that the vast majority of analysts handling Windows 7 systems simply do not have any knowledge of the artifact at all.

Re: Jump Lists

Posted: Mon Jan 09, 2012 8:25 pm
Author: keydet89 Location: NoVA
- ntexaminer
I think he's referring to the whitepaper by Alex Barnett (Yogesh, please correct me if I'm wrong). The paper mentions that downloaded files using the private browsing mode of Firefox 3.6.16 appeared in a Firefox jump list. It'd be interesting to see if this issue is still there...


I recently set up a new VM (Win7 Ult, 32-bit) and installed Firefox 9.01. I launched it, set it to private browsing, and downloaded two files from SysInternals. I then closed FF, shut down the VM, and loaded the VMDK file into FTK Imager...no Jump Lists appeared to have been created for the FF downloads.

Re: Jump Lists

Posted: Tue Jan 10, 2012 6:55 am
Author: philh Location: UK
I've used evidence from JumpLists in a couple of cases - specifically for showing access/viewing of images and movies. For this I've focussed on the DestList attribute which, from reading through the various available information, appears to effectively contain an MRU list on a per-application basis.

Thus far I've used woanware's JumpLister tool to parse my JumpLists, but now that your Perl code is available I'll give that a test next time I need to process any JumpLists.

In the future I think I would investigate JumpLists, as a matter of course, where access/viewing of images and movies is a point to prove in a case.

Phil H

Re: Jump Lists

Posted: Tue Jan 10, 2012 7:10 am
Author: keydet89 Location: NoVA
Phil,

Good to hear, thanks.

"...I've focussed on the DestList attribute which, from reading through the various available information, appears to effectively contain an MRU list on a per-application basis."

Do you remember where you saw this? If so, can you share a link or reference?

I'd think that anytime user activity were in question, Jump Lists would be a resource of some kind.

Thanks.
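As an added illustration of the DestList structure Phil describes (not code from either poster), the following parses the DestList stream of a Windows 7 *.automaticDestinations-ms Jump List into an MRU-style list. It assumes the version-1 (Windows 7) layout documented in public research, a 32-byte header followed by 114-byte fixed records each trailed by a UTF-16LE path, and the two-entry sample stream is constructed inline rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 DestList layout (format version 1) as documented in public research:
# a 32-byte header, then per entry a 114-byte fixed record followed by the
# target path as UTF-16LE of the length given in the record.
HEADER = struct.Struct("<IIIIqq")  # version, entries, pinned, counter, last id, actions
ENTRY = struct.Struct("<8s16s16s16s16s16sI8sqiH")  # checksum, 4 droids, host, id, unk, FILETIME, pin, len

def filetime_to_dt(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_destlist(data):
    """Parse a DestList stream; return entries newest first, i.e. as an MRU list."""
    version, n_entries, _pinned, _ctr, _last_id, _actions = HEADER.unpack_from(data, 0)
    if version != 1:
        raise ValueError(f"unsupported DestList version {version}")
    entries, off = [], HEADER.size
    for _ in range(n_entries):
        (_cs, _vol, _obj, _bvol, _bobj, host, entry_id,
         _unk, ft, pin, slen) = ENTRY.unpack_from(data, off)
        off += ENTRY.size
        path = data[off:off + slen * 2].decode("utf-16-le")  # slen is in UTF-16 code units
        off += slen * 2
        entries.append({"id": entry_id, "host": host.rstrip(b"\0").decode("ascii"),
                        "modified": filetime_to_dt(ft), "pinned": pin != -1, "path": path})
    return sorted(entries, key=lambda e: e["modified"], reverse=True)

def build_sample():
    """Constructed two-entry DestList stream for testing (sample data, not a real file)."""
    def entry(eid, host, ft, pin, path):
        fixed = ENTRY.pack(b"\0" * 8, b"\0" * 16, b"\0" * 16, b"\0" * 16, b"\0" * 16,
                           host.ljust(16, "\0").encode("ascii"), eid, b"\0" * 8, ft, pin, len(path))
        return fixed + path.encode("utf-16-le")
    body = (entry(1, "WIN7-VM", 129700000000000000, -1, r"C:\Users\doug\Pictures\img001.jpg")
            + entry(2, "WIN7-VM", 129700864000000000, 0, r"C:\Users\doug\Videos\clip.avi"))
    return HEADER.pack(1, 2, 1, 0, 2, 2) + body

if __name__ == "__main__":
    for e in parse_destlist(build_sample()):
        print(e["modified"].isoformat(), "pinned" if e["pinned"] else "      ", e["path"])
```

For a real Jump List the DestList stream would first be extracted from the OLE compound file (for example with the olefile library) and passed to parse_destlist.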

Re: Jump Lists

Posted: Tue Jan 10, 2012 8:16 am
Author: ntexaminer Location: United States
- keydet89
- ntexaminer
I think he's referring to the whitepaper by Alex Barnett (Yogesh, please correct me if I'm wrong). The paper mentions that downloaded files using the private browsing mode of Firefox 3.6.16 appeared in a Firefox jump list. It'd be interesting to see if this issue is still there...


I recently set up a new VM (Win7 Ult, 32-bit) and installed Firefox 9.01. I launched it, set it to private browsing, and downloaded two files from SysInternals. I then closed FF, shut down the VM, and loaded the VMDK file into FTK Imager...no Jump Lists appeared to have been created for the FF downloads.


Thanks for following up on that Harlan, good to know (well I suppose it's good and bad).

Re: Jump Lists

Posted: Tue Jan 10, 2012 8:48 am
Author: keydet89 Location: NoVA
The "bad" news is that no Jump Lists were created, but a Prefetch file for Firefox was created, and a UserAssist entry was created in the user's NTUSER.DAT.