Forensic Focus - General Discussion - Jump Lists

Re: Jump Lists

Posted: Thu Dec 29, 2011 1:13 pm
Author: keydet89 Location: NoVA
NTExaminer,

That's an interesting analysis technique, and one I'm going to have to explore.

Using the Perl modules I've created for parsing Jump Lists, I could see parsing the DestList stream from a specific Jump List, and using "find" to extract just the information about a particular file in question. You could then use Corey's technique to run that same tool across the previous versions of the Jump List files in the VSCs.

Interesting blog, BTW. I'm definitely going to be checking back...
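
The approach described in the post above (parse the DestList stream, keep only the entries for one file, repeat for the Jump List copy in each VSC), as an added Python example that is not part of the original thread and is not keydet89's Perl code. It assumes the commonly documented Windows 7 DestList layout (32-byte header, 114-byte fixed entry part, UTF-16LE path) and that each DestList stream has already been extracted from its Jump List file; the sample streams, host name and paths are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
HEADER_LEN, ENTRY_FIXED = 32, 114  # assumed Windows 7 DestList sizes

def parse_destlist(stream):
    """Yield one dict per DestList entry; stops cleanly on a truncated stream."""
    count, = struct.unpack_from("<I", stream, 4)  # entry count in the header
    off = HEADER_LEN
    for _ in range(count):
        if off + ENTRY_FIXED > len(stream):
            break
        host = stream[off + 72:off + 88].split(b"\x00")[0].decode("ascii", "replace")
        entry_id, = struct.unpack_from("<Q", stream, off + 88)
        # FILETIME, pin status (-1 assumed to mean "not pinned"), path length in chars
        ftime, pin, nchars = struct.unpack_from("<QiH", stream, off + 100)
        raw = stream[off + ENTRY_FIXED:off + ENTRY_FIXED + 2 * nchars]
        yield {"id": entry_id, "host": host, "pinned": pin != -1,
               "time": EPOCH + timedelta(microseconds=ftime // 10),
               "path": raw.decode("utf-16-le", "replace")}
        off += ENTRY_FIXED + 2 * nchars

def find_in_snapshots(snapshots, needle):
    """Return (label, entry) for each entry whose path contains needle."""
    needle = needle.lower()
    return [(label, e) for label, data in snapshots
            for e in parse_destlist(data) if needle in e["path"].lower()]

def build_sample(entries):
    """Pack a constructed DestList stream in the same assumed layout."""
    body = b""
    for eid, host, when, path in entries:
        ft = ((when - EPOCH) // timedelta(microseconds=1)) * 10
        body += (bytes(72) + host.encode().ljust(16, b"\x00")
                 + struct.pack("<QfQiH", eid, 1.0, ft, -1, len(path))
                 + path.encode("utf-16-le"))
    return struct.pack("<IIIfQQ", 1, len(entries), 0, 1.0, len(entries), 0) + body

# Constructed sample data: the same Jump List as seen in one VSC and on the live volume.
DOC, UTC = r"C:\Users\demo\Documents\report.docx", timezone.utc
SNAPSHOTS = [
    ("ShadowCopy1", build_sample([(1, "DEMO-PC", datetime(2011, 12, 1, 10, 0, tzinfo=UTC), DOC)])),
    ("live", build_sample([(1, "DEMO-PC", datetime(2011, 12, 28, 9, 30, tzinfo=UTC), DOC),
                           (2, "DEMO-PC", datetime(2011, 12, 29, 8, 0, tzinfo=UTC), r"C:\Users\demo\notes.txt")])),
]

if __name__ == "__main__":
    for label, e in find_in_snapshots(SNAPSHOTS, "report.docx"):
        print(label, e["time"].isoformat(), e["host"], e["path"])
```

Comparing the timestamp of the same entry across snapshots shows how the recorded time for that file changed between shadow copies.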

Re: Jump Lists

Posted: Thu Dec 29, 2011 3:44 pm
Author: ntexaminer Location: United States
- keydet89
Using the Perl modules I've created for parsing Jump Lists, I could see parsing the DestList stream from a specific Jump List, and using "find" to extract just the information about a particular file in question. You could then use Corey's technique to run that same tool across the previous versions of the Jump List files in the VSCs.


I like that approach - you could really use the beauty of batch processing to your advantage here. I'll have to mess around with this technique a bit...

Thanks for the words about my blog - glad to hear it interests you.

Re: Jump Lists

Posted: Fri Dec 30, 2011 8:13 am
Author: keydet89 Location: NoVA
No problem...just added your blog to the blog roll on my blog. ;)

I was working on some code samples using my Perl modules last night, and I think I'm going to add an example to parse just the DestList stream, to be part of the analysis technique I mentioned above.

Re: Jump Lists

Posted: Fri Dec 30, 2011 5:07 pm
Author: keydet89 Location: NoVA
Posted my Jump List parser code:
code.google.com/p/winf...loads/list

Re: Jump Lists

Posted: Fri Dec 30, 2011 11:49 pm
Author: YogeshKhatri Location: Mumbai, India
Harlan, good post. Yes, I have used it as evidence and routinely check for it on every case. It is the best indication of a file being opened by a particular application at a particular time.

I also read in another whitepaper some time back that in older versions of Firefox (might work now too), when in private mode browsing, files downloaded are also found in jumplists.

Re: Jump Lists

Posted: Sat Dec 31, 2011 9:52 am
Author: keydet89 Location: NoVA
Yogesh,

If you can find that white paper, I'd greatly appreciate it...

Re: Jump Lists

Posted: Sat Dec 31, 2011 3:00 pm
Author: ntexaminer Location: United States
I think he's referring to the whitepaper by Alex Barnett (Yogesh, please correct me if I'm wrong). The paper mentions that downloaded files using the private browsing mode of Firefox 3.6.16 appeared in a Firefox jump list. It'd be interesting to see if this issue is still there...
All times are GMT - 6 Hours