Jump List Examination

(@chitapett)
Posts: 76
Estimable Member
Topic starter
 

I'm working a case and have identified evidence in a jump list that a file had been accessed from a removable device on a specific date. I wanted to test my logic here to see if I'm missing something. OS Win 8.

I've identified evidence of file activity through the analysis of Jump Lists using IEF. Artifacts show the following

F\File Name Here.XLSX has a target file created date of 1/1/2016 21111 PM and a last modified date/time of 1/1/2016 21118 PM UTC, and a last access date/time 2 minutes later.

Drive Type = Drive_Removable

Based on these findings I believe I have enough evidence to indicate that the file in question was copied (or saved) to the external device directly (same Create and Modified date) and that it was opened 2 minutes later.

Any objections? D

 
Posted : 13/07/2016 5:23 am
(@randomaccess)
Posts: 385
Reputable Member
 

F\File Name Here.XLSX has a target file created date of 1/1/2016 21111 PM and a last modified date/time of 1/1/2016 21118 PM UTC, and a last access date/time 2 minutes later.

Is the last access date taken from the MFT entry of the file found within the jump list? Or is it from the destination list?

It's been covered in a number of places that the Access Date is largely irrelevant these days, as Windows doesn't really use it to indicate file access by default.
</grreplace>
<gr_replace lines="43" cat="clarify" orig="Might I suggest">
Might I suggest running the jump list through another tool for clarification?

Might I suggest running the jumplist through another tool for clarification?

Also, when you say copied or saved directly, are you implying it was done so from the computer you're examining? Because I don't think you have that from the information you've provided…

So far you can say that a file xyz.xls that resided on a USB drive (with drive name/letter/volume serial number) was opened. It had the created/modified/accessed date of x. It was last accessed at the time taken from the destination list.

 
Posted : 13/07/2016 5:34 am
(@sam305754)
Posts: 44
Eminent Member
 

Hi,

As randomaccess said, you can say the .xlsx file stored on the USB device was opened on this machine, but you cannot state it was copied onto the USB device.

Regards

 
Posted : 13/07/2016 11:34 am
(@yunus)
Posts: 178
Estimable Member
 

Dates and times are not easy to verify when it comes to timestamps of files. You cannot know for sure that at some time in the past the computer had the correct date and time.

So regarding anything related to dates and times, I would say "might be", unless verified by an external and unchanging date-time source.

Secondly, the names in the jumplists… files with the same names should also be considered. How are file names placed in the jumplists if there are two different files with the same name? Do they have different names in jumplists, or do they have the same name? Can you know for sure that the file name shown in the jumplist is exactly that of the file under investigation? Can you know for sure that the computer did not have any other file with the same name in the past?

Too many possibilities.

 
Posted : 13/07/2016 11:41 am
(@randomaccess)
Posts: 385
Reputable Member
 

Secondly, the names in the jumplists… files with the same names should also be considered. How are file names placed in the jumplists if there are two different files with the same name? Do they have different names in jumplists, or do they have the same name? Can you know for sure that the file name shown in the jumplist is exactly that of the file under investigation? Can you know for sure that the computer did not have any other file with the same name in the past?

Generally I'll look at the metadata of the file itself and the file in the jumplist/link file.
So if there's a file on the computer that matches the filename accessed on an external drive according to the jmp/lnk, and that also has the same size and some matching dates/times, then one can infer that the files are probably the same. Obviously the more matching data points you get, the better. But generally, say with pictures/videos, with the same name/path + size + last written date, it's quite likely that it's the same file.

 
Posted : 13/07/2016 4:03 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I've identified evidence of file activity through the analysis of Jump Lists using IEF. Artifacts show the following

F\File Name Here.XLSX has a target file created date of 1/1/2016 21111 PM and a last modified date/time of 1/1/2016 21118 PM UTC, and a last access date/time 2 minutes later.

Drive Type = Drive_Removable

Based on these findings I believe I have enough evidence to indicate that the file in question was copied (or saved) to the external device directly (same Create and Modified date) and that it was opened 2 minutes later.

Any objections? D

Based on JUST what you've shared, I'm not sure that you can make that conclusion.

For example, you've shared nothing that indicates that the file in question was found in any location other than the removable drive.

Do you know the file system of the thumb/removable drive? If it's NTFS, are you aware of (as 'randomaccess' mentioned) how those date/time stamps are handled by the OS?

 
Posted : 13/07/2016 4:12 pm
(@chitapett)
Posts: 76
Estimable Member
Topic starter
 

Thank you all for your contribution. A few additional notes to consider.

I've run the jumplist through another tool and the dates are the same.

Last Accessed date is taken from the DestList of the JumpList. The file was located on an external removable device and was inaccessible for review, and a copy was not found on the file system of the computer being investigated. Plus, keep in mind that the Create Date and Modified Date from the LNK portion of the JumpList are milliseconds apart and the Accessed date in the DestList is 2 minutes later.

What's the problem with saying the file was created on the external device on the "Create Date", given the modified date matches, as listed in the LNK portion of the jumplist?

Chronology shows the file was opened 2 min after it was created on the thumb drive. What am I missing - what should I be looking for in addition?

I ask so I can dig deeper if needed. Thanks in advance for your continued support.

Thanks!!

 
Posted : 14/07/2016 5:16 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Last Accessed date is taken from the DestList of the JumpList.

That makes a pretty significant difference.

 
Posted : 14/07/2016 3:33 pm
(@mcman)
Posts: 189
Estimable Member
 

Last Accessed date is taken from the DestList of the JumpList.

This is correct. IEF will report 4 timestamps for jumplists: 3 Target MAC times, which are the MAC times for the related file (in your case FileNameHere.XLSX) coming from the shortcut entry/LNK file associated with it, and the other timestamp is the last access time for the DestList entry.

Hope this helps,

Jamie McQuaid
Magnet Forensics

 
Posted : 14/07/2016 6:08 pm
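As an added illustration (not code from this thread, from IEF or from Magnet Forensics), the following Python pulls the four timestamps Jamie describes straight out of the two raw structures: the target Created/Accessed/Written FILETIMEs from the embedded LNK's ShellLinkHeader, and the last-recorded-access FILETIME plus path from a Windows 7/8 (version 1) DestList entry. The byte offsets follow the published MS-SHLLINK header layout and the commonly documented v1 DestList entry layout; the sample bytes, path and times are constructed here and are not the case data.

```python
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """64-bit Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10  # exact integer math

def lnk_target_times(lnk):
    """Target Created/Accessed/Written from the ShellLinkHeader (offsets 0x1C, 0x24, 0x2C)."""
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    c, a, w = struct.unpack_from("<QQQ", lnk, 0x1C)
    return {"created": filetime_to_dt(c), "accessed": filetime_to_dt(a), "written": filetime_to_dt(w)}

def destlist_entry(entry):
    """Entry number, last-recorded-access time and path from a Win7/8 (v1) DestList entry."""
    # Fixed part is 114 bytes: checksum, four GUIDs, NetBIOS name, then the fields read here.
    entry_id, = struct.unpack_from("<I", entry, 88)
    last_access, = struct.unpack_from("<Q", entry, 100)
    path_chars, = struct.unpack_from("<H", entry, 112)      # length in UTF-16 characters
    path = entry[114:114 + 2 * path_chars].decode("utf-16-le")
    return {"entry": entry_id, "destlist_access": filetime_to_dt(last_access), "path": path}

def timeline(lnk, entry):
    """Join both sources and compute the gap the thread argues about (DestList access - target Created)."""
    t = lnk_target_times(lnk)
    t.update(destlist_entry(entry))
    t["open_after_create"] = t["destlist_access"] - t["created"]
    return t

def build_sample():
    """Constructed test data (not case data): an LNK header and a DestList entry for a removable-drive path."""
    created = datetime(2016, 1, 1, 9, 0, 0, tzinfo=timezone.utc)
    hdr = bytearray(0x4C)
    struct.pack_into("<I", hdr, 0, 0x4C)
    ft = dt_to_filetime(created)
    struct.pack_into("<QQQ", hdr, 0x1C, ft, ft, ft)          # Created == Written, as in the thread
    path = "F:\\File Name Here.XLSX"
    ent = bytearray(114)
    struct.pack_into("<I", ent, 88, 1)
    struct.pack_into("<Q", ent, 100, dt_to_filetime(created + timedelta(minutes=2)))
    struct.pack_into("<H", ent, 112, len(path))
    return bytes(hdr), bytes(ent) + path.encode("utf-16-le")
```

Note that only the DestList value is an access time Windows actually maintains for the jump list; the three header times are whatever the target's file system reported when the LNK stream was written, which is why the thread asks which structure the "last accessed" came from.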
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

I think you are trying to find evidence about copying a document to a USB device from the jump list. If the jump-listed file exists on the acquired hard drive and the jump list indicates it as opened from the USB drive, yes, you can say it. You should also look at link files to verify.

 
Posted : 15/07/2016 2:08 pm