Jump Lists
Posted: Thu Dec 29, 2011 8:21 am
I'm curious as to _if_ Jump Lists are being included in exams of Windows 7 systems, and if so, how analysts are deriving information from (parsing) them.
Are analysts viewing these artifacts as sources of evidence? If so, where are analysts developing their understanding of Jump Lists...what are their sources of information regarding the potential forensic value of Jump Lists, and how are they parsing them?
I've posted some thoughts on Jump List Analysis to my blog that I hope others find useful:
windowsir.blogspot.com...lysis.html
Thanks.
-

keydet89 - Senior Member
Re: Jump Lists
Posted: Thu Dec 29, 2011 9:05 am
Hi Harlan,
I certainly view jump lists as a source of evidence. I haven't had the opportunity to use jump lists in an investigation yet, but I've worked with them on the side to be ready for when I do. I've mainly used the built-in parser from X-Ways to handle the jump list files, but I've also done a bit of work using JumpLister.
My largest source of information thus far has been from your blog. As you mentioned, there doesn't seem to be a lot of information available about these artifacts as of yet. I hope to be able to do some more research and experimenting with these files in the future, but regardless, thank you for your hard work and time put into this.
_________________
dfstream.blogspot.com
-

ntexaminer - Member
Re: Jump Lists
Posted: Thu Dec 29, 2011 9:18 am
Thanks. If you have any thoughts, comments, or questions regarding Jump Lists, please feel free to share them.
Does X-Ways parse the DestList stream within the automatic Jump Lists? If so, what is the source of the structure parsing process (do you know where they got the information they use to parse the streams)?
-

keydet89 - Senior Member
Re: Jump Lists
Posted: Thu Dec 29, 2011 9:39 am
Keyword searching in one of my current enquiries has thrown up some indicative links within the jump lists, but the target locations on the local machine have since been deleted. I used Alex Barnett's research paper for a bit of background reading.
Using EnCase to 'View File Structure' on the relevant list and then running the Link File parser against the files I was certainly able to parse out to a spreadsheet leading me to some external devices. I did try MiTec's SSV tool and Woany's JumpLister as well with some success.
-

JerryW - Member
Re: Jump Lists
Posted: Thu Dec 29, 2011 10:00 am
- keydet89: Does X-Ways parse the DestList stream within the automatic Jump Lists? If so, what is the source of the structure parsing process (do you know where they got the information they use to parse the streams)?
X-Ways does parse the DestList stream, adding the associated timestamp into a table with the stream number and path to the file. I'm not sure exactly what the source of XWF parsing process is, however, based on my (somewhat limited) testing, the information seems to be properly interpreted.
_________________
dfstream.blogspot.com
-

ntexaminer - Member
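The exchange above is about what a tool pulls out of the DestList stream: an entry number, a timestamp and a path per entry. As an added illustration (not code from the thread, from X-Ways or from JumpLister), the following parser walks a raw DestList stream and produces exactly those three fields plus the NetBIOS host name and pin status. It assumes the Windows 7 entry layout documented in published research on the format (32-byte stream header; 114-byte fixed part per entry with the NetBIOS name at offset 72, entry number at 88, FILETIME at 100, pin status at 108 and path length in characters at 112, followed by the UTF-16LE path); Windows 10 lengthened the fixed part, so it is Windows 7 only. The DestList stream itself is assumed to have already been extracted from the AutomaticDestinations-ms compound file; the sample stream at the bottom is constructed in the script, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout assumptions (Windows 7 DestList, per published research on the format):
#   stream header          32 bytes: version, entry count, pinned count, ...
#   each entry, fixed part 114 bytes: checksum, volume/object ids, NetBIOS name,
#                          entry number, access count, FILETIME, pin status, path length
#   then the path as UTF-16LE (path length is in characters, not bytes)
# Windows 10 lengthened the fixed part, so this parser is Windows 7 only.
HEADER_LEN = 32
ENTRY_FIXED_LEN = 114
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_destlist(stream):
    """Parse a raw DestList stream already extracted from the compound file.

    Returns the header counts plus one dict per entry (entry number, host,
    last-modified time, pin status, path). Stops at the first entry that does
    not fit in the stream, so a truncated carve still yields the entries it has.
    """
    if len(stream) < HEADER_LEN:
        raise ValueError("DestList stream shorter than its 32-byte header")
    version, entry_count, pinned_count = struct.unpack_from("<III", stream, 0)
    entries = []
    pos = HEADER_LEN
    for _ in range(entry_count):
        if pos + ENTRY_FIXED_LEN > len(stream):
            break
        host = stream[pos + 72:pos + 88].split(b"\x00", 1)[0].decode("ascii", "replace")
        entry_num, = struct.unpack_from("<I", stream, pos + 88)
        ft, = struct.unpack_from("<Q", stream, pos + 100)
        pin, = struct.unpack_from("<i", stream, pos + 108)      # -1 means not pinned
        path_chars, = struct.unpack_from("<H", stream, pos + 112)
        path_start = pos + ENTRY_FIXED_LEN
        path_end = path_start + path_chars * 2
        if path_end > len(stream):
            break
        entries.append({
            "entry": entry_num,
            "host": host,
            "last_modified": filetime_to_datetime(ft),
            "pin_status": pin,
            "path": stream[path_start:path_end].decode("utf-16-le", "replace"),
        })
        pos = path_end
    return {"version": version, "entry_count": entry_count,
            "pinned_count": pinned_count, "entries": entries}


def timeline_rows(stream):
    """(timestamp, host, path) rows sorted by time, ready to merge into a case timeline."""
    return sorted((e["last_modified"], e["host"], e["path"])
                  for e in parse_destlist(stream)["entries"])


# --- constructed sample stream (not a real artifact) -------------------------
def _to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def _entry(entry_num, host, dt, path, pin=-1):
    fixed = bytearray(ENTRY_FIXED_LEN)
    fixed[72:72 + len(host)] = host.encode("ascii")
    struct.pack_into("<I", fixed, 88, entry_num)
    struct.pack_into("<Q", fixed, 100, _to_filetime(dt))
    struct.pack_into("<i", fixed, 108, pin)
    struct.pack_into("<H", fixed, 112, len(path))
    return bytes(fixed) + path.encode("utf-16-le")


SAMPLE_STREAM = (
    struct.pack("<IIIfIIII", 1, 2, 0, 0.0, 2, 0, 0, 0)  # header: version 1, 2 entries, none pinned
    + _entry(1, "WIN7-PC", datetime(2011, 12, 29, 8, 21, tzinfo=timezone.utc),
             r"C:\Users\user\Documents\report.docx")
    + _entry(2, "WIN7-PC", datetime(2011, 12, 29, 9, 5, tzinfo=timezone.utc),
             r"E:\photos\IMG_0042.jpg")
)

if __name__ == "__main__":
    for ts, host, path in timeline_rows(SAMPLE_STREAM):
        print(ts.isoformat(), host, path)
```

The timestamp this recovers is the per-entry time stored in DestList, which is the one a tool tables next to the stream number and path; the individual numbered LNK streams in the same compound file carry their own target timestamps and are parsed separately. Because the parser stops cleanly at the first entry that overruns the stream, the same function can be run over a copy of the file pulled from a Volume Shadow Copy and the two result sets merged to see entries that have since been overwritten.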
Re: Jump Lists
Posted: Thu Dec 29, 2011 10:31 am
Thanks for your contributions. I have a couple of opportunities coming up to give presentations, and I've been considering adding more content on Jump Lists. As such, I wanted to get an idea of where folks are with the analysis of these artifacts.
If you don't mind me asking, in what types of cases have you found Jump Lists most useful? Cases involving viewing of images or movies? Intrusion cases?
How useful are the tools that you're using? Do they provide the necessary functionality? Do they make reporting easy? Have you considered getting additional time stamped information by accessing previous versions of the Jump List files found in VSCs?
-

keydet89 - Senior Member
Re: Jump Lists
Posted: Thu Dec 29, 2011 12:10 pm
- keydet89: If you don't mind me asking, in what types of cases have you found Jump Lists most useful? Cases involving viewing of images or movies? Intrusion cases?
How useful are the tools that you're using? Do they provide the necessary functionality? Do they make reporting easy? Have you considered getting additional time stamped information by accessing previous versions of the Jump List files found in VSCs?
I haven't had the opportunity to use jump lists in an exam yet, but I'd imagine the type of cases I'll use them with to be involving viewing images/movies or otherwise helping piece together user activity (USB device history, tracking access to a particular file, etc.).
If I needed additional time stamped data from jump lists (or anywhere for that matter), I would harvest the data from VSC (making use of Corey Harrell's batch file) and add that to my timeline for the case. Similarly, if I wasn't able to find the evidence I was looking for in a particular jump list, I would check the VSC.
_________________
dfstream.blogspot.com
-

ntexaminer - Member