Jump Lists
Re: Jump Lists
Posted: Thu Jan 12, 2012 7:03 am
- keydet89 wrote:
Phil,
Good to hear, thanks.
"...I've focussed on the DestList attribute which, from reading through the various available information, appears to effectively contain an MRU list on a per-application basis."
Do you remember where you saw this? If so, can you share a link or reference?
I'd think that anytime user activity were in question, Jump Lists would be a resource of some kind.
Thanks.

Heh, I actually got that originally from your blog - where you refer to the DestList stream, and testing that has been performed to demonstrate this.
Some testing of my own has also corroborated the fact the DestList stream appears to act as an application-specific MRU/Recent Item list.
Phil H
-

philh - Member
Re: Jump Lists
Posted: Fri Jan 27, 2012 7:16 am
Phil,
"Some testing of my own has also corroborated the fact the DestList stream appears to act as an application-specific MRU/Recent Item list."
Have you posted this anywhere? Could you provide a link? If not, can you share your testing and findings with us?
-

keydet89 - Senior Member
Re: Jump Lists
Posted: Sun Feb 05, 2012 5:36 am
- keydet89 wrote:
Phil,
"Some testing of my own has also corroborated the fact the DestList stream appears to act as an application-specific MRU/Recent Item list."
Have you posted this anywhere? Could you provide a link? If not, can you share your testing and findings with us?

Sorry it's taken a while to respond to this - I'm afraid that the testing that I've performed has been in the process of investigating individual cases, and I've not had the opportunity to formally document or post the results anywhere. Essentially my testing involved using a known (test) installation of Windows 7, then accessing files via known applications - EnCase was then used to examine the test system, and extract the relevant Jump List file, which I then analysed using woanware's tool. A comparison of the contents of the DestList stream, with the files known to have been accessed, indicated that this appeared to be working as an application-specific MRU/Recent Item list.
Phil H
-

philh - Member
Re: Jump Lists
Posted: Tue Feb 28, 2012 6:00 am
I have recently submitted my thesis on the topic of Jump Lists.
As it stands at the moment I am seeking permission to release it in full but am happy to take questions from any that are interested.
Regards
Rob
-

ssenyl - Member
Re: Jump Lists
Posted: Tue Feb 28, 2012 7:11 am
Rob,
I'm not sure what questions we can ask...so I'll throw something out...
What were your sources? What was your approach? Can you give a general overview of your methodology and/or findings?
Thanks.
-

keydet89 - Senior Member
Re: Jump Lists
Posted: Thu Mar 01, 2012 8:22 am
Harlan,
As you and others have noted there is little information available in the public domain about Jump Lists, in particular the structure and detail recorded in the DestList.
My research was therefore based around experimentation conducted on a virtual machine running x64 Ultimate and looked at what data was present throughout the installation process up to and including first login.
I then went on to look at opening files and explored the additional types of file access available through left and right mouse clicks (also in combination with the shift key) and from the command line.
I looked at pinning entries to and deleting them from a list and also whether a count is maintained of the number of times a file is opened.
Based upon the results of the experimentation I think that I have determined the full structure of the DestList and have written a program in Python which will extract all of the artefacts within the header and individual entries in the DestList. It is by no means a perfect program but I intend to develop it further to address its limitations, for example it does not parse the individual 'shortcut' elements.
I am still researching the copyright issues associated with the thesis and hope to be able to make it available for any that want to read it in the near future.
Rob
-

ssenyl - Member
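
An added illustration of what a DestList extractor of the kind discussed in this thread does, listing entries most recent first as an MRU view; it is not Rob's program or woanware's tool, and it is not part of any post. The stream layout (32-byte header, then a 114-byte fixed entry part followed by a UTF-16 path) is the publicly described Windows 7 layout and is an assumption here, as are all function names and the constructed sample stream.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 7 DestList layout (little-endian), from public write-ups:
# header (32 bytes): version u32, entry count u32, pinned count u32, 4 bytes
# skipped, last entry ID u64, add/delete action count u64.
HEADER = struct.Struct("<III4xQQ")
# entry fixed part (114 bytes): checksum u64, 4 x 16-byte GUIDs (volume/object
# IDs), NetBIOS name (16), entry ID u64, 4 bytes skipped, FILETIME u64,
# pin status i32 (-1 = not pinned), path length in UTF-16 characters u16.
ENTRY = struct.Struct("<Q64s16sQ4xQiH")

def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_destlist(data):
    """Return (header dict, entries sorted most recent first)."""
    if len(data) < HEADER.size:
        raise ValueError("DestList stream shorter than its header")
    version, count, pinned, last_id, actions = HEADER.unpack_from(data, 0)
    header = {"version": version, "entries": count, "pinned": pinned,
              "last_entry_id": last_id, "actions": actions}
    entries, off = [], HEADER.size
    while off + ENTRY.size <= len(data):
        _, _, host, entry_id, ft, pin, nchars = ENTRY.unpack_from(data, off)
        end = off + ENTRY.size + nchars * 2
        if end > len(data):          # truncated or carved stream: stop cleanly
            break
        path = data[off + ENTRY.size:end].decode("utf-16-le", errors="replace")
        entries.append({"entry_id": entry_id,
                        "host": host.split(b"\x00", 1)[0].decode("ascii", "replace"),
                        "last_access": filetime_to_dt(ft),
                        "pinned": pin != -1, "path": path})
        off = end
    entries.sort(key=lambda e: e["last_access"], reverse=True)
    return header, entries

def build_sample():
    """Constructed two-entry stream for illustration (not from a real system)."""
    def entry(eid, ft, pin, path):
        return ENTRY.pack(0, b"\x00" * 64, b"TESTPC".ljust(16, b"\x00"),
                          eid, ft, pin, len(path)) + path.encode("utf-16-le")
    return (HEADER.pack(1, 2, 1, 2, 5)
            + entry(1, 129700000000000000, -1, r"C:\Users\test\a.txt")
            + entry(2, 129710000000000000, 0, r"C:\Users\test\b.docx"))
```

Comparing the sorted output against a list of files known to have been opened on a test system is the kind of check described earlier in the thread.
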
Re: Jump Lists
Posted: Thu Mar 01, 2012 8:31 am
Rob,
Thanks. I was wondering how the DestList structure you'd determined compares to what I'd posted to my blog (http://windowsir.blogspot.com/2011/06/meetup-tools-and-other-stuff.html) as well as to the ForensicsWiki.
Thanks.
-

keydet89 - Senior Member
















