Jump Lists
Re: Jump Lists
Posted: Thu Dec 29, 2011 1:13 pm
NTExaminer,
That's an interesting analysis technique, and one I'm going to have to explore.
Using the Perl modules I've created for parsing Jump Lists, I could see parsing the DestList stream from a specific Jump List, and using "find" to extract just the information about a particular file in question. You could then use Corey's technique to run that same tool across the previous versions of the Jump List files in the VSCs.
Interesting blog, BTW. I'm definitely going to be checking back...
-

keydet89 - Senior Member
Re: Jump Lists
Posted: Thu Dec 29, 2011 3:44 pm
- keydet89: Using the Perl modules I've created for parsing Jump Lists, I could see parsing the DestList stream from a specific Jump List, and using "find" to extract just the information about a particular file in question. You could then use Corey's technique to run that same tool across the previous versions of the Jump List files in the VSCs.
I like that approach - you could really use the beauty of batch processing to your advantage here. I'll have to mess around with this technique a bit...
Thanks for the words about my blog - glad to hear it interests you.
_________________
dfstream.blogspot.com
-

ntexaminer - Member
Re: Jump Lists
Posted: Fri Dec 30, 2011 8:13 am
No problem...just added your blog to the blog roll on my blog. 
I was working on some code samples using my Perl modules last night, and I think I'm going to add an example to parse just the DestList stream, to be part of the analysis technique I mentioned above.
-

keydet89 - Senior Member
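
Added example (not part of the original thread, and not keydet89's Perl modules): a Python sketch of the technique discussed above, parsing just the DestList stream and pulling the entry for one file out of each previous version of the Jump List. It assumes the publicly documented Windows 7 DestList layout (32-byte header, 114-byte fixed entry part, FILETIME at entry offset 100, path length at offset 112) and that the stream bytes have already been extracted from each copy of the Jump List file; the paths, snapshot labels and helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
HEADER_LEN, ENTRY_FIXED_LEN = 32, 114               # Windows 7 DestList layout (assumed)

def parse_destlist(data):
    """Return [{'id', 'accessed', 'path'}] for each entry in a DestList stream."""
    if len(data) < HEADER_LEN:
        return []
    count, = struct.unpack_from("<I", data, 4)       # number of entries
    entries, pos = [], HEADER_LEN
    for _ in range(count):
        if pos + ENTRY_FIXED_LEN > len(data):
            break                                    # truncated stream: stop cleanly
        entry_id, = struct.unpack_from("<Q", data, pos + 88)
        ft, nchars = struct.unpack_from("<Q4xH", data, pos + 100)
        raw = data[pos + ENTRY_FIXED_LEN:pos + ENTRY_FIXED_LEN + 2 * nchars]
        entries.append({"id": entry_id,
                        "accessed": EPOCH + timedelta(microseconds=ft // 10),
                        "path": raw.decode("utf-16-le", "replace")})
        pos += ENTRY_FIXED_LEN + 2 * nchars
    return entries

def history_for(target, snapshots):
    """snapshots: [(label, DestList bytes)], oldest first. One row per hit on target."""
    return [(label, e["accessed"]) for label, blob in snapshots
            for e in parse_destlist(blob) if e["path"].lower() == target.lower()]

# --- Constructed sample data (not real evidence) ---
def _ft(*ymdhm):
    return (datetime(*ymdhm, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10

def _build(rows):
    out = struct.pack("<IIIfQQ", 1, len(rows), 0, 0.0, len(rows), 0)
    for i, (path, ft) in enumerate(rows, 1):
        out += bytes(88) + struct.pack("<QfQiH", i, 1.0, ft, -1, len(path))
        out += path.encode("utf-16-le")
    return out

DOC = r"C:\Users\test\Documents\plan.docx"
OTHER = r"C:\Users\test\Desktop\notes.txt"
SNAPSHOTS = [  # labels stand in for mounted shadow copies plus the live volume
    ("VSC1", _build([(DOC, _ft(2011, 12, 20, 9, 15))])),
    ("VSC2", _build([(OTHER, _ft(2011, 12, 24, 8, 0)), (DOC, _ft(2011, 12, 23, 17, 40))])),
    ("live", _build([(OTHER, _ft(2011, 12, 28, 11, 5)), (DOC, _ft(2011, 12, 23, 17, 40))])),
]
if __name__ == "__main__":
    for label, when in history_for(DOC, SNAPSHOTS):
        print(f"{label:5} {when:%Y-%m-%d %H:%M} UTC  {DOC}")
```

A change in the recorded time between two snapshots brackets when the file was last opened through that application; an unchanged time across later snapshots shows it was not reopened in between.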
Re: Jump Lists
Posted: Fri Dec 30, 2011 11:49 pm
Harlan, good post. Yes, I have used it as evidence and routinely check for it on every case. It is the best indication of a file being opened by a particular application at a particular time.
I also read in another whitepaper some time back that in older versions of Firefox (might work now too), when in private mode browsing, files downloaded are also found in jumplists.
_________________
Yogesh Khatri
- EnCE, GREM, GPEN, GCIA
Independent Forensic Consultant & Researcher
Mumbai, India
Blog- www.swiftforensics.com
-

YogeshKhatri - Member
Re: Jump Lists
Posted: Sat Dec 31, 2011 9:52 am
Yogesh,
If you can find that white paper, I'd greatly appreciate it...
-

keydet89 - Senior Member
Re: Jump Lists
Posted: Sat Dec 31, 2011 3:00 pm
I think he's referring to the whitepaper by Alex Barnett (Yogesh, please correct me if I'm wrong). The paper mentions that downloaded files using the private browsing mode of Firefox 3.6.16 appeared in a Firefox jump list. It'd be interesting to see if this issue is still there...
_________________
dfstream.blogspot.com
-

ntexaminer - Member
















