
Analysis Questions

4 Posts
3 Users
0 Reactions
647 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Has anyone used the Prefetch or Jump List analysis techniques that have been
presented recently?

http://windowsir.blogspot.com/2012/03/prefetch-analysis-revisitedagain.html

http://windowsir.blogspot.com/2011/12/jump-list-analysis.html

I'm curious as to if this has been useful or not…


ntexaminer
(@ntexaminer)
Eminent Member
Joined: 14 years ago
Posts: 49
 

I've been able to do a bit of work with jump lists and they've proven to be a very useful resource for finding user activity artifacts. I've used your Perl scripts as well as the built-in functionality of X-Ways to parse automatic jumplist files. It would be great for tools to have a database or a simple CSV that would decode the AppIDs (or at least some of them) to save the analyst a step in looking up which AppID is associated with which program. If it were a CSV, this would allow the analyst to add AppIDs to it as needed for use in the future.

I haven't had the opportunity to try out the Prefetch techniques that you and Corey have recently blogged about, but I hope to soon…


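The CSV lookup ntexaminer asks for is simple to put together. The following is an added example (not code from the thread, the scripts, or X-Ways): it reads an analyst-maintained CSV of AppID-to-application mappings, resolves the AppID embedded in each automatic (and custom) jump list filename against it, flags anything unresolved as UNKNOWN, and appends newly identified AppIDs so the table grows with the analyst's work. The CSV rows, AppIDs and file paths below are constructed placeholders, not real application IDs.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample of an analyst-maintained lookup table.
# The AppIDs are placeholders, not real application IDs.
APPID_CSV = """appid,application
a1b2c3d4e5f60001,Example Browser (placeholder)
a1b2c3d4e5f60002,Example Editor (placeholder)
"""

# Constructed file listing from a Recent\AutomaticDestinations folder plus one non-jumplist file.
SAMPLE_FILES = [
    r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a1b2c3d4e5f60001.automaticDestinations-ms",
    r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ffffffffffffffff.automaticDestinations-ms",
    r"C:\Users\analyst\Desktop\notes.txt",
]

# Jump list filenames are a 16-hex-digit AppID followed by the automatic/custom suffix.
JUMPLIST_RE = re.compile(
    r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.IGNORECASE
)


def load_appid_table(csv_text):
    """Parse the CSV into {appid (lowercase): application name}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row["appid"].strip().lower()] = row["application"].strip()
    return table


def classify_jumplist(path, table):
    """Return a record for a jump list file, or None if the name is not a jump list."""
    name = PureWindowsPath(path).name
    m = JUMPLIST_RE.match(name)
    if not m:
        return None
    appid = m.group(1).lower()
    return {
        "path": path,
        "appid": appid,
        "kind": m.group(2).lower(),
        "application": table.get(appid, "UNKNOWN"),
    }


def resolve_jumplists(paths, table):
    """Resolve every jump list in a file listing; non-jumplist files are dropped."""
    results = []
    for p in paths:
        rec = classify_jumplist(p, table)
        if rec is not None:
            results.append(rec)
    return results


def add_appid(csv_text, appid, application):
    """Append a newly identified AppID so future runs resolve it (csv.writer handles quoting)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([appid.strip().lower(), application])
    if not csv_text.endswith("\n"):
        csv_text += "\n"
    return csv_text + buf.getvalue()


if __name__ == "__main__":
    table = load_appid_table(APPID_CSV)
    for rec in resolve_jumplists(SAMPLE_FILES, table):
        print(f'{rec["appid"]}  {rec["kind"]:<9}  {rec["application"]}')
```

Anything printed as UNKNOWN is the analyst's cue to identify the program (for example from the LNK streams inside the file) and record it with `add_appid`, after which the lookup is permanent for that case library.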
(@rhouse)
Active Member
Joined: 15 years ago
Posts: 7
 

I have tried to use your jumplist perl script but being a novice examiner I couldn't get it to work. I am assuming it is command line and maybe that is where I am going wrong. (I need more work in that area) I tried looking through any readme files and on the PDF you have within the folder of all the scripts. I did not see an example command line for the scripts. I would suggest having an example or two on a text file to assist the users.

The blog itself has proven helpful to me personally. It showed me what folder to go to in order to find the jumplist. Also it was very helpful having the websites listed that a person can go to in order to find the AppIDs.

In regards to the prefetch blog, I have referenced that lately for an assignment I was working on. My class had to do a prefetch analysis and other than our lecture I used your blog to help me with it. One thing I noticed is you did not mention the layout.ini file. From my understanding there is a lot of information contained within that file. For example, if a person is using Firefox Portable, looking in the layout.ini file an examiner can see what drive letter was used to run that program. Of course from there you can look in the registry keys and find more information about that thumb drive or hard drive used.

Overall they have been helpful, thank you.


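The drive-letter check rhouse describes can be scripted. The following is an added example, not code from the thread or the blog posts: it walks a Prefetch\Layout.ini, which lists one full path per line after a short header, groups the paths by drive letter, reports which drives a given executable ran from, and lists every path that is not on the system drive (the quickest way to spot programs launched from removable media). The Layout.ini content is a constructed sample with placeholder paths; the header lines and the Firefox Portable entries are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of C:\Windows\Prefetch\Layout.ini (placeholder paths, assumed header).
LAYOUT_INI = r"""[OptimalLayoutFile]
Version=1
C:\WINDOWS\SYSTEM32\NTDLL.DLL
C:\WINDOWS\SYSTEM32\KERNEL32.DLL
E:\FIREFOXPORTABLE\FIREFOXPORTABLE.EXE
E:\FIREFOXPORTABLE\APP\FIREFOX\XUL.DLL
"""

# A path entry: drive letter, colon, backslash, remainder. Header lines do not match.
PATH_RE = re.compile(r"^([A-Za-z]):\\(.+)$")


def parse_layout_ini(text):
    """Return (drive_letter, full_path) for every path line; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.match(line)
        if m:
            entries.append((m.group(1).upper(), line))
    return entries


def paths_by_drive(text):
    """Group every listed path under its drive letter."""
    grouped = defaultdict(list)
    for drive, path in parse_layout_ini(text):
        grouped[drive].append(path)
    return dict(grouped)


def drives_for_program(text, exe_name):
    """Sorted drive letters on which a program (matched by basename, case-insensitive) appears."""
    wanted = exe_name.lower()
    return sorted(
        {drive for drive, path in parse_layout_ini(text)
         if path.rsplit("\\", 1)[-1].lower() == wanted}
    )


def non_system_drive_paths(text, system_drive="C"):
    """Paths recorded on any drive other than the system drive: candidates for removable media."""
    return [p for drive, p in parse_layout_ini(text) if drive != system_drive.upper()]


if __name__ == "__main__":
    for drive, paths in sorted(paths_by_drive(LAYOUT_INI).items()):
        print(f"{drive}: {len(paths)} path(s)")
    print("FirefoxPortable.exe ran from:", drives_for_program(LAYOUT_INI, "FirefoxPortable.exe"))
    for p in non_system_drive_paths(LAYOUT_INI):
        print("non-system drive:", p)
```

The drive letter on its own only says where the program sat at the time the file was written; tying it to a specific device still needs the registry work rhouse mentions (MountedDevices, USBSTOR and the like), so treat this output as a lead rather than an answer.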
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

rhouse,

Thanks for the feedback. I was sort of pestered into releasing the code, and haven't provided a GUI…but that's the beauty of the code - someone can write a GUI around it. 😉

Another aspect of releasing code like this is that you never know what level it has to be in order for the greatest number of folks to use it.

Thanks for the feedback.

