I'm curious as to _if_ Jump Lists are being included in exams of Windows 7 systems, and if so, how analysts are deriving information from (parsing) them.
Are analysts viewing these artifacts as sources of evidence? If so, where are analysts developing their understanding of Jump Lists…what are their sources of information regarding the potential forensic value of Jump Lists, and how are they parsing them?
I've posted some thoughts on Jump List Analysis to my blog that I hope others find useful
http//
Thanks.
Hi Harlan,
I certainly view jump lists as a source of evidence. I haven't had the opportunity to use jump lists in an investigation yet, but I've worked with them on the side to be ready for when I do. I've mainly used the built-in parser from X-Ways to handle the jump list files, but I've also done a bit of work using JumpLister.
My largest source of information thus far has been from your blog. As you mentioned, there doesn't seem to be a lot of information available about these artifacts as of yet. I hope to be able to do some more research and experimenting with these files in the future, but regardless, thank you for your hard work and time put into this.
Thanks. If you have any thoughts, comments, or questions regarding Jump Lists, please feel free to share them.
Does X-Ways parse the DestList stream within the automatic Jump Lists? If so, what is the source of the structure parsing process (do you know where they got the information they use to parse the streams)?
Keyword searching in one of my current enquiries has thrown up some indicative links within the jump lists, but the target locations on the local machine have since been deleted. I used Alex Barnett's research paper for a bit of background reading.
Using EnCase to 'View File Structure' on the relevant list and then running the Link File parser against the files, I was certainly able to parse out to a spreadsheet leading me to some external devices. I did try MiTec's SSV tool and Woany's JumpLister as well with some success.
Does X-Ways parse the DestList stream within the automatic Jump Lists? If so, what is the source of the structure parsing process (do you know where they got the information they use to parse the streams)?
X-Ways does parse the DestList stream, adding the associated timestamp into a table with the stream number and path to the file. I'm not sure exactly what the source of XWF parsing process is, however, based on my (somewhat limited) testing, the information seems to be properly interpreted.
Thanks for your contributions. I have a couple of opportunities coming up to give presentations, and I've been considering adding more content on Jump Lists. As such, I wanted to get an idea of where folks are with the analysis of these artifacts.
If you don't mind me asking, what types of cases have you found Jump Lists most useful? Cases involving viewing of images or movies? Intrusion cases?
How useful are the tools that you're using? Do they provide the necessary functionality? Do they make reporting easy? Have you considered getting additional time stamped information by accessing previous versions of the Jump List files found in VSCs?
If you don't mind me asking, what types of cases have you found Jump Lists most useful? Cases involving viewing of images or movies? Intrusion cases?
How useful are the tools that you're using? Do they provide the necessary functionality? Do they make reporting easy? Have you considered getting additional time stamped information by accessing previous versions of the Jump List files found in VSCs?
I haven't had the opportunity to use jump lists in an exam yet, but I'd imagine the type of cases I'll use them with to be involving viewing images/movies or otherwise helping piece together user activity (USB device history, tracking access to a particular file, etc.).
If I needed additional time stamped data from jump lists (or anywhere for that matter), I would harvest the data from VSC (making use of Corey Harrell's batch file) and add that to my timeline for the case. Similarly, if I wasn't able to find the evidence I was looking for in a particular jump list, I would check the VSC.
NTExaminer,
That's an interesting analysis technique, and one I'm going to have to explore.
Using the Perl modules I've created for parsing Jump Lists, I could see parsing the DestList stream from a specific Jump List, and using "find" to extract just the information about a particular file in question. You could then use Corey's technique to run that same tool across the previous versions of the Jump List files in the VSCs.
Interesting blog, BTW. I'm definitely going to be checking back…
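The technique described above (parse the DestList stream, pull out only the entries for one file of interest, then repeat that across earlier copies of the same Jump List recovered from VSCs) as an added Python example; this is not Harlan's Perl code and not part of the original thread. It assumes the Windows 7 DestList layout described in public research on the format (32-byte header, then entries of 114 fixed bytes followed by a UTF-16LE path), and it works on raw DestList stream bytes so it runs offline: on a real system the stream would first be extracted from the `*.automaticDestinations-ms` OLE compound file with a tool such as olefile. The sample streams and the "VSC" copy are constructed here, not taken from any case.

```python
import struct
from datetime import datetime, timedelta, timezone

# Win7 DestList layout as described in public research on the format (an
# assumption of this example, not something stated in the thread): a 32-byte
# header, then per entry 114 fixed bytes followed by a UTF-16LE path.
HEADER_SIZE = 32
ENTRY_FMT = "<Q16s16s16s16s16sIIfQiH"  # checksum, 4 droids, NetBIOS name, entry#,
                                       # unknown, access count, FILETIME, pin, path len
ENTRY_FIXED_SIZE = struct.calcsize(ENTRY_FMT)  # 114
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, kept in integer math so it stays exact."""
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def parse_destlist(data):
    """Parse a Win7-format DestList stream into a list of entry dicts.

    Each entry number, written in hex, is the name of the LNK stream in the same
    OLE container that holds the full shortcut for that path.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("DestList stream shorter than its 32-byte header")
    version, num_entries = struct.unpack_from("<II", data, 0)
    if version != 1:
        raise ValueError("only the version-1 (Windows 7) entry layout is handled")
    entries, offset = [], HEADER_SIZE
    while offset + ENTRY_FIXED_SIZE <= len(data):
        (_crc, _vol, _file, _bvol, _bfile, netbios, entry_num, _unk,
         access_count, mtime, pin_status, path_len) = struct.unpack_from(ENTRY_FMT, data, offset)
        offset += ENTRY_FIXED_SIZE
        path = data[offset:offset + path_len * 2].decode("utf-16-le")
        offset += path_len * 2
        entries.append({
            "stream": format(entry_num, "x"),
            "netbios": netbios.rstrip(b"\x00").decode("ascii", "replace"),
            "access_count": access_count,
            "last_modified": filetime_to_datetime(mtime),
            "pinned": pin_status != -1,          # 0xFFFFFFFF marks an unpinned item
            "path": path,
        })
    if len(entries) != num_entries:
        print(f"warning: header claims {num_entries} entries, parsed {len(entries)}")
    return entries


def find_entries(entries, needle):
    """The 'find' step: keep only entries whose path contains needle (case-insensitive)."""
    return [e for e in entries if needle.lower() in e["path"].lower()]


def timeline_across_versions(versions, needle):
    """Run parse+find over several copies of one Jump List (live file plus VSC
    copies) and return (label, path, last_modified ISO, access_count) sorted by time."""
    rows = []
    for label, data in versions:
        for e in find_entries(parse_destlist(data), needle):
            rows.append((label, e["path"], e["last_modified"].isoformat(), e["access_count"]))
    return sorted(rows, key=lambda r: r[2])


# --- constructed sample data (not from any real system) -----------------------
def _build_entry(entry_num, path, access_count, mtime, netbios=b"WIN7-VM"):
    fixed = struct.pack(ENTRY_FMT, 0, b"\x00" * 16, b"\x00" * 16, b"\x00" * 16, b"\x00" * 16,
                        netbios.ljust(16, b"\x00"), entry_num, 0, float(access_count),
                        datetime_to_filetime(mtime), -1, len(path))
    return fixed + path.encode("utf-16-le")


def _build_destlist(entries):
    # header: version, entry count, pinned count, float, last entry#, three unknowns
    last = max(e[0] for e in entries)
    header = struct.pack("<IIIfIIII", 1, len(entries), 0, 0.0, last, 0, 0, 0)
    return header + b"".join(_build_entry(*e) for e in entries)


UTC = timezone.utc
SAMPLE_CURRENT = _build_destlist([
    (1, r"C:\Users\analyst\Documents\report.docx", 3, datetime(2011, 7, 15, 12, 0, tzinfo=UTC)),
    (10, r"E:\photos\IMG_0042.jpg", 1, datetime(2011, 7, 14, 9, 30, tzinfo=UTC)),
])
SAMPLE_VSC = _build_destlist([   # an earlier copy of the same Jump List, as from a VSC
    (1, r"C:\Users\analyst\Documents\report.docx", 2, datetime(2011, 7, 10, 8, 15, tzinfo=UTC)),
])
SAMPLE_VERSIONS = [("VSC 2011-07-12", SAMPLE_VSC), ("live", SAMPLE_CURRENT)]

if __name__ == "__main__":
    for row in timeline_across_versions(SAMPLE_VERSIONS, "report.docx"):
        print(*row, sep="\t")
```

Each row of the timeline ties an access time and count for the file back to the Jump List copy it came from, so the VSC copies supply time-stamped events that the live file alone has already overwritten.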
Using the Perl modules I've created for parsing Jump Lists, I could see parsing the DestList stream from a specific Jump List, and using "find" to extract just the information about a particular file in question. You could then use Corey's technique to run that same tool across the previous versions of the Jump List files in the VSCs.
I like that approach - you could really use the beauty of batch processing to your advantage here. I'll have to mess around with this technique a bit…
Thanks for the words about my blog - glad to hear it interests you.
No problem…just added your blog to the blog roll on my blog. 😉
I was working on some code samples using my Perl modules last night, and I think I'm going to add an example to parse just the DestList stream, to be part of the analysis technique I mentioned above.