Doing some playing and with FF 8 pinned I just noticed in the CustomDestinations file for FF8 there are entries that reference
%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\g2nf95sm.default\jumpListCache
On the test machine in regular non-private mode I had searched Google for CCleaner and found these entries in the FF8 CustomDestinations file
C\Program Files (x86)\Mozilla Firefox\firefox.exe..!.c.c.l.e.a.n.e.r. .d.o.w.n.l.o.a.d. .-. .G.o.o.g.l.e. .S.e.a.r.c.h.w.h.t.t.p.././.w.w.w…g.o.o.g.l.e…c.o.m./.s.e.a.r.c.h.?.q.=.c.c.l.e.a.n.e.r.+.d.o.w.n.l.o.a.d.&.i.e.=.u.t.f.-.8.&.o.e.=.u.t.f.-.8.&.a.q.=.t.&.r.l.s.=.o.r.g…m.o.z.i.l.l.a..e.n.-.U.S..o.f.f.i.c.i.a.l.&.c.l.i.e.n.t.=.f.i.r.e.f.o.x.-.a.p.C..\.U.s.e.r.s.\.T.e.c.h.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.o.z.i.l.l.a.\.F.i.r.e.f.o.x.\.P.r.o.f.i.l.e.s.\.g.2.n.f.9.5.s.m…d.e.f.a.u.l.t.\.j.u.m.p.L.i.s.t.C.a.c.h.e.\.o.d.u.U.G.R.c.q.Q.e.5.9.D.+.L.Q.o.d.C.0.+.Q.=.=…i.c.o…….. %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\g2nf95sm.default\jumpListCache\oduUGRcqQe59D+LQodC0+Q==.ico
C\Program Files (x86)\Mozilla Firefox\firefox.exe….C.C.l.e.a.n.e.r. .-. .D.o.w.n.l.o.a.d.).h.t.t.p.././.w.w.w…p.i.r.i.f.o.r.m…c.o.m./.c.c.l.e.a.n.e.r./.d.o.w.n.l.o.a.d.p.C..\.U.s.e.r.s.\.T.e.c.h.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.o.z.i.l.l.a.\.F.i.r.e.f.o.x.\.P.r.o.f.i.l.e.s.\.g.2.n.f.9.5.s.m…d.e.f.a.u.l.t.\.j.u.m.p.L.i.s.t.C.a.c.h.e.\.v.i.9.w.o.8.1.R.l.r.C.E.E.B.T.+.T.9.i.h.0.Q.=.=…i.c.o…….. %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\g2nf95sm.default\jumpListCache\vi9wo81RlrCEEBT+T9ih0Q==.ico
g2nf95sm being the profile for user profile Tech.
The .ico files are PNG files and seem to be some sort of icon cache that FF now links with the jump lists. This just caught my eye and I haven't had a chance to really test in private browsing mode to see if the downloads or these .ico references are present.
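The dotted entries above are UTF-16LE strings as they appear in a hex view of the CustomDestinations-ms file (each character followed by a NUL byte). As an added example, not code from the original post or from any Jump List tool, the following carves such wide strings from a constructed sample blob, picks out the URL and jumpListCache references, and checks whether a cached ".ico" is really a PNG by its header; the jumpListCache path reuses the filename quoted in the comment, and the sample bytes are constructed, not a real file.

```python
import re

# Runs of at least four printable ASCII characters encoded as UTF-16LE,
# which is exactly what the "c.c.l.e.a.n.e.r" style entries are in a hex dump.
WIDE_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG file signature
ICO_MAGIC = b"\x00\x00\x01\x00"    # real ICONDIR header for a genuine .ico

# Constructed sample blob (not a real CustomDestinations-ms file): a title,
# a URL and a jumpListCache icon path as UTF-16LE, separated by binary filler.
SAMPLE_CUSTOMDEST = (
    b"\x00\x01\x02\x03"
    + "ccleaner download - Google Search".encode("utf-16-le")
    + b"\x00\x00\x05\x00"
    + "http://www.google.com/search?q=ccleaner+download".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + (r"C:\Users\Tech\AppData\Local\Mozilla\Firefox\Profiles\g2nf95sm.default"
       r"\jumpListCache\oduUGRcqQe59D+LQodC0+Q==.ico").encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
)

# Constructed stand-in for a cached icon: PNG signature plus a truncated IHDR chunk.
SAMPLE_ICON = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17


def carve_utf16le_strings(blob):
    """Return every printable UTF-16LE run found in the blob, in file order."""
    return [m.group().decode("utf-16-le") for m in WIDE_STRING.finditer(blob)]


def firefox_jumplist_refs(strings):
    """Split carved strings into visited URLs and jumpListCache icon paths."""
    urls = [s for s in strings if s.startswith(("http://", "https://"))]
    icons = [s for s in strings
             if "jumpListCache" in s and s.lower().endswith(".ico")]
    return urls, icons


def icon_container_type(data):
    """Classify a jumpListCache '.ico' by its real header, not its extension."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ICO_MAGIC):
        return "ico"
    return "unknown"


if __name__ == "__main__":
    found = carve_utf16le_strings(SAMPLE_CUSTOMDEST)
    urls, icons = firefox_jumplist_refs(found)
    print("URLs:", urls)
    print("icons:", icons, "->", icon_container_type(SAMPLE_ICON))
```

Against a real file, read it with `open(path, "rb").read()` in place of SAMPLE_CUSTOMDEST and feed each referenced .ico's bytes to icon_container_type.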
Doug,
Very interesting stuff. My initial testing with respect to FF 9, private browsing mode and Jump Lists seems to indicate that downloading files via FF 9 in private browsing mode does NOT leave *.automaticDestinations-ms Jump Lists.
More testing is required, however.
Your findings are interesting, in that if a user were to pin FF, this is something that we might expect to see. Very cool.
One of the things I've been finding with respect to taking informal surveys of analysts with respect to their attention to Jump Lists (either variant) is that there is a small group of those who are analyzing Windows 7 systems, are not interested in the user activity (i.e., malware issues), and know about Jump Lists. That is, they are familiar enough with the artifacts to defer analysis of them, and can justify that decision.
However, it would appear that the vast majority of analysts handling Windows 7 systems simply do not have any knowledge of the artifact at all.
I think he's referring to the whitepaper by Alex Barnett (Yogesh, please correct me if I'm wrong). The paper mentions that downloaded files using the private browsing mode of Firefox 3.6.16 appeared in a Firefox jump list. It'd be interesting to see if this issue is still there…
I recently set up a new VM (Win7 Ult, 32-bit) and installed Firefox 9.01. I launched it, set it to private browsing, and downloaded two files from SysInternals. I then closed FF, shut down the VM, and loaded the VMDK file into FTK Imager…no Jump Lists appeared to have been created for the FF downloads.
I've used evidence from JumpLists in a couple of cases - specifically for showing access/viewing of images and movies. For this I've focussed on the DestList attribute which, from reading through the various available information, appears to effectively contain an MRU list on a per-application basis.
Thus far I've used woanware's JumpLister tool to parse my JumpLists, but now that your Perl code is available I'll give that a test next time I need to process any JumpLists.
In the future I think I would investigate JumpLists, as a matter of course, where access/viewing of images and movies is a point to prove in a case.
Phil H
Phil,
Good to hear, thanks.
"…I've focussed on the DestList attribute which, from reading through the various available information, appears to effectively contain an MRU list on a per-application basis."
Do you remember where you saw this? If so, can you share a link or reference?
I'd think that anytime user activity were in question, Jump Lists would be a resource of some kind.
Thanks.
Thanks for following up on that Harlan, good to know (well I suppose it's good and bad).
The "bad" news is that no Jump Lists were created, but a Prefetch file for Firefox was created, and a UserAssist entry was created in the user's NTUSER.DAT.
Heh, I actually got that originally from your
Some testing of my own has also corroborated the fact that the DestList stream appears to act as an application-specific MRU/Recent Item list.
Phil H
Phil,
"Some testing of my own has also corroborated the fact the DestList stream appears to act as an application-specific MRU/Recent Item list."
Have you posted this anywhere? Could you provide a link? If not, can you share your testing and findings with us?