Phil,
"Some testing of my own has also corroborated the fact the DestList stream appears to act as an application-specific MRU/Recent Item list."
Have you posted this anywhere? Could you provide a link? If not, can you share your testing and findings with us?
Sorry it's taken a while to respond to this - I'm afraid that the testing that I've performed has been in the process of investigating individual cases, and I've not had the opportunity to formally document or post the results anywhere. Essentially my testing involved using a known (test) installation of Windows 7, then accessing files via known applications - EnCase was then used to examine the test system, and extract the relevant Jump List file, which I then analysed using woanware's tool. A comparison of the contents of the DestList stream, with the files known to have been accessed, indicated that this appeared to be working as an application-specific MRU/Recent Item list.
Phil H
I have recently submitted my thesis on the topic of Jump Lists.
As it stands at the moment I am seeking permission to release it in full but am happy to take questions from any that are interested.
Regards
Rob
Rob,
I'm not sure what questions we can ask…so I'll throw something out…
What were your sources? What was your approach? Can you give a general overview of your methodology and/or findings?
Thanks.
Harlan,
As you and others have noted there is little information available in the public domain about Jump Lists, in particular the structure and detail recorded in the DestList.
My research was therefore based around experimentation conducted on a virtual machine running x64 Ultimate and looked at what data was present throughout the installation process up to and including first login.
I then went on to look at opening files and explored the additional types of file access available through left and right mouse clicks (also in combination with the shift key) and from the command line.
I looked at pinning entries to and deleting them from a list and also whether a count is maintained of the number of times a file is opened.
Based upon the results of the experimentation I think that I have determined the full structure of the DestList and have written a program in Python which will extract all of the artefacts within the header and individual entries in the DestList. It is by no means a perfect program but I intend to develop it further to address its limitations; for example, it does not parse the individual 'shortcut' elements.
I am still researching the copyright issues associated with the thesis and hope to be able to make it available for any that want to read it in the near future.
Rob
Rob,
Thanks. I was wondering how the DestList structure you'd determined compares to what I'd posted to my blog (http//
Thanks.
Harlan,
I'll have a look at those and get back to you…
Rob
Harlan,
I have looked at your blog and the ForensicsWiki and the information posted there corresponds to offsets per my findings.
Regards
Rob
Rob,
Just those offsets? Were you able to figure out what any of the other data means?
Thanks.