Hello everyone,
I'm trying to train myself on Windows 7 analysis, and while using this system I noticed that the application bar (which now also works as a dock) keeps a history of opened files and documents on a per-application basis.
For example, if I open a video file with MediaPlayer or VLC, the next time I run that application, if I click on its icon in the application bar it shows me a history of recently opened files.
In XP there was a single folder, \Documents and Settings\User\Recent,
and in Vista it was the same, \Users\username\Recent,
but in 7 it looks to be different.
Does anyone know where such information is stored?
I think you mean the symbolic link; if so, it is
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent
Regards
Oh.. they simply changed the path a bit :)
thnx
Not just for Recent, for a number of other things:
history
my documents
cookies
temp internet files
etc
Does this also show how many separate times you've been docked?
Not sure if it is still needed, but there you go.
Jump List data is stored in the following folder:
C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\automaticDestinations
For each program that has files in its Recent Jump List, a file like this is created:
1b4dd67f29cb1962.automaticDestinations-ms
In this case it is a store file for Windows Explorer.
When hex dumped, the contents of the files are difficult to understand without more information from M$, but it is possible to find all files opened with a certain program.
For more information on Jump Lists see 'First Look at Windows 7 Forensics', available from Blog
or full paper
nieuk
Hi again, sorry for the gravedigging of this post, but I've finally found some time to run some tests, and even after reading the document nieuk suggested I still have a question.
I've cleaned up the Recent folder in c:\users\%username%\appdata\roaming\
but apparently there is still evidence of recently opened files sorted on a per-application basis.
Since I'm not that good at explaining myself, I think that an image is worth more than a thousand words.
Also, other information on recently opened files is still missing; for instance, when I open up Media Player Classic, if I right-click the icon in the application bar I can still see recently opened files, even though I cleaned up the Recent folder.
Is this program storing its own information in a different place?
In many situations it's really helpful to know.
Again, sorry for gravedigging and for the dumb questions :)
Rampage
This is explained to some degree in the paper mentioned earlier and, off the top of my head, is connected with the contents of automaticdestinations and customdestinations, which contain compound files on a per-application basis. The structure of these files is not documented and would require some research. They are easily viewed using MiTeC's excellent SSView, where you can see the data streams in the files, and some of the data streams themselves have a GUID indicating they are Windows shortcut files.
H
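An added example, not part of any post in this thread: a Python triage of a copied Jump List folder that pulls the AppID from each file name, checks for the compound file signature, and counts the shortcut (LNK) headers carrying the shell link GUID mentioned above. The function names triage_jump_lists and constructed_store are hypothetical, and the sample store is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Signature that opens every OLE2 compound (structured storage) file.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Shell link header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_HEADER = bytes.fromhex("4C0000000114020000000000C000000000000046")
# <hex AppID>.automaticDestinations-ms or <hex AppID>.customDestinations-ms
NAME_RE = re.compile(r"^([0-9a-f]{1,16})\.(automatic|custom)Destinations-ms$", re.I)


def triage_jump_lists(folder):
    """Return one record per Jump List store found directly in folder."""
    records = []
    for path in sorted(Path(folder).iterdir()):
        m = NAME_RE.match(path.name)
        if not m or not path.is_file():
            continue
        data = path.read_bytes()
        records.append({
            "file": path.name,
            "app_id": m.group(1).lower(),
            "kind": m.group(2).lower(),
            "compound_file": data.startswith(CFB_MAGIC),
            # Streams start on a sector boundary, so the 20-byte header is
            # contiguous on disk and a raw count approximates the LNK streams.
            "lnk_headers": data.count(LNK_HEADER),
        })
    return records


def constructed_store(n_links):
    """Constructed sample: CFB signature plus n_links bare LNK headers.
    It is not a complete compound file, only enough to exercise the triage."""
    sector = CFB_MAGIC.ljust(512, b"\x00")
    return sector + b"".join(LNK_HEADER.ljust(64, b"\x00") for _ in range(n_links))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # File name taken from the thread (Windows Explorer's store).
        Path(tmp, "1b4dd67f29cb1962.automaticDestinations-ms").write_bytes(constructed_store(3))
        Path(tmp, "notes.txt").write_bytes(b"ignored")
        for rec in triage_jump_lists(tmp):
            print(rec)
```

Run it against a working copy of the folder taken from an image rather than the live profile, so the stores' timestamps are not touched.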
Thank you very much, i'll check this out.
Symbolic Links - MSDN
http//