Notifications
Clear all

windows 7 "dock history" (?) where is it stored?

10 Posts
6 Users
0 Reactions
810 Views
(@rampage)
Reputable Member
Joined: 16 years ago
Posts: 354
Topic starter  

Hello everyone,

i'm trying to self-train myself on windows 7 analysis and while using this system i noticed that the application bar (wich now also work as a dock) keeps an history of opened files and documents in a per application way.

for example, if i open a video file with MediaPlayer or VLC.
the next time i run that application if i click on its icon in the application bar it shows me an history of recent opened files.

in XP there was a single folder \Documents and Settings\User\Recent
and in vista was the same \Users\username\Recent

but in 7 it looks to be different.
does anyone know where such informations are stored?


   
Quote
(@mitch)
Estimable Member
Joined: 19 years ago
Posts: 135
 

I think you mean the symbolic link if so it is

c\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent

Regards


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 16 years ago
Posts: 354
Topic starter  

oh.. they simply changed the path a bit )

thnx


   
ReplyQuote
(@mitch)
Estimable Member
Joined: 19 years ago
Posts: 135
 

Not just for recent for a number of other things.

history
my documents
cookies
temp internet files
etc


   
ReplyQuote
s1lang
(@s1lang)
Trusted Member
Joined: 16 years ago
Posts: 98
 

Does this also show how many separate times you've been docked?


   
ReplyQuote
(@nieuk)
Active Member
Joined: 16 years ago
Posts: 10
 

not sure if it is still needed but there you go

Jump List data is stored in the following folder
C\Users\<Username>\AppData\Roaming\Microsoft\Windows\ Recent\automaticDestinations

For each program that has files in Recent Jump List a file like this is created
1b4dd67f29cb1962.automaticDesitnations-ms
In this case it is a store file for Windows Explorer.

When hex dumped, contents of files is difficult to understand without more information from M$, but it is possible to find all files opened with certain program.

for more information on Jump Lists see 'First Look at Windows 7 Forensics' available from Blog
DigForensix

or full paper
First Look at the Windows 7 Forensics

nieuk


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 16 years ago
Posts: 354
Topic starter  

Hi again, sorry for the gravedigging of this post, but finally i've found some time to make some tests, and even after reading the document nieuk suggested i still have a question

i've cleaned up the recent folder in c\users\%username%\appdata\roaming\

but apparently there are still evidences of recent opened files sorted in a per-application basis.

since i'm not that good in explaining myself, i think that an image is worth more then a thousand words.

also other informations on recent opened files are still missing, for istance, when i open up media player classics, in the applications bar if i right click the icon i still can see recently opened files, even if i cleaned up the recent folder,
is this program storing its own information in a different place?
in many situations it's really helpful to know

again, sorry for gravedigging and for the dumb questions )


   
ReplyQuote
harryparsonage
(@harryparsonage)
Estimable Member
Joined: 19 years ago
Posts: 184
 

Rampage

This is explained to some degree in the paper mentioned earlier and off the top of my head is connected with the contents of automaticdestinations and customdestinations which contain compound files on a per application basis. The structure of these files is not documented and would require some research. They are easily viewed using mitecs excellent SSView when you can see the data streams in the files and some of the data streams themselves have a GUID indicating they are windows shortcut files.

H


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 16 years ago
Posts: 354
Topic starter  

Thank you very much, i'll check this out.


   
ReplyQuote
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Symbolic Links - MSDN
http//msdn.microsoft.com/en-us/library/aa365680%28VS.85%29.aspx


   
ReplyQuote
Share: