Windows Jump List Forensics by P4RS

Posted by Dolyetyus (Special Member), 21 April 2020, Delft
Windows Jump List Forensics

From a forensic standpoint, Jump Lists record a suspect's past activity: which files and locations were opened with which application, and when. Their biggest advantage for the examiner is that the data survives even after the application itself has been uninstalled. The important part for the forensic examiner is that the entries carry timestamps and can be placed on a timeline. The on-disk format varies between Windows versions.

What Is a Jump List?

Jump Lists were introduced with Windows 7 to give users quick access to the documents, websites, music or pictures they use most often.
You can open an application's Jump List by right-clicking its icon on the taskbar, or by right-clicking the application in the Start menu.
The contents vary from application to application: File Explorer lists documents and pictures, while the Opera browser lists websites.
Because of this, the lists tell us which data the user opened with each application.


Where Is Jump List Data Saved?

Jump List data is stored in the two folders below (user_name is the profile name; the parent folder is %APPDATA%\Microsoft\Windows\Recent).

Code:
C:\Users\user_name\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Code:
C:\Users\user_name\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

CustomDestinations: created by applications themselves, through the Jump List API, for the tasks and custom categories they choose to show.

AutomaticDestinations: created automatically by the system (the Windows shell) as the user opens files with an application.

The files in both folders are named after the application's AppID, with the extensions .automaticDestinations-ms and .customDestinations-ms. Opened in a text editor they are mostly unreadable: an automaticDestinations-ms file is an OLE compound (structured storage) container holding one LNK-style stream per recent item plus a DestList index stream, and a customDestinations-ms file is a sequence of LNK structures. Some values are still visible as plain strings, such as file paths and the host name, as the screenshot of one of these files shows.



What Is a Jump List Application ID (AppID)?

The file names in CustomDestinations and AutomaticDestinations are the IDs Windows creates for the application that owns them. AppIDs are different for each application. By default Windows derives the ID from the executable's path, so the same program installed in the same location gets the same ID on every machine, which is why published lists of AppIDs exist; an application can instead set its own explicit AppUserModelID. If the ID has not been changed, it takes one of the values listed here: https://community.malforensics.com/t/list-of-jump-list-ids/158

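As an added example (not code from the original post or from the linked list), here is how the default AppID is derived, so that an unknown *.automaticDestinations-ms file name can be mapped back to a candidate executable. It assumes the derivation published by Jump List researchers: CRC-64 with the reflected polynomial 0x92C64265D32139A4, initial value 0xFFFFFFFFFFFFFFFF and no final XOR, over the upper-cased executable path encoded as UTF-16LE. The candidate paths in the script are placeholders; check the output for a well-known program against the linked list before relying on it in a case.

```python
import os

# Assumed CRC-64 parameters for default Jump List AppIDs (reflected form).
APPID_POLY = 0x92C64265D32139A4
APPID_INIT = 0xFFFFFFFFFFFFFFFF


def _make_table(poly):
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table(APPID_POLY)


def crc64(data, init=APPID_INIT):
    """Table-driven reflected CRC-64 with no final XOR."""
    crc = init
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc


def jumplist_appid(exe_path):
    """Default AppID for an executable that sets no AppUserModelID:
    the path is upper-cased, encoded as UTF-16LE and hashed (assumed)."""
    return f"{crc64(exe_path.upper().encode('utf-16-le')):016x}"


def jumplist_filenames(exe_path):
    """The two Jump List file names Windows would use for this executable."""
    appid = jumplist_appid(exe_path)
    return (f"{appid}.automaticDestinations-ms",
            f"{appid}.customDestinations-ms")


def match_appids(unknown_appids, candidate_paths):
    """Map AppIDs seen in the Recent folder to candidate executables by
    recomputing the hash for each candidate. This is a dictionary attack:
    only paths you think to try can be recovered; the rest map to None."""
    lookup = {jumplist_appid(p): p for p in candidate_paths}
    return {a.lower(): lookup.get(a.lower()) for a in unknown_appids}


def appids_in_recent(recent_dir):
    """Collect the AppIDs present in AutomaticDestinations and CustomDestinations."""
    found = set()
    for sub in ("AutomaticDestinations", "CustomDestinations"):
        folder = os.path.join(recent_dir, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            stem, _dot, ext = name.partition(".")
            if ext in ("automaticDestinations-ms", "customDestinations-ms"):
                found.add(stem.lower())
    return found


if __name__ == "__main__":
    # Placeholder candidate list; extend it with the programs installed on the examined system.
    candidates = [r"C:\Windows\System32\notepad.exe",
                  r"C:\Windows\SysWOW64\notepad.exe",
                  r"C:\Program Files\Opera\launcher.exe"]
    recent = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Recent")
    for appid, path in sorted(match_appids(appids_in_recent(recent), candidates).items()):
        print(appid, path or "(unknown)")
```

Run it on a live Windows profile to label the files in your own Recent folder, or point appids_in_recent at a Recent folder copied out of an image. The lookup is only as good as the candidate list, which is exactly why the linked community list is useful.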



Jump Lister

With the Jump Lister application you can read the -ms files found in AutomaticDestinations and CustomDestinations. Download it from https://github.com/woanware/JumpLister. After starting the application, click "File", then "Load", and point it at either the AutomaticDestinations or the CustomDestinations folder to read the data.

By clicking DestList on the left you can see, for each entry, the NetBIOS name of the host, the MAC address (it is embedded in the NTFS object ID GUID stored with the entry), the last-modified timestamp and the creation time of that object ID, the access count, and the full path of the file that was opened.
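To show where those DestList columns come from, here is a small parser for the DestList stream, written as an added example; it is not code from the original post or from JumpLister. The field layout follows the DestList format as documented by open-source Jump List parsers (32-byte header; per entry 112 fixed bytes in version 1 and 128 bytes in versions 3 and 4, then a uint16 character count, the UTF-16LE path and, from version 3 on, 4 bytes of padding), so the offsets are this example's reading of that documentation rather than an official specification. The sample stream at the bottom is constructed, with a made-up host name and MAC address; reading a real file needs the third-party olefile package to open the OLE container.

```python
import struct
import sys
import uuid
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME: 100 ns ticks since 1601-01-01
UUID_EPOCH = datetime(1582, 10, 15)     # version-1 UUID time: 100 ns ticks since 1582-10-15


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def droid_info(raw16):
    """Decode a 16-byte object ID stored as a mixed-endian GUID. NTFS object IDs
    are version-1 UUIDs, which embed the generating NIC's MAC address and a
    creation timestamp; that is the source of JumpLister's MAC column."""
    u = uuid.UUID(bytes_le=raw16)
    if u.version != 1:
        return None, None
    mac = ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    return mac, UUID_EPOCH + timedelta(microseconds=u.time // 10)


def parse_destlist(data):
    """Return one dict per entry of a raw DestList stream (assumed layout, see lead-in)."""
    version, count = struct.unpack_from("<II", data, 0)
    if version not in (1, 3, 4):
        raise ValueError(f"unsupported DestList version {version}")
    fixed, trailer = (112, 0) if version == 1 else (128, 4)
    entries, off = [], 32
    for _ in range(count):
        file_droid = data[off + 24:off + 40]                       # after checksum + volume droid
        netbios = data[off + 72:off + 88].split(b"\x00", 1)[0].decode("ascii", "replace")
        entry_no, _unknown, access = struct.unpack_from("<IIf", data, off + 88)
        last_mod, pin = struct.unpack_from("<Qi", data, off + 100)
        nchars = struct.unpack_from("<H", data, off + fixed)[0]
        start = off + fixed + 2
        path = data[start:start + 2 * nchars].decode("utf-16-le")
        mac, obj_created = droid_info(file_droid)
        entries.append({"entry": entry_no, "netbios": netbios, "path": path,
                        "last_modified": filetime_to_datetime(last_mod),
                        "pinned": pin >= 0,          # -1 = not pinned, else the pin slot
                        "access_count": int(access),
                        "mac": mac, "object_created": obj_created})
        off = start + 2 * nchars + trailer
    return entries


def load_destlist(jumplist_path):
    """Read the DestList stream from a real *.automaticDestinations-ms file."""
    import olefile  # pip install olefile
    ole = olefile.OleFileIO(jumplist_path)
    try:
        return ole.openstream("DestList").read()
    finally:
        ole.close()


# ---- constructed sample stream (not taken from any real system) ----------

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def make_droid(created, node):
    """Build a version-1 UUID with a chosen timestamp and MAC, in DestList byte order."""
    ticks = int((created - UUID_EPOCH).total_seconds()) * 10_000_000
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
              0x1000 | ((ticks >> 48) & 0x0FFF), 0x80, 0x01, node)
    return uuid.UUID(fields=fields).bytes_le


def build_entry(version, path, netbios, entry_no, droid, last_mod, pin=-1, access=1.0):
    fixed = struct.pack("<8s16s16s16s16s16sIIfQi", b"\x00" * 8, b"\x00" * 16, droid,
                        b"\x00" * 16, b"\x00" * 16,
                        netbios.encode("ascii").ljust(16, b"\x00"),
                        entry_no, 0, access, last_mod, pin)
    if version != 1:
        fixed += struct.pack("<iIQ", -1, int(access), 0)
    return (fixed + struct.pack("<H", len(path)) + path.encode("utf-16-le")
            + (b"" if version == 1 else b"\x00" * 4))


SAMPLE_MAC_NODE = 0x001122334455  # constructed MAC 00:11:22:33:44:55
SAMPLE_STREAM = (
    struct.pack("<IIIfIIII", 3, 2, 1, 3.0, 2, 0, 2, 0)  # version 3, two entries, one pinned
    + build_entry(3, r"C:\Users\user_name\Documents\plan.docx", "DESKTOP-P4RS", 1,
                  make_droid(datetime(2020, 4, 21), SAMPLE_MAC_NODE),
                  to_filetime(datetime(2020, 4, 21, 9, 30)))
    + build_entry(3, r"D:\evidence\notes.txt", "DESKTOP-P4RS", 2,
                  make_droid(datetime(2020, 4, 20, 12, 0), SAMPLE_MAC_NODE),
                  to_filetime(datetime(2020, 4, 20, 12, 5)), pin=0, access=3.0)
)

if __name__ == "__main__":
    data = load_destlist(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STREAM
    for e in parse_destlist(data):
        print(f"#{e['entry']:<3} {e['last_modified']:%Y-%m-%d %H:%M} {e['netbios']:<15} "
              f"{e['mac'] or '-':<17} {'pinned' if e['pinned'] else '':<6} {e['path']}")
```

Without arguments the script parses the constructed sample; with a path to a real *.automaticDestinations-ms file it prints that file's DestList. Two points matter when reading the output on a case: the MAC address and object-ID creation time belong to whichever host generated the object ID, which for files on a network share is the file server rather than the suspect's machine, and the last-modified timestamp is when the Jump List entry was last updated, not a timestamp of the file itself.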

Disabling Jump List Data

Right-click the desktop and choose Personalize.

Go to the Start section and turn off the option "Show recently opened items in Jump Lists on Start or the taskbar and in File Explorer Quick Access".

As you can see in the screenshot, the Jump List of the Opera browser on the taskbar is now empty; compare it with the Jump List screenshots at the beginning of the post, taken before the option was turned off. On an examined image the same switch can be read from the registry: the value Start_TrackDocs under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced is 0 when the option is off, which is worth checking whenever the Recent folders turn out to be empty.


That was my topic. Thanks for reading, and see you next time.




Source: https://www.turkhackteam.org/adli-bilisim/1901511-windows-jump-list-forensics-p4rs.html
Translator: Dolyetyus

 