Forensic Analysis of Windows 7 Jump Lists
DESCRIPTION
A look at the artefacts to be found when analyzing Jump List files
TRANSCRIPT
Forensic Artefacts from Windows 7 Jump Lists
Rob Lyness
• Presentation based primarily on experimentation conducted and recorded in an MSc project
• Updated with observations and findings from current investigations
What is a Jump List?
“take you right to the documents, pictures, songs, or websites you turn to each day”
http://windows.microsoft.com/en-US/windows7/products/features/jump-lists
What is a Jump List?
• Analogous to the ‘Recent Items’ sub-menu
– No longer presented by default, but can be re-activated
• Collection of shortcuts
• Application and user specific
User Experience
• Enabled by default
– Last 10 files: can be amended to list the last 60. Links to individual files can be pinned to the Start Menu or to a Jump List.
– Last 10 programs: can be amended to list the last 30. Links to individual programs can be pinned to the Start Menu and Taskbar.
Location of Jump List data (1)
• Windows Registry
– Configuration settings for the Jump List feature: number of items to display on the list, number of items to display on the Start Menu, whether the feature is switched on or off
– Items that have been pinned to the Taskbar. The entry is removed if the item is removed from the Taskbar, including by uninstallation of the program.
• Folder Structure
– Storage of Jump List files
– Items that have been pinned to the Taskbar or Start Menu: link files, deleted if the item is unpinned, but possibly still visible with forensic software
Location of Jump List data (2)
• ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
– Start_JumpListItems (items to display on the Jump List; max 60)
– Start_MinMFU (items to display on the Start Menu; max 30)
– Start_TrackDocs (0 = Jump Lists off, 1 = Jump Lists on)
• Values only present if the default values have been changed
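The following is an added example in Python, not the presenter's code, that turns the presence or absence of these three values into the statements an examiner actually wants to make: an absent value means the default is in force, a present value means the setting was changed at some point (even if it was later set back to the default number), and a number larger than the Taskbar and Start Menu dialog can produce suggests the value was written some other way (direct registry editing, a script or policy); that last inference is the author's assumption, not something the slides state. The live read uses the standard-library winreg module and only works on Windows; for an offline ntuser.dat the values would be extracted with a hive parser and passed to interpret_settings(). The sample dictionary under __main__ is constructed.

```python
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# value name -> (default in force when the value is absent, maximum the UI dialog can set)
SETTINGS = {
    "Start_JumpListItems": (10, 60),   # items shown on a Jump List
    "Start_MinMFU": (10, 30),          # recent programs shown on the Start Menu
    "Start_TrackDocs": (1, 1),         # 1 = Jump Lists on, 0 = off
}


def interpret_settings(values):
    """`values` maps value name -> DWORD for the values actually present under the key.

    Returns, per setting, whether it was explicitly set, the effective number, and
    whether that number is beyond what the dialog offers; plus the on/off state.
    """
    report = {}
    for name, (default, ui_max) in SETTINGS.items():
        present = name in values
        raw = values[name] if present else default
        report[name] = {
            "present": present,              # True => changed at some point
            "value": raw,
            # Assumption (not from the slides): a value the dialog cannot produce
            # points at direct registry editing or a script/policy rather than a user
            # clicking through the Taskbar and Start Menu properties.
            "exceeds_ui_max": raw > ui_max,
        }
    report["jump_lists_enabled"] = report["Start_TrackDocs"]["value"] != 0
    return report


def read_live_advanced_values(root=None):
    """Collect the present values for the current user on a live Windows system."""
    import winreg  # Windows only; imported here so interpret_settings() runs anywhere
    root = winreg.HKEY_CURRENT_USER if root is None else root
    found = {}
    with winreg.OpenKey(root, ADVANCED_KEY) as key:
        for name in SETTINGS:
            try:
                found[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent => default in force, which is itself the finding
    return found


if __name__ == "__main__":
    # Constructed sample: Jump Lists switched off and the list size raised to the maximum.
    sample = {"Start_TrackDocs": 0, "Start_JumpListItems": 60}
    for name, info in interpret_settings(sample).items():
        print(name, info)
```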
Location of Jump List data (3)
• %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\
– Taskbar: created at first login; contains 3 shortcut (link) files (Internet Explorer, Windows Explorer, Windows Media Player); further link files are added as further items are pinned
– StartMenu: created when the first item is pinned to the Start Menu
Location of Jump List data (4)
• %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
– Naming convention for files is 16 hexadecimal digits (known as the AppID) followed by ‘.customDestinations-ms’ (e.g. 5d696d521de238c3.customDestinations-ms)
– Records maintained in link file format
• Relate to applications as opposed to files
• Not a focus of this presentation or of the original project
AppID
• Can be set by the application and notified to the system at runtime
– If not notified by the application, the system generates one automatically
• The same application with the same run switches generates the same AppID on any Windows 7 machine
• Based on CompanyName.ProductName.SubProduct.VersionInformation
– Testing showed that the file path of the executable is also taken into consideration
• Appears to be some kind of hash, although the type is not known
• List maintained at www.forensicswiki.org/wiki/List_of_Jump_List_IDs
Location of Jump List data (6)
• %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
– Similar naming convention to that used by custom destinations (e.g. 5d696d521de238c3.automaticDestinations-ms)
• Main focus of the research
• Compound Binary Files (the same container format used by Thumbs.db and Microsoft Office documents)
• At first login contains only one Jump List file, for Windows Explorer, with 4 entries, one for each of the ‘Libraries’ (Documents, Music, Pictures and Videos)
• As files are accessed, further Jump Lists are generated and stored within the ‘AutomaticDestinations’ directory
– Not all applications generate Jump Lists, e.g. Windows Photo Viewer
Location of Jump List data (7)
• AutomaticDestinations and CustomDestinations directories:
– Obfuscated by the Operating System and not normally visible through Windows Explorer
– Do not have the ‘Hidden’ attribute set
– Can be accessed via Command Prompt or by entering the full path into the address bar
(Screenshots: Recent Items.lnk and AutomaticDestinations.lnk)
Deleting Records (1)
• Jump List files can be deleted by:
– Switching the feature off
  • All link files in the ‘Recent’ directory removed; may not be visible within forensic software
  • If pinned items are present, all other entries are removed; if no pinned items are present, the entire Compound Binary file is removed; may not be visible within forensic software
– Manually deleting each entry in a Jump List
  • Link files in the ‘Recent’ directory unaffected
  • Pinned items must be unpinned before they can be removed
  • Removal of all entries results in the entire Compound Binary file being removed; may not be visible within forensic software
Deleting Records (2)
– Navigating through Windows Explorer and manually deleting
  • Requires knowledge of the location and of the specific access method
  • AutomaticDestinations directory unaffected
  • All deleted files were visible within forensic software
  • Link files in the ‘Recent’ directory unaffected
– Command Prompt
  • Link files in the ‘Recent’ directory unaffected
  • Compound Binary file deleted irrespective of the pinned status of any entry; may not be visible in forensic software
Deconstructing a Jump List
• Individual elements are named with a hexadecimal numeric value
– Not re-used
– Deleted entry numbers identifiable
• Most of these elements store data in the structured format of a shortcut (link) file
• One further element named ‘DestList’
– Structured, but not in the shortcut format
– Controls the presentation of entries to the user
– Byte sequences read Little Endian
(Screenshot) Complete ‘DestList’ from the Notepad Jump List: DestList Header followed by 7 individual entries
DestList Header (1)
(Annotated screenshot) Fields: First Entry ID issued, Total items in current list, No. of pinned entries, Counter, Last Entry ID issued, No. of Add/Delete actions
DestList Header (2)
• First Entry ID issued (4 bytes)
– Appears to always be 1
– Caveat: later public format documentation treats this field as a format version; Windows 10 writes a different value and a different entry layout, so the field sizes given here are specific to Windows 7
• Total items in current list (4 bytes)
– Increments and decrements as entries are added to and removed from the list
– Hexadecimal value
• Number of pinned entries (4 bytes)
– Records the total number of entries in the list that are currently pinned
– Hexadecimal value
DestList Header (3)
• Counter (4 bytes)
– Purpose not currently known
– Also increments and decrements as entries are added to or removed from the list
– Appears to be a floating point binary number
– Does not always decode to a whole number
• Last Entry ID issued (8 bytes)
– Record of the last hexadecimal Entry ID value used
– 8 bytes seems excessive; potential for another, as yet unknown, artefact
DestList Header (4)
• Number of Add/Delete actions (8 bytes)
– Increments as entries are added to the list
– Increments as entries are removed from the list
– 8 bytes again
(Screenshots) Before deletion: 2 entries in list. After deletion: 1 entry in list.
DestList Entry (1)
(Annotated screenshot) Fields: Checksum, New Vol ID, New Obj ID, Birth Vol ID, Birth Obj ID, NetBIOS Name, Entry ID, Access Count, Last Accessed Date, Pin status/count, No. of Unicode characters in path
DestList Entry (2)
• Checksum (8 bytes)
– Purpose not currently known
– Algorithm used not known
– Limited testing shows it relates to all entry data from the first byte after the checksum to the last byte before the target file path
• Data Tracker Block (64 bytes)
– As found in link files: New Volume ID, New Object ID, Birth Volume ID, Birth Object ID (16 bytes each)
DestList Entry (3)
• NetBIOS name (16 bytes)
– Relates to the computer on which the target file is stored
– May reveal names of network shares
DestList Entry (4)
• Entry ID (8 bytes)
– Reason for this size not known
• Access Count (4 bytes)
– Not always reliable: like the counter in the DestList header it sometimes decodes as a partial number; unable to replicate the behaviour or identify the reason
– Updates on each access
• Last Accessed Date (8 bytes)
– FILETIME object (UTC)
– Repeated access of the same target requires at least 30 seconds between accesses before it is recorded again
– Serial accesses of different files have no such restriction
– Updates on each access
DestList Entry (5)
• Pinned Status (4 bytes)
– Offsets 108–111 of an entry record its pin status
– 0xFF 0xFF 0xFF 0xFF indicates an unpinned entry
– Each pinned entry is assigned a value starting at 0x00 0x00 0x00 0x00
DestList Entry (6)
• Number of Unicode characters in file path (2 bytes)
• Target file path
– Normally with drive letter assignments
– May be recorded as a UNC path if accessed via a hidden network share
Order of Access (1)
• On-screen display split into two areas:
– Recent area: oldest at bottom, most recent at top; the DestList is re-written as accesses to target files continue
– Pinned area: oldest at top, most recent at bottom; pinned entries become static in the DestList
Order of Access (2)
• No such differentiation in the DestList
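The following is an added example in Python, not the presenter's extraction program, that parses a Windows 7 DestList stream using the field sizes given in the header and entry slides: a 32-byte header, then per entry an 8-byte checksum, the 64-byte tracker block, a 16-byte NetBIOS name, the 8-byte entry ID, 4-byte access count, 8-byte FILETIME, 4-byte pin status and 2-byte path length (114 bytes fixed), followed by the UTF-16LE path. It also derives the three things the slides say the DestList yields: deleted entry numbers (from gaps in the never-reused element names), first-access order (entry IDs are issued in sequence) and last-access order. The float re-reads of the counter and access count are offered only because the slides report those fields sometimes decode as non-integers. Assumptions: the sample stream, hostname, paths and the version 1 object-ID GUID are constructed inline so the script runs offline, and getting the DestList stream out of the compound binary file (for instance with olefile) is left to the caller.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32        # Win7 DestList header
ENTRY_FIXED = 114       # fixed part of a Win7 entry; the UTF-16LE path follows it
UNPINNED = 0xFFFFFFFF   # pin field value for an unpinned entry
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)    # FILETIME epoch
_EPOCH_1582 = datetime(1582, 10, 15, tzinfo=timezone.utc)  # UUID version 1 epoch


def filetime_to_datetime(ft):
    """FILETIME: little-endian u64 count of 100 ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _as_float(u32):
    """Second reading of a 4-byte field; the slides note the counter and access count sometimes look like float32."""
    return struct.unpack("<f", struct.pack("<I", u32))[0]


def parse_header(data):
    first_id, total, pinned, counter, last_id, add_del = struct.unpack_from("<IIIIQQ", data, 0)
    return {"first_entry_id": first_id, "total_items": total, "pinned_entries": pinned,
            "counter_u32": counter, "counter_f32": _as_float(counter),
            "last_entry_id": last_id, "add_delete_actions": add_del}


def parse_entry(data, off):
    """Parse one entry at offset `off`; returns (entry, offset of the next entry)."""
    if off + ENTRY_FIXED > len(data):
        raise ValueError("truncated entry at offset %d" % off)
    checksum = struct.unpack_from("<Q", data, off)[0]
    # Data tracker block (64 bytes): new volume id, new object id, birth volume id, birth object id
    guids = [uuid.UUID(bytes_le=bytes(data[off + 8 + 16 * i:off + 24 + 16 * i])) for i in range(4)]
    netbios = bytes(data[off + 72:off + 88]).split(b"\x00", 1)[0].decode("ascii", "replace")
    entry_id, access, ft, pin, nchars = struct.unpack_from("<QIQIH", data, off + 88)
    start, end = off + ENTRY_FIXED, off + ENTRY_FIXED + 2 * nchars
    if end > len(data):
        raise ValueError("truncated path at offset %d" % start)
    obj = guids[1]
    return {
        "checksum": checksum,
        "new_volume_id": guids[0], "new_object_id": obj, "birth_volume_id": guids[2], "birth_object_id": guids[3],
        # Object ids are version 1 UUIDs, so (as in link files) they also carry a
        # generation timestamp and the node/MAC address of the host that made them.
        "object_id_time": _EPOCH_1582 + timedelta(microseconds=obj.time // 10) if obj.version == 1 else None,
        "netbios_name": netbios,
        "entry_id": entry_id,
        "access_count_u32": access, "access_count_f32": _as_float(access),
        "last_accessed": filetime_to_datetime(ft),
        "pinned": pin != UNPINNED,
        "pin_order": None if pin == UNPINNED else pin,   # pinned entries are numbered from 0
        "target_path": bytes(data[start:end]).decode("utf-16-le"),
    }, end


def parse_destlist(data):
    header, entries, off = parse_header(data), [], HEADER_SIZE
    while off < len(data):
        entry, off = parse_entry(data, off)
        entries.append(entry)
    return header, entries


def deleted_entry_ids(stream_names, last_entry_id):
    """Element names are hex entry numbers that are never re-used, so every number
    up to the last issued id with no element left in the file is a deleted entry."""
    present = {int(n, 16) for n in stream_names if n != "DestList"}
    return sorted(set(range(1, last_entry_id + 1)) - present)


def access_orders(entries):
    """(first-access order, last-access order): ids are issued in sequence, so id order is
    first-access order; the Recent area shows the most recent last access at the top."""
    first = [e["entry_id"] for e in sorted(entries, key=lambda e: e["entry_id"])]
    last = [e["entry_id"] for e in sorted(entries, key=lambda e: e["last_accessed"], reverse=True)]
    return first, last


# Constructed sample: three entries issued (ids 1..3), entry 2 then deleted by the user.
def _filetime(dt):
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _pack_entry(entry_id, access, when, pin, path, obj_id, netbios=b"WIN7-PC"):
    zero = uuid.UUID(int=0).bytes_le
    fixed = struct.pack("<Q", 0) + zero + obj_id.bytes_le + zero + obj_id.bytes_le  # checksum + tracker block
    fixed += netbios.ljust(16, b"\x00") + struct.pack("<QIQIH", entry_id, access, _filetime(when), pin, len(path))
    return fixed + path.encode("utf-16-le")


def build_sample_destlist():
    obj = uuid.UUID("a4e8fb1c-2285-11e2-9a9d-000c29ab7d35")  # made-up version 1 UUID
    e1 = _pack_entry(1, 3, datetime(2012, 10, 30, 9, 15, 0, tzinfo=timezone.utc), UNPINNED,
                     r"C:\Users\rob\Documents\notes.txt", obj)
    e3 = _pack_entry(3, 1, datetime(2012, 10, 30, 10, 42, 30, tzinfo=timezone.utc), 0,
                     r"\\FILESRV\share$\report.docx", obj)
    counter = struct.unpack("<I", struct.pack("<f", 2.0))[0]   # float-looking counter value
    return struct.pack("<IIIIQQ", 1, 2, 1, counter, 3, 4) + e1 + e3  # 3 adds + 1 delete = 4 actions


if __name__ == "__main__":
    hdr, ents = parse_destlist(build_sample_destlist())
    print(hdr)
    for e in ents:
        print(e["entry_id"], e["last_accessed"].isoformat(), e["pin_order"], e["netbios_name"], e["target_path"])
    print("deleted:", deleted_entry_ids(["1", "3", "DestList"], hdr["last_entry_id"]), "orders:", access_orders(ents))
```

On a real file, pass the element names of the compound binary file (the hexadecimal stream names plus ‘DestList’) to deleted_entry_ids() together with the header's last issued ID; the parser raises rather than guessing when the stream is truncated, which is the case to expect on a partially overwritten file recovered from unallocated clusters.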
Recorded File Accesses (1)
• Windows Explorer
– Link Files
• Application Toolbars
• Jump List entries
Recorded File Accesses (2)
• Navigation through Windows Explorer
– Investigated the various options available through left and right mouse clicks, including the additional options presented by the Shift key
Recorded File Accesses (3)
• Application Toolbars
Recorded File Accesses (4)
• Jump List entry
Recorded File Accesses (5)
• Only actions that result in the content of the file being displayed to the user, either on screen or as hard copy, constitute an access
• No difference was identified in the way that accesses are recorded
• Command Prompt did not result in any updates to the Jump Lists
– Limited testing: Notepad and Paint
– Other applications may produce different results; Microsoft Word 2007/2010 entries do update
Rename, move and delete target files (action, then result when the Jump List entry is used afterwards)
Serial 1: Cut and Paste to a new ‘Fixed’ NTFS volume. Result: Opened; file path amended to the new location.
Serial 2: Cut and Paste to an NTFS ‘Removable’ drive. Result: prompt; ‘Yes’ removes the entry from the list, ‘No’ leaves it in the list.
Serial 3: Cut and Paste on the same ‘Fixed’ NTFS volume. Result: Opened; file path amended to the new location.
Serial 4: Right mouse click > Delete. Result: ‘Restore’ returns the file to its original location but does not open it; ‘Delete’ removes the entry from the list but leaves the file intact in the Recycle Bin.
Serial 5: Right mouse click > Delete > Delete from Recycle Bin. Result: as Serial 2.
Serial 6: Shift key + Delete key. Result: as Serial 2.
Serial 7: Rename. Result: Opened; file path amended to the new name.
Peculiarities Experienced
• Not all applications use all of the available fields all of the time
• Different behaviour with Windows Media Player
– 2 entries, both relating to the same file accessed at the same time
– First time seen: normally only a hexadecimal value is recorded as the file path
(Screenshots) Windows Media Player entry with a hexadecimal value as the file path: the element points to the program with embedded command switches. Windows Media Player entry with the full file path: the element is more like a ‘standard’ link file.
Unallocated Clusters
• Potential to recover deleted entries
• Not tested, but the clusters are likely to be re-used quickly
Limitations
• Possibility of an automated process pinning items to a Jump List
• 30 seconds required between repeated accesses to the same target file
• Access count only tested with Notepad and Paint
– Other programs may behave differently
• No reason identified for the use of floating point values
• Purpose and type of the hash/checksum in each entry not known
Future Work
• CustomDestinations
• Unallocated space of the hard disk drive
• Further development of the extraction program
Summary (1)
• Configuration settings can be retrieved from the Windows Registry
– ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems: number of items to display on the Jump List; default value of 10, maximum value of 60
– ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs: status of the feature; switched on by default; if present, the feature has been turned off at some point (0 = Jump Lists off, 1 = Jump Lists on)
• Only present if the default values or state have been changed
Summary (2)
• Jump List data stored in Compound Binary files at %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
– Can be shortened to %AppData%\Microsoft\Windows\Recent\AutomaticDestinations
• Not all applications use the Jump List to record file accesses
• Most entries in the Compound Binary files are named with a hexadecimal numeric value
– Structured as link files
• DestList records the order of access
– Structured as discussed
• Artefacts recoverable:
– Header
  • ID of first entry
  • Number of items currently present in the Jump List
  • Number of pinned entries
  • Last assigned Entry ID
  • Total number of entries that have been added or deleted
  • A counter is also present, although its purpose is not known
Summary (3)
– Individual Entry
  • ‘FileLocation’ data as found in shortcut files
  • NetBIOS name of the computer where the target is stored
  • Date/time (GMT) of last access
  • Pinned status of the entry
  • Pinned order
  • How often a file has been accessed
  • Full path to the target file
Summary (4)
Summary (5)
• Based upon the experimentation conducted, the complete structure of the DestList element was determined
Forensic Significance
• Analysis of Jump Lists could be used to show:
– Which files have been accessed
– The order in which they were first and last accessed
– How often a file has been accessed
– Which items have been pinned to a Jump List and the order in which they were pinned
Further Information
• Article posted on the ForensicFocus website: http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/
• More detail of the methodology
Questions?