Windows Jump List Forensics
Jump Lists give us information about a suspect's previous processes. One of the biggest advantages of Jump Lists is that even if an application is deleted, this data will never be deleted. One of the most important aspects of Jump Lists for a forensic expert is that these applications can be placed on a timeline. Note that there can be differences from OS to OS.
What is Jump List?
We can access an application's Jump List by right-clicking the application's icon in the taskbar or Start menu.
Jump Lists vary from application to application. For example, you can see Documents, Pictures, etc. in File Manager, and some websites in Opera.
Thanks to these lists, we can learn about the user's data.
Where Is Jump List Data Saved?
Jump List data is saved in the following two folders:
Code:
C:\Users\user_name\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Code:
C:\Users\user_name\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
AutomaticDestinations: created by the system.
CustomDestinations: created by applications.
These files are saved as -ms files. You can't properly read the data in these files when you open them with a text editor. Still, you can find some readable values. Such as:
What is Jump List Application ID (AppID)?
AppIDs are identifiers created for applications in the CustomDestinations and AutomaticDestinations entries. They are different for each application. Generally, a value has been set for each of them, but it can be changed by the user. If you haven't changed the values, here are the defaults: https://community.malforensics.com/t/list-of-jump-list-ids/158
Jump Lister
You can read the data in -ms files with the Jump Lister application. Go to https://github.com/woanware/JumpLister to download it. Once the download is done, click "File" and then "Load". You can select either AutomaticDestinations or CustomDestinations to read the data.
By clicking DestList in the left sidebar, you can access information such as the NetBIOS name, the MAC address, and the creation and save information for data and folders.
Deactivating Jump List Data
Desktop > right click > Personalize
In Start settings, turn off "Show Recently Opened Items In Jump Lists on Start Menu or the Taskbar".
As you can see, the Jump Lists for Opera are now turned off.
Peace out, girl scout.
Original: https://www.turkhackteam.org/adli-bilisim/1901511-windows-jump-list-forensics-p4rs.html
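The folder layout, AppIDs and "readable values" described above, as an added example that is not part of the original post: a Python triage script that inventories the -ms files under a copied Recent folder, takes the AppID from each file name, pulls out the readable strings and orders the files by modification time for a timeline. It assumes the files are named `<AppID>.automaticDestinations-ms` or `<AppID>.customDestinations-ms`; the function names are hypothetical.

```python
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

# Header of the compound-file container used by AutomaticDestinations files
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Assumed naming: hexadecimal AppID, then the Jump List type, then "-ms"
NAME_RE = re.compile(r"^([0-9a-f]{1,16})\.(automatic|custom)Destinations-ms$", re.I)
# Printable runs of 6+ characters, stored as UTF-16LE or as single-byte ASCII
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")


def readable_values(data):
    """Return the readable strings that a text editor only shows in fragments."""
    found = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    found += [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    return sorted(set(found))


def inventory(recent_dir):
    """List Jump List files under a Recent folder, oldest modification first."""
    rows = []
    for path in Path(recent_dir).glob("*Destinations/*-ms"):
        match = NAME_RE.match(path.name)
        if not match:
            continue  # not named like a Jump List file
        data = path.read_bytes()
        kind = match.group(2).lower()
        rows.append({
            "app_id": match.group(1).lower(),
            "kind": kind,
            "modified": datetime.fromtimestamp(path.stat().st_mtime, timezone.utc),
            # Only automatic files are compound files; None means "not applicable"
            "valid_header": data.startswith(OLE_MAGIC) if kind == "automatic" else None,
            "strings": readable_values(data),
        })
    return sorted(rows, key=lambda row: row["modified"])


if __name__ == "__main__":
    # Usage: python jumplist_triage.py <path to a copy of the Recent folder>
    for row in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(row["modified"].isoformat(), row["kind"], row["app_id"],
              row["valid_header"], row["strings"][:5])
```

Run it against a copy or read-only mount of the Recent folder so that the modification times on the evidence are not altered.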