Difference between revisions of "Jump Lists"

From ForensicsWiki

Revision (Initial stub):

'''Jump Lists''' are a feature found in Windows 7.

[[List of Jump List IDs]]
17d3eb086439f0d7 TrueCrypt 7.0a
adecfb853d77462a MSWord 2007
c71ef2c372d322d7 PGP Desktop 10
cdf30b95c55fd785 MSExcel 2007
f5ac5390b9115fdb MSPowerPoint 2007
12dc1ea8e34b5a6 MSPaint 6.1
431a5b43435cc60b Python (.pyc)
469e4a7982cea4d4 ? (.job)
500b8c1d5302fc9c (.pyw)
50620fe75ee0093 VMWare Player 3.1.4
65009083bfa6a094 (app launched via XPMode)
7e4dca80246863e3 Control Panel (?)
83b03b46dcd30a0e iTunes 10
b0459de4674aab56 (.vmcx)

(52 intermediate revisions by 6 users not shown)

Latest revision (External Links):

'''Jump Lists''' are a feature found in Windows 7.

== Jump Lists ==

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in multiple flavors:

* automatic (autodest, or *.automaticDestinations-ms) files
* custom (custdest, or *.customDestinations-ms) files
* Explorer StartPage2 ProgramsCache Registry values

=== AutomaticDestinations ===

The AutomaticDestinations Jump List files are located in the user profile path:

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

==== Structure ====

The AutomaticDestinations Jump List files are [[OLE Compound File|OLE Compound Files]] containing multiple streams, among which:

* hexadecimal numbered streams, e.g. "1a"
* DestList

Each of the hexadecimal numbered streams contains data similar to that of a [[LNK|Windows Shortcut (LNK)]]. One could extract all the streams and analyze them individually with a LNK parser.

The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

{| class="wikitable"
|-
! Offset
! Size
! Description
|-
| 0x48
| 16 bytes
| NetBIOS name of the system; padded with zeros to 16 bytes
|-
| 0x58
| 8 bytes
| Stream number; corresponds to the numbered stream within the jump list
|-
| 0x64
| 8 bytes
| Last modification time, contains a [http://msdn2.microsoft.com/en-us/library/ms724284.aspx FILETIME] structure
|-
| 0x70
| 2 bytes
| Path string size, the number of characters (UTF-16 words) of the path string
|-
| 0x72
| ...
| Path string
|}

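As an added example (not code from this wiki page or from any of the tools listed below), a small Python parser that walks a DestList stream using the offsets in the table above, in the Windows 7 layout where each path string is directly followed by the next entry. It assumes the stream number occupies the low 4 bytes of the 8-byte field at 0x58; the sample stream, the host name WORKSTATION1 and the paths are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32         # DestList header, per the description above
ENTRY_FIXED_SIZE = 0x72  # 114-byte fixed part; the path string starts at 0x72

def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_destlist(data):
    """Return one dict per DestList entry; stops at a truncated entry instead of decoding garbage."""
    entries = []
    pos = HEADER_SIZE
    while pos + ENTRY_FIXED_SIZE <= len(data):
        fixed = data[pos:pos + ENTRY_FIXED_SIZE]
        netbios = fixed[0x48:0x58].split(b'\x00', 1)[0].decode('ascii', 'replace')
        stream_number = struct.unpack_from('<I', fixed, 0x58)[0]  # assumption: low 4 bytes of the 8-byte field
        filetime = struct.unpack_from('<Q', fixed, 0x64)[0]
        path_chars = struct.unpack_from('<H', fixed, 0x70)[0]      # length in UTF-16 words
        path_end = pos + ENTRY_FIXED_SIZE + path_chars * 2
        if path_end > len(data):
            break
        entries.append({
            'netbios_name': netbios,
            'stream_number': stream_number,
            'stream_name': format(stream_number, 'x'),  # name of the matching numbered stream, e.g. "1a"
            'modified': filetime_to_datetime(filetime),
            'path': data[pos + ENTRY_FIXED_SIZE:path_end].decode('utf-16-le'),
        })
        pos = path_end  # the next entry follows the path string directly (Windows 7 layout)
    return entries

def build_entry(netbios, stream_number, filetime, path):
    """Construct one entry in the table's layout; used only to build the sample stream below."""
    fixed = bytearray(ENTRY_FIXED_SIZE)
    fixed[0x48:0x58] = netbios.encode('ascii').ljust(16, b'\x00')
    struct.pack_into('<Q', fixed, 0x58, stream_number)
    struct.pack_into('<Q', fixed, 0x64, filetime)
    encoded = path.encode('utf-16-le')
    struct.pack_into('<H', fixed, 0x70, len(encoded) // 2)
    return bytes(fixed) + encoded

# Constructed sample: 32-byte header plus two entries; the FILETIME below is 2019-06-14 06:32:00 UTC.
SAMPLE_FILETIME = 132049675200000000
SAMPLE_DESTLIST = (bytes(HEADER_SIZE)
                   + build_entry('WORKSTATION1', 0x1a, SAMPLE_FILETIME, r'C:\Users\alice\Documents\report.docx')
                   + build_entry('WORKSTATION1', 0x2, SAMPLE_FILETIME + 600_000_000, r'\\fileserver\share\notes.txt'))
```

Calling parse_destlist(SAMPLE_DESTLIST) yields two entries whose stream_name values ("1a" and "2") are the names of the numbered streams to pass to a LNK parser; a stream cut off mid-path yields only the complete entries before it.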
=== CustomDestinations ===

The CustomDestinations Jump List files are located in the user profile path:

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Files: *.customDestinations-ms

==== Structure ====

CustomDestinations Jump List files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx MS-SHLLINK] binary format segments.

== See also ==

* [[List of Jump List IDs]]
* [[OLE Compound File]]
* [[Windows]]

== External Links ==

* [http://www.codeproject.com/Articles/36561/Windows-7-Goodies-in-C-Jump-Lists Windows 7 Goodies in C++: Jump Lists], by [[Michael Dunn]], May 19, 2009
* [http://mikeahrendt.blogspot.ch/2011/04/jump-lists-in-windows-7-and-possible.html Jump Lists in Windows 7 and Possible Forensic Implementations], by [[Mike Ahrendt]], April 3, 2011
* [http://www.alexbarnett.com/jumplistforensics.pdf The Forensic Value of the Windows 7 Jump List], by [[Alexander G Barnett]], April 18, 2011
* [http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public Forensic Examination of Windows 7 Jump Lists], by [[Troy Larson]], June 6, 2011
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], August 17, 2011
* [http://windowsir.blogspot.ch/2011/08/jump-list-analysis-pt-ii.html Jump List Analysis, pt II], by [[Harlan Carvey]], August 24, 2011
* [http://windowsir.blogspot.ch/2011/12/jump-list-analysis.html Jump List Analysis], by [[Harlan Carvey]], December 28, 2011
* [http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/ Forensic Analysis of Windows 7 Jump Lists], by [[Rob Lyness]], October 2012
* [https://github.com/libyal/dtformats/blob/master/documentation/Jump%20lists%20format.asciidoc Jump lists format], by the [[dtFormats|dtFormats project]], July 2014
* [http://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html Jump lists in depth (includes changes from Windows 10)], by [[Eric Zimmerman]], Feb 2016

== Tools ==

* [[Belkasoft Evidence Center]]. One of the functions of this tool is the search (including carving) and analysis of jump lists. A wide list of applications (Jump List IDs) is supported.
* [http://tzworks.net/prototype_page.php?proto_id=20 TZWorks LLC: Windows Jump List Parser (jmp)]. Tool that can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that run on Windows, Linux and Mac OS X.
* [http://www.woanware.co.uk/?p=265 Woanware: JumpLister]. Tool to view the information within the numbered streams of each autodest file.
* [[plaso]]
* [https://github.com/EricZimmerman/JumpList JumpList]. Parser written in C# with support through Windows 10 jump lists.
* [https://github.com/EricZimmerman/JLECmd JLECmd]. Command line tool using the above parser.

[[Category:Windows]]

Latest revision as of 06:32, 14 June 2019
