Forensic Examination of Windows 7 Jump Lists
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3– Research|Readiness|Response
Windows 7 Jump Lists
• “. . . users should be able to ‘jump’ directly to those things they want to work with and start working with them in a single mouse click. To provide this functionality, Windows 7 Taskbar introduces the concept of ‘Jump Lists.’”
• “. . . think of Jump Lists as your own mini Start Menu for your application.”
http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx
Windows 7 Jump Lists
Ramifications for forensic investigations:
– History of items opened or modified by a particular application.
• Similar to other Most Recently Used (MRU) or Most Frequently Used (MFU) artifacts.
• But not based on shortcut (.LNK) files or registry stores.
– Distinctive features:
• Lists of MRU or MFU items organized by application.
• List can retain several hundred items.
• Items may remain on a list after their target is deleted from the volume.
• Although items can be deleted from the lists, deletions can be detected.
• Only a few items shown for any list; list can have hundreds more items than are shown.
Windows 7 Jump Lists
Jump Lists are likely to be worth investigating in detail, when:
– A user’s historic activity is at issue.
• What files, SharePoint sites, or Web pages have been opened or accessed.
– There is a concern that data files have been deleted or moved.
– To show knowledge or intent.
– Search term hits occur within Jump List files.
Windows 7 Jump Lists
Jump List components (slide diagram):
– Destinations (“nouns”): Known categories, Custom categories, Pinned category.
– Tasks (“verbs”): User Tasks, Taskbar Tasks.
User tasks and destinations are forms of links.
Windows 7 Jump Lists
Jump List content is derived from two kinds of data file, the “destination” files:
• [AppID].automaticDestinations-ms
• [AppID].customDestinations-ms
Windows 7 Jump Lists
• Automatic Destinations:
– List of “destinations.”
– Automatically populated by the system.
– Based on calls to SHAddToRecentDocs.
• Collects information about data file usage.
• Records information in the Recent Items folder and in the “using” application’s automatic destination file.
• Sorted by recency (MRU) or frequency (MFU).
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Custom Destinations:
– List of “destinations.”
– Content maintained by the application.
• Custom categories.
• Tasks specific to the application.
– Specified by the application using the ICustomDestinationList API.
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Windows 7 Jump Lists
Windows 7: Recent folder.
– AutomaticDestinations folder.
– CustomDestinations folder.
– Shortcut (.lnk) files.
Windows 7 Jump Lists
(Three screenshot-only slides; the images are not reproduced in this transcript.)
Note:
– More automatic destination files.
– Matched pairs share the same AppID.
– Custom destinations have temporary files.
And so on.
Windows 7 Jump Lists
• AppID is based on the process name or can be specified by the application.
– Different command arguments for the same application may result in different AppIDs.
• Applications can have more than one AppID.
– The same process (with the same command argument) should have the same AppID across systems.
• AppID can be used to identify the application owning a destination file.
• Permits the investigator to selectively investigate destination files.
Windows 7 Jump Lists
Some AppIDs for common applications:

AppID             Application
1b4dd67f29cb1962  Explorer (task bar folder icon)
1bc392b8e104a00e  Remote Desktop
23646679aaccfae0  Adobe Reader 9 x64
271e609288e1210a  Access 2010 x86
28c8b86deab549a1  Internet Explorer x86
290532160612e071  WinRar x64
2b53c4ddf69195fc  Zune x64
3094cdb43bf5e9c2  OneNote 2010 x86
5da8f997fd5f9428  Internet Explorer x64
74d7f43c1561fc1e  Windows Media Player
9839aec31243a928  Excel 2010 x86
9b9cdc69c1c24e2b  Notepad x64
9c7cc110ff56d1bd  PowerPoint 2010 x86
a7bd71699cd38d1c  Word 2010 x86
b8c29862d9f95832  InfoPath 2010 x86
b91050d8b077a4e8  Windows Media Center x64
be71009ff8bb02a2  Outlook x86
d64d36b238c843a3  InfoPath 2010 x86
e36bfc8972e5ab1d  XPS Viewer
Windows 7 Jump Lists
Anatomy of the custom destination file.
– One or more streams in the shell link file format.
http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx
Windows 7 Jump Lists
Anatomy of the automatic destination file.
– Structured Storage format.
http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
– Containing one or more streams in the shell link file format.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: OffVis.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
• Streams.
• Higher number = more recent or more frequent.
Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer:
• DestList.
• Order of presentation on the jump list.
Windows 7 Jump Lists
Analysis of Custom Destination Files
• Review the series of shell link items in a hex editor.
Or
• Carve and parse:
– Using a hex editor, carve out each shell link item, saving each to a separate file.
– Use a link file parser to review the extracted shell link streams.
– Some streams may not be complete shell link items, e.g. paths.
Analysis of Automatic Destination Files
• Parse the file with a structured storage viewer and review 1) the stream enumeration and 2) the shell link streams.
Or
• Carve and parse:
– Using a structured storage parser/viewer, extract each stream to a separate file.
– Review the DestList with a hex editor.
– Use a link file parser to review the extracted shell link streams.
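The "carve and parse" step for a custom destination file can be scripted rather than done by hand in a hex editor. The following is an added example, not code from the deck or from any tool it names: it locates every embedded shell link item by its ShellLinkHeader signature (HeaderSize 0x4C followed by the LinkCLSID from MS-SHLLINK), splits the file at those signatures, and decodes the fixed 76-byte header of each item (LinkFlags, FileAttributes, the three FILETIMEs, FileSize). The sample input is constructed inline and is not a real customDestinations-ms file; the function names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader signature (MS-SHLLINK 2.1): HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_SIGNATURE = (b"\x4c\x00\x00\x00"
                 b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
# Fixed 76-byte header: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three
# FILETIMEs (creation, access, write), FileSize, IconIndex, ShowCommand, HotKey,
# Reserved1..3.
HEADER_FMT = "<I16sIIQQQIiIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x4C

LINK_FLAGS = {  # low byte of LinkFlags (MS-SHLLINK 2.1.1)
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return None if ft == 0 else WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so large tick counts stay exact."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def carve_shell_links(blob):
    """Return (offset, bytes) for every embedded shell link item, in file order.

    Each item runs from its header signature to the next signature or to end of file,
    so the final item may carry trailing container bytes; the header parser below
    only relies on the fixed 76-byte header, which is always intact."""
    offsets = []
    pos = blob.find(LNK_SIGNATURE)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(LNK_SIGNATURE, pos + len(LNK_SIGNATURE))
    return [(start, blob[start:(offsets[i + 1] if i + 1 < len(offsets) else len(blob))])
            for i, start in enumerate(offsets)]


def parse_shell_link_header(item):
    """Decode the fixed ShellLinkHeader fields of one carved item into a dict."""
    if len(item) < HEADER_SIZE or not item.startswith(LNK_SIGNATURE):
        raise ValueError("carved item does not start with a ShellLinkHeader")
    (_size, _clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, showcmd, _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, item[:HEADER_SIZE])
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,
        "show_command": showcmd,
    }


def analyse_custom_destinations(blob):
    """Carve every shell link item and parse its header: the deck's 'carve and parse' step."""
    return [(off, parse_shell_link_header(item)) for off, item in carve_shell_links(blob)]


# --- Constructed sample: NOT a real customDestinations-ms file. Two minimal shell link
# headers wrapped in zero filler that stands in for the container's own structures.
def _make_header(flags, attrs, ctime, atime, wtime, fsize):
    return struct.pack(HEADER_FMT, HEADER_SIZE, LNK_SIGNATURE[4:], flags, attrs,
                       datetime_to_filetime(ctime), datetime_to_filetime(atime),
                       datetime_to_filetime(wtime), fsize, 0, 1, 0, 0, 0, 0)

T1 = datetime(2011, 3, 15, 12, 0, tzinfo=timezone.utc)
T2 = datetime(2011, 3, 16, 9, 30, tzinfo=timezone.utc)
T3 = datetime(2010, 12, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_CUSTOM_DESTINATIONS = (
    b"\x00" * 16                                   # filler in place of the file/section header
    + _make_header(0x8B, 0x20, T1, T1, T2, 4096)   # IDList+LinkInfo+RelativePath+Unicode, ARCHIVE file
    + b"\x00" * 40                                 # filler in place of the item's IDList/LinkInfo
    + _make_header(0x81, 0x10, T3, T3, T3, 0)      # IDList+Unicode, DIRECTORY target
    + b"\x00" * 8                                  # filler in place of the file's trailing bytes
)

if __name__ == "__main__":
    for offset, header in analyse_custom_destinations(SAMPLE_CUSTOM_DESTINATIONS):
        print(f"item @ 0x{offset:x}: size={header['file_size']} "
              f"written={header['write_time']} flags={header['flags']}")
```

Each carved item can be written to its own file and handed to a full link file parser, as the deck's procedure describes; the signature-based split also surfaces the incomplete streams the deck warns about, since any chunk whose LinkFlags claim structures its length cannot hold is a truncated item rather than a parser bug.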
Windows 7 Jump Lists
Carve and parse: Custom destination file.
Carve shell link item and copy or export to file.
Windows 7 Jump Lists
Carve and parse: Custom destination file.
010 Editor with LNK template.
Windows 7 Jump Lists
Carve and parse: Custom destination file.
– File properties of the extracted shell link item.
Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Structured Storage Viewer.
http://www.mitec.cz/ssv.html
Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Windows File Analyzer.
http://www.mitec.cz/wfa.html
Windows 7 Jump Lists
Items can be removed from a list. Removed items will leave gaps in the number sequence of the streams in the automatic destination file.
Stream list from MiTec’s Structured Storage Viewer.
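The gap check above is easy to automate once the stream names have been exported from a structured storage viewer. The following is an added example, not code from the deck or from MiTec's tools: it takes the list of stream names (hexadecimal counters plus the DestList stream), assumes the counter starts at 1, and reports every number missing from the sequence as a removed item. The sample listing is constructed, not taken from a real file, and the function names are this example's own.

```python
import re

# Stream names in an automaticDestinations-ms file are hexadecimal counters
# ("1", "2", ..., "a", "b", ...); "DestList" holds the ordering/metadata.
STREAM_NAME = re.compile(r"^[0-9a-f]+$")


def parse_stream_listing(names):
    """Map hex stream names to integers. Non-numeric names (DestList, anything
    unexpected) are returned separately so the caller can see what was skipped."""
    numbered, other = {}, []
    for name in names:
        if STREAM_NAME.match(name.lower()):
            numbered[int(name, 16)] = name
        else:
            other.append(name)
    return numbered, other


def find_removed_items(names):
    """Numbers missing from the 1..max sequence (assumption: the counter starts at 1).
    Each gap is a stream that no longer exists, i.e. an item removed from the list."""
    numbered, _ = parse_stream_listing(names)
    if not numbered:
        return []
    return [n for n in range(1, max(numbered) + 1) if n not in numbered]


def summarize(names):
    """Counts an examiner would note down: streams present, highest counter seen,
    removed stream numbers (as hex names), and non-numeric streams skipped."""
    numbered, other = parse_stream_listing(names)
    return {
        "present": len(numbered),
        "highest": max(numbered) if numbered else 0,
        "removed": [format(n, "x") for n in find_removed_items(names)],
        "skipped": other,
    }


# Constructed sample: a stream list as a structured storage viewer would show it;
# not copied from a real file.
SAMPLE_STREAMS = ["1", "2", "3", "5", "6", "7", "a", "b", "c", "DestList"]

if __name__ == "__main__":
    print(summarize(SAMPLE_STREAMS))
```

A gap only shows that a stream with that number no longer exists; whether it was removed by the user or pruned by the system has to come from the DestList and deleted-item review the deck goes on to describe.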
Windows 7 Jump Lists
OffVis:
– Defragment the file.
– Reparse to identify deleted items.
Windows 7 Jump Lists
OffVis: (marked entries) = deleted items.
Windows 7 Jump Lists
Stream of a list item.
Windows 7 Jump Lists
Stream of a removed item.
Windows 7 Jump Lists
Quick review: automatic and custom destination files.
– Jumplist File Extract.
– http://www.regdat.com/
Windows 7 Jump Lists
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Windows 7 forensics jump lists-rv3-public

8. Windows 7 Jump Lists
• Automatic Destinations:
  – List of “destinations.”
  – Automatically populated by the system.
  – Based on calls to SHAddToRecentDocs.
    • Collects information about data file usage.
    • Records information in the Recent Items folder, and the “using” application’s automatic destination file.
    • Sorted by recency (MRU) or frequency (MFU).
  C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Custom Destinations:
  – List of “destinations.”
  – Content maintained by the application.
    • Custom categories.
    • Tasks specific to the application.
  – Specified by the application using the ICustomDestinationList API.
  C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

9. Windows 7 Jump Lists
Windows 7: Recent folder.
  – AutomaticDestinations folder.
  – CustomDestinations folder.
  – Shortcut (.lnk) files.

10. Windows 7 Jump Lists

11. Windows 7 Jump Lists

12. Windows 7 Jump Lists
Note:
  – More automatic destination files.
  – Matched pairs share the same AppID.
  – Custom destinations have temporary files.
And so on.

13. Windows 7 Jump Lists
• AppID is based on the process name or can be specified by the application.
  – Different command arguments for the same application may result in different AppIDs.
• Applications can have more than one AppID.
  – The same process (with the same command argument) should have the same AppID across systems.
• AppID can be used to identify the application owning a destination file.
• Permits the investigator to selectively investigate destination files.

14. Windows 7 Jump Lists
Some AppIDs for common applications
AppID             Application
1b4dd67f29cb1962  Explorer (task bar folder icon)
1bc392b8e104a00e  Remote Desktop
23646679aaccfae0  Adobe Reader 9 x64
271e609288e1210a  Access 2010 x86
28c8b86deab549a1  Internet Explorer x86
290532160612e071  WinRar x64
2b53c4ddf69195fc  Zune x64
3094cdb43bf5e9c2  OneNote 2010 x86
5da8f997fd5f9428  Internet Explorer x64
74d7f43c1561fc1e  Windows Media Player
9839aec31243a928  Excel 2010 x86
9b9cdc69c1c24e2b  Notepad x64
9c7cc110ff56d1bd  PowerPoint 2010 x86
a7bd71699cd38d1c  Word 2010 x86
b8c29862d9f95832  InfoPath 2010 x86
b91050d8b077a4e8  Windows Media Center x64
be71009ff8bb02a2  Outlook x86
d64d36b238c843a3  InfoPath 2010 x86
e36bfc8972e5ab1d  XPS Viewer

15. Windows 7 Jump Lists
Anatomy of the custom destination file.
  – One or more streams in the shell link file format.
http://msdn.microsoft.com/en-us/library/dd871305(v=prot.10).aspx

16. Windows 7 Jump Lists
Anatomy of the automatic destination file.
  – Structured Storage format.
    http://msdn.microsoft.com/en-us/library/aa380369(v=VS.85).aspx
    http://msdn.microsoft.com/en-us/library/dd942138(v=prot.13).aspx
  – Containing one or more streams in the shell link file format.

17. Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: OffVis.

18. Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer: SS.exe.
• Streams.
• Higher number = more recent or more frequent.

19. Windows 7 Jump Lists
Anatomy of the automatic destination file in a structured storage viewer:
• DestList.
• Order of presentation on the jump list.

20. Windows 7 Jump Lists
Analysis of Custom Destination Files
• Review the series of shell link items in a hex editor.
Or
• Carve and parse:
  – Using a hex editor, carve out each shell link item, saving each to a separate file.
  – Use a link file parser to review the extracted shell link streams.
  – Some streams may not be complete shell items, e.g. paths.
Analysis of Automatic Destination Files
• Parse the file with a structured storage viewer and review the 1) stream enumeration and 2) shell link streams.
Or
• Carve and parse:
  – Using a structured storage parser/viewer, extract each stream to a separate file.
  – Review the DestList with a hex editor.
  – Use a link file parser to review the extracted shell link streams.
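The "carve and parse" step for a custom destination file (slides 15 and 20) amounts to finding each shell link item by its ShellLinkHeader signature and handing the bytes to a link parser. The script below is an added example, not code from the deck or from any tool it names: it carves items out of a buffer by that signature and decodes the fixed 76-byte header (MS-SHLLINK) of each one, including the FILETIME stamps that usually matter most to an examiner. The sample buffer, its fake 16-byte file header and the two paths in it are constructed for the example.

```python
"""Carve the shell link items out of a customDestinations-ms buffer and decode
each item's ShellLinkHeader (MS-SHLLINK). Added example, not code from the
slide deck. The sample buffer at the bottom is constructed."""
import struct
from datetime import datetime, timedelta, timezone

# Every shell link item begins with HeaderSize 0x0000004C followed by the link
# CLSID 00021401-0000-0000-C000-000000000046; this 20-byte prefix is the
# carving signature an examiner searches for in the hex editor.
LNK_SIGNATURE = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HEADER_LEN = 0x4C
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_ATTRIBUTE_DIRECTORY = 0x10

# LinkFlags bits (MS-SHLLINK) that say which optional structures follow the
# header, and so how much of the carved item a link parser will be able to use.
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means the field is unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the sample input."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_shell_link_header(item):
    """Decode the fixed 76-byte ShellLinkHeader at the start of a carved item."""
    if len(item) < HEADER_LEN or item[:len(LNK_SIGNATURE)] != LNK_SIGNATURE:
        raise ValueError("item does not start with a ShellLinkHeader")
    # LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize,
    # IconIndex, ShowCommand, HotKey; the remaining 10 bytes are reserved.
    flags, attrs, ctime, atime, wtime, fsize, icon, show, hotkey = struct.unpack_from(
        "<IIQQQIiIH", item, len(LNK_SIGNATURE))
    return {
        "link_flags": flags,
        "link_flag_names": [n for bit, n in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs,
        "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,
        "show_command": show,
    }


def carve_shell_links(buf):
    """Return (offset, item_bytes) for every shell link item in buf. Each item runs
    from its signature to the next signature or the end of the buffer, the same
    split made by hand in a hex editor. Bytes before the first signature (the
    file's own header and category records) are skipped, and a trailing record
    that is not a shell item, e.g. a bare path, stays attached to the item before it."""
    starts = []
    pos = buf.find(LNK_SIGNATURE)
    while pos != -1:
        starts.append(pos)
        pos = buf.find(LNK_SIGNATURE, pos + 1)
    return [(s, buf[s:(starts[i + 1] if i + 1 < len(starts) else len(buf))])
            for i, s in enumerate(starts)]


def analyze_custom_destinations(buf):
    """Carve every item and decode its header; the offset and length let the
    examiner return to the same bytes in the hex editor or a full LNK parser."""
    results = []
    for offset, item in carve_shell_links(buf):
        info = parse_shell_link_header(item)
        info["offset"] = offset
        info["length"] = len(item)
        results.append(info)
    return results


def _header(flags, attrs, when, fsize):
    """Build a constructed ShellLinkHeader for the sample input only."""
    ft = datetime_to_filetime(when)
    return LNK_SIGNATURE + struct.pack("<IIQQQIiIH", flags, attrs, ft, ft, ft,
                                       fsize, 0, 1, 0) + b"\x00" * 10


# Constructed stand-in for a customDestinations-ms file: a fake 16-byte header,
# then two link items, each followed by the kind of UTF-16 string data that
# trails a real shell link (one file destination, one folder destination).
SAMPLE_CUSTOM_DESTINATIONS = (
    b"\x02\x00\x00\x00" + b"\x00" * 12
    + _header(0x9B, 0x20, datetime(2010, 1, 1, tzinfo=timezone.utc), 18432)
    + "C:\\Users\\[Profile]\\Documents\\report.docx".encode("utf-16-le")
    + _header(0x9B, 0x10, datetime(2010, 3, 15, 9, 30, tzinfo=timezone.utc), 0)
    + "\\\\server\\share\\projects".encode("utf-16-le")
)

if __name__ == "__main__":
    for entry in analyze_custom_destinations(SAMPLE_CUSTOM_DESTINATIONS):
        print(entry["offset"], entry["length"], entry["write_time"],
              "dir" if entry["is_directory"] else "file", entry["link_flag_names"])
```

Against a real file, read the bytes with `open(path, "rb").read()` and pass them to `analyze_custom_destinations`; each carved item can then be written to its own file for the link parser, as the slide describes. The signature carve only finds records that begin with a ShellLinkHeader, which is exactly the caveat on slide 20: entries that are just paths do not carry the header and have to be read directly in the hex editor.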
21. Windows 7 Jump Lists
Carve and parse: Custom destination file.
. . . Carve shell link item and copy or export to file.

22. Windows 7 Jump Lists
Carve and parse: Custom destination file.
010 Editor with LNK template.

23. Windows 7 Jump Lists
Carve and parse: Custom destination file.
  – File properties of the extracted shell link item.

24. Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Structured Storage Viewer.
http://www.mitec.cz/ssv.html

25. Windows 7 Jump Lists
Carve and parse: Automatic Destination Files.
MiTec’s Windows File Analyzer.
http://www.mitec.cz/wfa.html

26. Windows 7 Jump Lists
Items can be removed from a list.
Removed items will leave gaps in the number sequence of the streams in the automatic destination file.
Stream list from MiTec’s Structured Storage Viewer.
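Slides 18, 19 and 26 give the two facts an examiner uses when reading the stream list of an automatic destination file: the hex-numbered streams are ordered so that a higher number is more recent or more frequent, and a missing number means an item was removed. The script below is an added example, not the deck's code or any tool it mentions: given the stream names as a structured storage viewer lists them, it orders the numbered streams, names the newest one, and reports the gaps. Reading the names from an actual .automaticDestinations-ms file uses the third-party olefile package, which is assumed to be installed only for that path; the sample stream list is constructed.

```python
"""Order the numbered streams of an automaticDestinations-ms file and flag gaps
in the numbering, which the deck identifies as removed items. Added example,
not from the slide deck. Enumerating streams from a real file uses the
third-party olefile package; the ordering and gap logic needs only the names."""
try:
    import olefile  # external dependency, only needed by enumerate_streams()
except ImportError:
    olefile = None


def numbered_streams(stream_names):
    """Map stream number -> stream name for every stream whose name is a hex
    number. DestList and any other non-numeric name are left out."""
    numbered = {}
    for name in stream_names:
        try:
            numbered[int(name, 16)] = name
        except ValueError:
            continue  # DestList, or something a viewer added such as a path prefix
    return numbered


def list_order(stream_names):
    """Stream names from least recent/frequent to most (higher number = more
    recent or more frequent, per the deck)."""
    numbered = numbered_streams(stream_names)
    return [numbered[n] for n in sorted(numbered)]


def newest_stream(stream_names):
    """Name of the highest-numbered stream, or None if there are no numbered streams."""
    numbered = numbered_streams(stream_names)
    return numbered[max(numbered)] if numbered else None


def find_gaps(stream_names):
    """Numbers missing between the lowest and highest stream number present.
    Each gap is an item that was removed from the list: its stream is gone but
    the numbering of its neighbours still shows where it sat."""
    numbered = numbered_streams(stream_names)
    if not numbered:
        return []
    return [n for n in range(min(numbered), max(numbered) + 1) if n not in numbered]


def enumerate_streams(path):
    """Stream names of an actual .automaticDestinations-ms file (needs olefile)."""
    if olefile is None:
        raise RuntimeError("install the olefile package to read streams from a file")
    ole = olefile.OleFileIO(path)
    try:
        return ["/".join(parts) for parts in ole.listdir(streams=True, storages=False)]
    finally:
        ole.close()


# Constructed stream list of the kind a structured storage viewer shows for an
# automatic destination file: numbered shell link streams plus the DestList.
SAMPLE_STREAMS = ["1", "2", "3", "5", "6", "8", "a", "DestList"]

if __name__ == "__main__":
    print("order:", list_order(SAMPLE_STREAMS))
    print("newest:", newest_stream(SAMPLE_STREAMS))
    print("removed (gaps):", find_gaps(SAMPLE_STREAMS))
```

A gap tells the examiner that an item was removed and where in the sequence it sat, not what it pointed to; recovering the content of a removed stream is the separate step the deck covers next with OffVis (defragment the file, then reparse to identify deleted items).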
27. Windows 7 Jump Lists
OffVis:
  – Defragment the file.
  – Reparse to identify deleted items.

28. Windows 7 Jump Lists
OffVis: = deleted items.

29. Windows 7 Jump Lists
Stream of a list item.

30. Windows 7 Jump Lists
Stream of a removed item.

31. Windows 7 Jump Lists
Quick review: automatic and custom destination files.
  – Jumplist File Extract.
  – http://www.regdat.com/

32. Windows 7 Jump Lists