Understanding and Demonstrating working of Jumplists

 

To understand and demonstrate working of jumplists from data forensic perspective by using jumplists view tool.

Jump Lists basically created for providing the quick access to the recently opened documents for respective application. Which is first introduced in the Windows 7.

For data forensic perspective, By using Jumplists forensic investigator can analyse the suspect's activity like tracking recently opened application, when the file or application opened or closed, etc. Jumplists provide the Most Recently Used and Most Frequently Used list for respective application which is helpful for data forensic.

There are two sets created for storing jumplists in windows:

AutomaticDestinations

This is automatically generated by Operating System when any file or application opened. The files stored in it, has .automaticDesinations-ms extension. To access this file we need to go through the following path.

C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

CustomDestinations

This is used for storing the jumplists which is created when the user pins a file or application. The files stored in it, has .customDesinations-ms extension. To access this file we need to go through the following path.

C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

We can get useful information from these files by using following tools:

  • JLECmd (Jump List Parser) by Eric Zimmerman
  • JumpList Explorer (GUI based Jump List viewer) by Eric Zimmerman
  • JumpListsView by NirSoft

JumpListsView is a basic tool that displays the information stored by the Jump Lists files. 

JumpListView_Tool

We can also be save these information in file or make html report for data forensics purpose.

JumpListsView Saving

Comments

Post a Comment

Popular posts from this blog

Basics Forensics Imaging with dd, dcfldd, and dc3dd

Image
  Linux Data acquiring commands DD (Data Dump) dd is use in Linux or Unix operating systems for cloning or converting the files. dd can create bit-by-bit copy of physical drive to generate the image. This image can be used by most of the forensics purposes. Some practical examples on dd command: To backup the entire hard disk:  To backup a complete copy of a hard disc to a different hard disc connected to the identical system, execute the dd command as shown.      # dd if=/dev/sda of=/dev/sdb      'if ' referred as input file, and of referred as output fie. We must be mentioned input and output file carefully. To copy, drive to drive using dd command as shown below, sync option allows you to replicate everything using synchronized input/output.     # dd if=/dev/sda of=/dev/sdb conv=noerror, sync To backup a Partition: You can use the device name of a partition in the input data file, and into the output data either you will be able ...
Read more

Study and install Pro-discover and Encase free version

Image
  Pro-discover Pro-discover is a software in a digital forensics that helps investigators to acquire the evidence from computer device. Pro-discover is mostly used in digital forensics and incident response. By using Pro-discover tool, we can create a image of any disk drive or storage drive to analyse, discover the data for investigation. Some key features of Pro-discover includes: Preview and Image Disks Investigate all filesystems Analyse email artifacts and web Report generation (hash value or automatic) View Internet History You need to install first Pro-Discover basic software which is available freely. After that opening it, we will see the following launch dialog for creating a new project. Mention the project number and project file name on it and click open button. Standard format of Project Number is like  '001-HDD-1-27-07-2022'  and Project File Name is  'SampleDemo-001-HDD-1-27-07-2022'. Then click on the Capture and Add Image which is in the left h...
Read more