Tools: Magnet Forensics AXIOM version 4.7

Since Windows 7, Jump Lists and LNK files have been a valuable source of computer user activity for forensic investigators. Windows users can create shortcut files on the systems they use. A shortcut file is a small file which holds information used to access, or point to, another file (Lee, FOR500 Windows Forensic Analysis Textbook, Volume 3 Core Windows Forensics II: USB Devices and Shell Items 2018, 8). Shortcut files are most often referred to as Link files by forensic analysts based on their.

In addition to user-created LNK files, the Windows operating system automatically creates LNK files when a user opens a non-executable file or document. Windows creates these LNK files frequently, and their creation happens in the background without the explicit knowledge of the user. Within a LNK file, Windows records several pieces of information about the target file which the LNK file is designed to access (13Cubed 2017). Some of these pieces of information include:
The original file system path where the target file is stored.
Timestamps for both the target file and the LNK file itself.
The attributes associated with the target file (i.e.
The system name, volume name, volume serial number, and sometimes the MAC address of the system where the target is stored.
Whether the target is stored on a local or remote system.

LNK files are user-profile specific in that they are recorded per user on the system. Windows-generated LNK files are stored in the folder C:\Users\\AppData\Roaming\Microsoft\Windows\Recent. The information contained in LNK files is invaluable to forensic analysts investigating user file activity (FOR500 Windows Forensic Analysis Textbook, Volume 3 Core Windows Forensics II: USB Devices and Shell Items 2018, 13), including:
A USB investigation to identify files opened from a specific removable USB device but never saved locally to the system.
The user's knowledge of specific files opened, whether those files were stored on the local system, attached removable devices, or network storage.
The identification of files which no longer exist on a local machine. While a deleted file which was previously opened (generating a LNK file) no longer exists on the system, the system may retain the LNK file recorded to access the deleted file.

Jump Lists were introduced with the release of Windows 7. Jump Lists are automatically created by Windows to allow users to 'jump to' or access items they frequently or recently accessed. Jump Lists are software-application specific in that they record files opened from a specific software application. To access a Jump List, the user right-clicks the software application on the task bar (e.g. Microsoft Word) and a list of recent documents associated with that application is displayed (SANS Forensics 408 Windows Forensic Analysis Volume 4, Core Windows Forensics Part III 2014, 25).

There are two variations of Jump Lists: Automatic Destinations and Custom Destinations. Automatic Destinations contain features which are common across all software applications. Automatic Destinations contain the file extension. Automatic Destinations are compound files which contain multiple data streams within the single file. Within Automatic Destinations, each stream contains an embedded LNK entry which can be extracted and parsed. The DestList stream acts as a Most Recently Used (MRU) list for files opened from the software application (13Cubed 2017).

Custom Destinations have application-specific features which can vary based on the developer's decision to implement them. Custom Destinations have the file extension. Custom Destinations can also contain a series of LNK entries for files opened using the software application (13Cubed 2017).

Jump Lists are associated with software applications through Application IDs (AppIDs). AppIDs are unique identifiers which are universal across all Windows systems (SANS Forensics 408 Windows Forensic Analysis Volume 4, Core Windows Forensics Part III 2014, 27-28). All that is required of the forensic analyst is to determine the software application associated with a Jump List AppID.
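As an added example, not code from the original post, the following parses the fixed ShellLinkHeader that begins every LNK file (including the LNK entries embedded in Automatic Destinations streams), which is where the target's timestamps, attributes and size are recorded; the sample header bytes are constructed inside the block, and the path and volume data that follow the header in a real file are not decoded here.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK ShellLinkHeader: a fixed 0x4C-byte block at the start of every .lnk file.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-0046
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE"}

def filetime_to_utc(ft):
    """FILETIME counts 100ns ticks since 1601-01-01 UTC; divide by 10 for microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used only to build the constructed sample below."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def is_lnk_header(data):
    """True if data starts with the HeaderSize (0x4C) and LinkCLSID magic of a LNK file."""
    return len(data) >= 0x4C and data[:20] == struct.pack("<I", 0x4C) + LNK_CLSID

def parse_lnk_header(data):
    """Decode the target metadata carried in the fixed header; raise if it is not a LNK."""
    if not is_lnk_header(data):
        raise ValueError("not a ShellLinkHeader")
    (_size, _clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, show_cmd) = struct.unpack_from("<I16sIIQQQIiI", data, 0)
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "attributes": [name for bit, name in FILE_ATTRS.items() if attrs & bit],
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(wtime),
        "target_size": fsize,
        "show_command": show_cmd,
    }

def build_sample_header():
    """Constructed sample (not a real artifact): a 4096-byte, archive-flagged target."""
    created = datetime(2018, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    modified = datetime(2018, 3, 4, 5, 6, 7, tzinfo=timezone.utc)
    flags = 0x01 | 0x02 | 0x80  # IDList and LinkInfo present, string data is Unicode
    fixed = struct.pack("<I16sIIQQQIiIH", 0x4C, LNK_CLSID, flags, 0x20,
                        utc_to_filetime(created), utc_to_filetime(modified),
                        utc_to_filetime(modified), 4096, 0, 1, 0)  # ShowCommand 1 = SW_SHOWNORMAL
    return fixed + b"\x00" * (0x4C - len(fixed))  # Reserved1/2/3 are zero

if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_header()).items():
        print(f"{key}: {value}")
```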