Investigating Forensics Values of Windows Jump Lists Data

Ahmad Ghafarian

Abstract


Starting with Windows 7, Microsoft introduced a new feature to the Windows operating systems called Jump Lists. Jump Lists store information about user activities on the host machine. These activities may include links to recently visited web pages, applications executed, or files processed. Computer forensics investigators may find traces of misuse in Jump Lists auto-saved files. In this research, we investigate the forensic value of Jump Lists data. Specifically, we use several tools to view Jump Lists data on a virtual machine. We show that each tool reveals certain types of information about the user's activity on the host machine. This paper also presents a comparative analysis of the tools' performance. In addition, we suggest a different method of viewing the contents of hidden folders, present another approach for deleting files from hidden folders, and propose an innovative way of gaining access to application identification numbers (AppIDs).

Keywords


Windows 7, Jump Lists, operating systems, computer forensics tools, virtual machine, VM





Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.


(c) 2006-2015 Association of Digital Forensics, Security and Law