digital investigation - cyber forensicator...is done then entry would not appear in the list...

13
A forensic insight into Windows 10 Jump Lists Bhupendra Singh * , Upasna Singh Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India article info Article history: Received 22 December 2015 Received in revised form 16 February 2016 Accepted 18 February 2016 Available online xxx Keywords: Jump lists Windows forensics Windows 10 LNK le analysis DestList abstract The records maintained by Jump Lists have the potential to provide a rich source of evi- dence about usershistoric activity to the forensic investigator. The structure and artifacts recorded by Jump Lists have been widely discussed in various forensic communities since its debut in Microsoft Windows 7. However, this feature has more capabilities to reveal evidence in Windows 10, due to its modied structure. There is no literature published on the structure of Jump Lists in Windows 10 and the tools that can successfully parse the Jump Lists in Windows 7/8, do not work properly for Windows 10. In this paper, we have identied the structure of Jump Lists in Windows 10 and compared it with Windows 7/8. Further, a proof-of-concept tool called JumpListExt (Jump List Extractor) is developed on the basis of identied structure that can parse Jump Lists in Windows 10, individually as well as collectively. Several experiments were conducted to detect anti-forensic attempts like evidence destruction, evidence modication and evidence forging carried out on the records of Jump Lists. Furthermore, we demonstrated the type of artifacts recorded by Jump Lists of four popular web browsers with normal and private browsing mode. Finally, the forensic capability of Jump Lists in Windows 10 is demonstrated in terms of activity timeline constructed over a period of time using Jump Lists. © 2016 Elsevier Ltd. All rights reserved. Introduction Jump Lists as a new feature was introduced in July 2009 with the release of Windows 7 and continued in later versions of Windows including Windows 10. Jump Lists are created by software applications or Operating System so that the user can jumpdirectly to recently opened les and folders. The feature displays a limited number of items in Start or Taskbar, however, most of the recorded data is not displayed. In Windows 7/8, users can customize the number of Jump List items to be displayed by modifying the Registry value through regeditapplication (Lyness, 2012). However, there is no way to change the number of Jump List items to be displayed in Windows 10, as it is hard coded. Jump Lists maintain the records of recently accessed les and folders and group them as per application basis. Before the feature was introduced, forensic analysts had access to a short list of Most Recently Used (MRU) and Most Frequently Used (MFU) items in the Windows Registry (Lyness, 2012). Jump Lists can provide a lot more infor- mation about user's history and actions than MRU and MFU items. Jump Lists analysis can reveal useful information relating to les accesses, including the MRU and MFU list used by a user or application, le name, le path, MAC (Modied, Accessed, and Created) timestamps, volume name from which the le was accessed, and the history of uploaded and downloaded les through web browsers. These artifacts persist even after the les and their target applications are removed from the system (Larson, 2011). Since the release of Windows 7, the structure and arti- facts recovered from Jump Lists have been widely discussed in various forensic communities. Lallie and Bains (2012) presented the structure of Jump Lists in Windows 7. * Corresponding author. Tel.: þ919673095708. E-mail addresses: [email protected] (B. Singh), [email protected] (U. Singh). Contents lists available at ScienceDirect Digital Investigation journal homepage: www.elsevier.com/locate/diin http://dx.doi.org/10.1016/j.diin.2016.02.001 1742-2876/© 2016 Elsevier Ltd. All rights reserved. Digital Investigation 17 (2016) 1e13

Upload: others

Post on 10-Apr-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

A forensic insight into Windows 10 Jump Lists

Bhupendra Singh*, Upasna SinghDept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India

a r t i c l e i n f o

Article history:Received 22 December 2015Received in revised form 16 February 2016Accepted 18 February 2016Available online xxx

Keywords:Jump listsWindows forensicsWindows 10LNK file analysisDestList

a b s t r a c t

The records maintained by Jump Lists have the potential to provide a rich source of evi-dence about users’ historic activity to the forensic investigator. The structure and artifactsrecorded by Jump Lists have been widely discussed in various forensic communities sinceits debut in Microsoft Windows 7. However, this feature has more capabilities to revealevidence in Windows 10, due to its modified structure. There is no literature published onthe structure of Jump Lists in Windows 10 and the tools that can successfully parse theJump Lists in Windows 7/8, do not work properly for Windows 10. In this paper, we haveidentified the structure of Jump Lists in Windows 10 and compared it with Windows 7/8.Further, a proof-of-concept tool called JumpListExt (Jump List Extractor) is developed onthe basis of identified structure that can parse Jump Lists in Windows 10, individually aswell as collectively. Several experiments were conducted to detect anti-forensic attemptslike evidence destruction, evidence modification and evidence forging carried out on therecords of Jump Lists. Furthermore, we demonstrated the type of artifacts recorded byJump Lists of four popular web browsers with normal and private browsing mode. Finally,the forensic capability of Jump Lists in Windows 10 is demonstrated in terms of activitytimeline constructed over a period of time using Jump Lists.

© 2016 Elsevier Ltd. All rights reserved.

Introduction

Jump Lists as a new feature was introduced in July 2009with the release of Windows 7 and continued in laterversions of Windows includingWindows 10. Jump Lists arecreated by software applications or Operating System sothat the user can “jump” directly to recently opened filesand folders. The feature displays a limited number of itemsin Start or Taskbar, however, most of the recorded data isnot displayed. In Windows 7/8, users can customize thenumber of Jump List items to be displayed bymodifying theRegistry value through ‘regedit’ application (Lyness, 2012).However, there is no way to change the number of JumpList items to be displayed in Windows 10, as it is hardcoded.

Jump Lists maintain the records of recently accessedfiles and folders and group them as per application basis.Before the feature was introduced, forensic analysts hadaccess to a short list of Most Recently Used (MRU) andMostFrequently Used (MFU) items in the Windows Registry(Lyness, 2012). Jump Lists can provide a lot more infor-mation about user's history and actions thanMRU andMFUitems. Jump Lists analysis can reveal useful informationrelating to files accesses, including the MRU and MFU listused by a user or application, file name, file path, MAC(Modified, Accessed, and Created) timestamps, volumename from which the file was accessed, and the history ofuploaded and downloaded files through web browsers.These artifacts persist even after the files and their targetapplications are removed from the system (Larson, 2011).

Since the release of Windows 7, the structure and arti-facts recovered from Jump Lists have beenwidely discussedin various forensic communities. Lallie and Bains (2012)presented the structure of Jump Lists in Windows 7.

* Corresponding author. Tel.: þ919673095708.E-mail addresses: [email protected] (B. Singh),

[email protected] (U. Singh).

Contents lists available at ScienceDirect

Digital Investigation

journal homepage: www.elsevier .com/locate/d i in

http://dx.doi.org/10.1016/j.diin.2016.02.0011742-2876/© 2016 Elsevier Ltd. All rights reserved.

Digital Investigation 17 (2016) 1e13

Page 2: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

Smith (2013) described a methodology to identify fraudu-lent documents using Jump Lists. There are many tools(Woan, 2013; MiTec, 2010; NirSoft, 2013; TZWorks, 2013)available to parse and view Jump Lists in Windows 7 andWindows 8, but none of them could successfully parseJump Lists in Windows 10 as few fields in DestList streamare modified or added in Windows 10.

In this paper, we identified the new structure of JumpLists in Windows 10 and compared it with existing ones.Further, a software tool, JumpListExt is developed to viewand parse the Jump Lists based on the identified structure.Several experiments are carried out to demonstrate theimportance of Jump Lists in a forensic investigation. Theresults show that a forensic timeline of user activities canbe constructed by aggregating data extracted from all JumpLists. The results also demonstrate that if any deletion ordeliberate tampering is done in a Jump List file, then tracesof such anti-forensic activities can be identified.

Motivation and research method

Though, there is limited literature published on thestructure of DestList stream in Windows 7/8, we could notfind any work related to new DestList stream structure inWindows 10. Also, none of the existing tools could suc-cessfully parse the Jump Lists in Windows 10.

For studying Jump Lists, the research method used inthis paper is based on observations and experiments. Foridentifying the Jump List structure, different experimentswere conducted and the identified structure is comparedwith the existing ones. Based on the identified structure, aproof-of-concept tool, called JumpListExt has been devel-oped to parse the Jump Lists in Windows 10. Several ex-periments were conducted on four test computers:desktop, laptop and a virtual machine runningWindows 10Pro and other desktop running Windows 7 Professional. Anumber of activities on each computer were performed likeinstalling and uninstalling applications; creating, deletingand accessing files with these applications; visiting

websites, downloading and uploading files through webbrowsers and web searches using Cortana. These activitieswere performed on each computer in random order tocreate Jump List files. These test Jump Lists were thenparsed using JumpListExt and conclusions drawn on thebasis of observations are discussed in Experiments section.In addition to this, Jump Lists from several other computerswere collected and parsed to evaluate the consistency ofJump List structure and to validate conclusions.

Identifying Windows 10 Jump List structure

Two types of Jump Lists are created within user's profileby Operating System or applications when a user performscertain actions. One is automaticDestinations-ms (autoD-est) files in AutomaticDestinations subdirectory and theother is customDestinations-ms (custDest) files in Cus-tomDestinations subdirectory. The full path to both types ofJump Lists are as follows:

� AutoDest: %UserProfile%yAppDatayRoamingyMicrosoftyWindowsyRecentyAutomaticDestinations

� CustDest: %UserProfile%yAppDatayRoamingyMicrosoftyWindowsyRecentyCustomDestinations

These are hidden files and clicking through the directorystructure using Windows Explorer will not reveal them.

Fig. 1. Location of automaticDestinations-ms files in Windows 10.

Table 1New applications with their AppIDs in Windows 10.

AppID Application name

5f7b5f1e01b83767 Quick Access4cb9c5750d51c07f Movies & TV (Windows Store App)a52b0784bd667468 Photos (Windows Store App)ae6df75df512bd06 Groove Music (Windows Store App)f01b4d95cf55d32a File Explorer Windows 8.1/109d1f905ce5044aee Microsoft Edge Browser

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e132

Page 3: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

These files can be viewed in Windows Explorer by enteringthe full path as the location. Fig. 1 shows the location ofautoDest files in Windows 10.

Each Jump List file is namedwith a 16-digit hexadecimalnumber called AppID (Application Identifier) followed byan extension automaticDestinations-ms orcustomDestinations-ms. AppIDs are calculated by Win-dows OS for individual applications based on the fileapplication path (Larson, 2011) and can be used to namethe applications. So if the AppID is known then it canprovide useful information for identifying the name of theapplication. Table 1 shows newly introduced applicationswith their AppIDs in Windows 10. The algorithm used tocreate the AppIDs is CRC-64 checksum obtained from theapplication path. It means that change in the path of anapplication to a non-default location would result in adifferent AppID (Lyness, 2012).

AutoDest Jump Lists

The autoDest files are Microsoft CFB (Compound FileBinary) format files, also known as OLE (Object Linking andEmbedding) files. AutoDest files are created by WindowsOS and each file's name consists of unique AppID followedby extension an ‘automaticDestinations-ms’. These files actas a container for individual hexadecimal numberedSHLLINK streams and a DestList stream. Each hexadecimalnumbered stream follows the structure similar toWindowsShortcut (LNK) file. Thus, artifacts from any hexadecimalstream can be extracted and viewed using any LNK parser(Parsonage, 2010). The DestList stream, which follows aparticular structure, records the order of file accesses andaccess count of each file that may serve as MRU and MFUlist, respectively. The DestList stream structure inWindows

7 andWindows 8 is same, however, it has been modified inWindows 10.

DestList structureTo the best of our knowledge, there is no published in-

formation available regarding the structure of DestListstream in Windows 10 Jump Lists, at the time of writingthis paper. Through various examinations conducted with ahex editor, we could confirm that the DestList streamstructure in Windows 10 is different from Windows 7 andWindows 8. It was possible to figure out the major portionsof DestList stream in Windows 10, however, the purpose offew areas remains unknown and may be identified further.

There are two portions of DestList stream: DestListheader and DestList Entry. DestList header (32 byteslength) records the useful information such as total numberof current Entries, last issue Entry ID number, pinned En-tries, and number of added/deleted/re-opened actions.Fig. 2 shows hexadecimal view of DestList header in Win-dows 10 followed by Table 2 which shows the comparisonof existing and identified DestList header structure.

Following the header, each Entry in the DestList has 130bytes as opposed to 114 bytes in Windows 7/8, plus a var-iable length Unicode string data. Majority of the new Entrystructure is same as in the earlier versions except few newfields and four additional null bytes added after variablelength Unicode string data. In the new Entry structure, 4bytes counter from offset 116 to 119 is added that recordsthe access count of the individual Entries. The Entry havingthe largest access count signifies the MFU item.

Fig. 3 shows hexadecimal view of DestList Entry struc-ture in Windows 10. In the example, the first 8 bytes (atoffset 15,676) is checksum or hash of Entry that ensures theintegrity of Entry data. If any change in Entry data (betweenthe first byte and the last byte before the Entry string data)

Fig. 2. DestList header structure in Windows 10.

Table 2Comparison of existing and identified DestList header structure.

Offset Size (bytes) Description

DestList header structure in Windows 7/8(Lyness, 2012; Lallie and Bains, 2012)

DestList header structure in Windows 10

0e3 4 Version number (value 1) Version number (value 3)4e7 4 Total number of current Entries Total number of current Entries8e11 4 Total number of pinned Entries Total number of pinned Entries12e15 4 Floating point value, some kind of counter Unknown value16e23 8 Last issued Entry ID number Last Issued Entry ID number24e31 8 Number of add/delete actions e increments as

Entries are added and deletedNumber of add/delete/re-open actions e also increments asEntries are added, deleted and existing Entries are re-opened

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e13 3

Page 4: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

is done then Entry would not appear in the list displayed instart/taskbar. Volume ID and Object ID are used to describethe file location at any point in time. By default NTFS em-beds two file locations (New and Birth) and both values aresame until file is moved from one volume to another.Windows OS creates 16 bytes Object ID to uniquely identifya file on a volume. The structure of Object ID can reveal theimportant artifacts such as timestamp of boot session (inGMT), sequence number (MFT Entry number) and MACaddress of the primary network card in the computer(Parsonage, 2010). At offset of 16 bytes from 15,748, thelocation is reserved for NetBIOS name padded with nullbytes. The next 4 bytes are reserved for Entry ID numberwhich is used to ascertain the order in which Entries wereadded to list. At offset of 8 bytes from 15,776 signifies thetimestamp (in GMT) of last recorded access of the Entry. Atoffset of 4 bytes from 15,792, is access count of the Entrywhich indicates the number of times the file was accessed.In the last portion of Entry structure is the variable lengthEntry string data followed by four null bytes that signifiesfull path to file. Table 3 shows the comparison of existingand identified DestList Entry structure.

CustDest Jump Lists

The custDest files are created by software applicationsand its name consists of unique AppID followed by anextension customDestinations-ms. These Jump Lists arespecified by the applications using ICustomDestinationList

API (Larson, 2011). As compared to autoDest files, these filesfollow different structure of sequential SHLLINK binaryformat. This type of Jump List files are limited in numberand created mainly by web browsers and Windows MediaPlayer. Web browsers create custDest files to record theuser's web history on the system. For example,969252ce11249fdd.customDestinations-ms file is created by

Mozilla Firefox that contains the timestamps and webhistory. Windows Media Player creates 74d7f43c1561fc1e.-customDestinations-ms file that records file path of playedmusic.

Designing parser for Windows 10 Jump Lists

This section describes the parsing method of both typesof Jump Lists in Windows 10. A Python-based GUI toolnamed as JumpListExt1 is developed based on this method,to parse individual Jump Lists. JumpListExt also has thefunctionality to parse and list aggregated data of all JumpLists files in Windows 10. There are two modules in thesource code,2 one for decoding LNK stream and the otherfor decoding DestList stream.

Parsing AutoDest Jump List

As discussed in section 3, autoDest files are OLE filesacting as a container for multiple SHLLINK streams and aDestList stream. Microsoft defined OLE files store multiplekind of objects within an object. For this, a simple fil-esystem like FAT is implemented within an OLE file. Asingle OLE file can be treated as a hierarchical collection ofstorage and stream objects that are analogous to directoriesand files, respectively (MSDN, 2015a). In Python 3.4, we canlist all stream objects in an OLE file by importing olefilepackage. Below is the snippet of listing of all stream objectsin an OLE file.

The code lists all LNK streams and a DestList streamavailable in the given AppID. A LNK stream starts with 4bytes signature 0x0000004C (decimal value 76) that

Fig. 3. DestList Entry structure in Windows 10.

1 https://sourceforge.net/projects/jumplistext/.2 https://sourceforge.net/p/jumplistext/code/ci/master/tree/.

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e134

Page 5: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

represents the header size. DestList stream starts with 4bytes version number which is 0x00000003 (decimal value3) in Windows 10. Fig. 4 shows the flowchart for parsing anautoDest Jump List file.

Decoding LNK streamLNK streams can be decoded using any available LNK

parser as Microsoft has not modified its format inWindows10. Also, the description of LNK file structure is provided byMicrosoft in its Open Specifications Program for file for-mats (MSDN, 2015b). According to it, each LNK file consistsof a header block of 76 bytes, location information block,data strings block and optional extra blocks. The developedtool decodes Modified, Accessed and Created timestamps(in UTC) from LNK header; Drive Type, Serial Number andVolume Name from location information block and Local-BasePath from data strings block. In addition to this, a LNKfile may consist a link tracker properties data block thatcontains machine identifier, New and Birth Volume andObject IDs.

Volume and Object IDs fields are used to describe thelocation of a file at any point in time. Object ID is used touniquely identify a file or directory on a volume. All ObjectIDs are stored on the volume and not maintained on FATfilesystem. When a file is created on a NTFS filesystemwithan application, two Volume and two Object IDs (New andBirth) are embedded in the Jump List created by thatapplication. These two file locations are same until the fileis moved from one volume to another. Fig. 5 shows the twodifferent Volume IDs when the file has been moved fromone volume to other volume.

As shown in Fig. 5, after 16 bytes of New Volume ID, thenext 16 bytes describe Object ID that is UUID (UniversallyUnique Identifier) specification which is created using the

system time and system MAC address. Thus, decoding anObject ID can reveal these forensic artifacts. The structureof an Object ID is discussed in Table 4 with an example. Theprocess of decoding of Object ID back to system time issame as given by Parsonage (2010).

Decoding DestList streamIf the value of first four bytes of the stream in the

autoDest file is not 76, then it is DestList stream. DestListstream contains a header of 32 bytes followed by 130 bytesfixed structure plus a variable length Entry data for eachEntry in DestList. In Windows 10, header starts with0x00000003 (decimal value 3) that represents the versionnumber. From the header, total number of current Entriesand last issued Entry ID number can be extracted.Following the header, Entries are stored in sequential orderfollowing the structure presented in Table 3. The Volumeand Object IDs are also created for each Entry in its struc-ture and can be decoded as discussed above. We can iteratethe process of decoding Entry data for each Entry present inDestList stream.

Parsing CustDest Jump List

This type of Jump List files follows a different structureof sequential SHLLINK streams. These SHLLINK streams canbe extracted and parsed using the same module developedfor decoding LNK stream in autodest file.

Aggregating data of all Jump Lists

The developed tool also has the functionality of parsingall Jump List files and listing the aggregated data on userinterface. For aggregating the data, the tool first parses all

Table 3Comparison of existing and identified DestList Entry structure.

Offset Size (bytes) DestList entry structure in Windows 7/8(Lyness, 2012; Lallie and Bains, 2012)

Offset DestList entry structure in Windows 10

Description Size (bytes) Description

0e7 8 A checksum or hash of the Entry 0e7 8 A checksum or hash of the Entry8e23 16 New Volume ID 8e23 16 New Volume ID24e39 16 New Object ID 24e29 16 New Object ID40e55 16 Birth Volume ID 40e55 16 Birth Volume ID56e71 16 Birth Object ID 56e71 16 Birth Object ID72e87 16 NetBIOS Name padded with zero to

maximum length 16 bytes71e87 16 NetBIOS Name padded with zero to

maximum length 16 bytes88e95 8 Entry ID number 88e91 4 Entry ID number96e99 4 Floating point counter to record each

time the file is accessed notnecessarily opened

92e99 8 In all test ‘0x00 0x00 0x00 0x00’

100e107 8 MSFILETIME of last recorded access 100e107 8 MSFILETIME of last recorded access108e111 4 Entry pin status ‘0xFF 0xFF 0xFF 0xFF’

means unpinned, otherwise acounter starting at zero

108e111 4 Entry pin status ‘0xFF 0xFF 0xFF 0xFF’means unpinned, otherwise a counterstarting at zero

112e113 2 Length of Unicode string data 112e115 4 In all tests, ‘0xFF 0xFF 0xFF 0xFF’114- variable Entry string data 116e119 4 A counter that consistently increases as

files are re-opened (access count)120e127 8 In all test ‘0x00

0x00 0x00 0x00’128e129 2 Length of Unicode

string data130- variable Entry string data followed

by ‘0x00 0x00 0x00 0x00’

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e13 5

Page 6: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

autoDest files under the AutomaticDestinations directoryand then parses all custDest files under the Custom-Destinations directory. This parsed data from both type offiles is then aggregated and listed on user interface. If weparse all files, and select ‘Export’ option, the tool creates aSQLite database named as JumpListData.sqlite containingaggregated data in a table named Jump. The schematic di-agram of tool for aggregating data is shown in Fig. 6.

Experiments

Experiments were conducted in three main categories,namely, for detection of anti-forensic attempts carried outon the Jump Lists; for identifying the type of informationrecorded in Jump Lists of different web browsers in normal

and private browsing mode and finally to assimilate atimeline of user activities over a period of time using JumpLists. The detection of anti-forensic attempts have beendemonstrated for three possible cases, i.e., evidencedestruction (deleting Entries from Jump List), evidencemodification (modifying content of Jump List) and evidenceforging (forging Jump Lists of Windows 10 by Jump Lists ofWindows 7/8). The following subsections demonstrate thesaid experimental results.

Deleting entries from Jump List

For each Entry in autoDest Jump List, an Entry IDnumber is reserved in its DestList Entry structure. DestListheader contains total number of current Entries and the last

Fig. 5. Volume and Object IDs of a LNK stream in an autoDest Jump List.

Table 4Object ID structure.

Fig. 4. A Flowchart for parsing an autoDest Jump List.

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e136

Page 7: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

issued Entry ID number to keep track of allocated Entries inJump List. In the last 8 bytes of DestList header, there is acounter that increments by two if a new Entry is created.However, counter increments by one if an existing Entry isopened or removed from the Jump List. Any Entry from theJump List can be removed by right clicking the mouse andselecting ‘Remove from this list’ option. If an Entry isdeleted from the Jump List, the deletion can be detected intwo ways:

� If the last issued Entry ID number is not equal to the totalnumber of current Entries in the Jump List.

� If one or more values in the numerical sequence of is-sued Entry ID number is missing.

Fig. 7 shows the DestList header of Microsoft Word 2013Jump List before deletion. It can be deduced that no Entry isremoved from the Jump List as total number of currentEntries and the last issued Entry ID number are same. FromFigure, it is also evident that few Entries are accessed more

than one time (access count >1) because if all 8 Entrieswere accessed only once then the counter value (number ofadd/delete/re-open actions) would have been 2� 8 ¼ 16while it is 39. We parsed this Jump List file (see Fig. 8) andthe access count of all Entries in DestList was added to be31. If the counter value is Z, the last issued Entry ID numberis L, then it was observed that the following equation willhold:

Z ¼ LþXen¼L

en¼1

Access Counten (1)

Where Access Counten is access count of Entry ID numberen.

To see the differences in the DestList header, weremoved the Entry ID number 6 from the Word 2013 JumpList. Fig. 9 shows the DestList header after deleting the saidEntry.

It can be observed that the counter value is incrementedby one after deletion and total number of current Entries

Fig. 6. Schematic diagram of aggregating data extracted from all Jump Lists.

Fig. 7. DestList header of Microsoft Word 2013 Jump List before deletion.

Fig. 8. Parsed output of Microsoft Word 2013 Jump List.

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e13 7

Page 8: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

are now 7. If few Entries are removed from the Jump List,then number of deleted Entries (say D) can be calculated asD ¼ L� C where C is number of current Entries in the JumpList and access count of the deleted Entries can be calcu-lated using the Equation (2).

Z ¼ LþXen¼C

en¼1

Access Counten þ D (2)

Carving the deleted entriesWe observed that when an Entry is removed from the

Jump List, the size of DestList stream is reduced by the sizeof deleted Entry structure (130 bytes þ length of Unicodestring data). However, whole or part of LNK stream of thedeleted Entrymay still be present in Jump List. If whole LNKstream of the deleted Entry is available in the Jump List,then it can be carved by saving the LNK stream to a separatefile with extension LNK, using a hex editor. A Python-basedLNKParser.py script3 was developed for parsing the extrac-ted LNK files. If multiple Entries are removed from the Jump

List, the process can be repeated to carve the individualdeleted Entries. Fig. 10, shows the LNK stream of the EntryID number 6 before the Entry was removed. The size of thestream is 864 bytes starting from 4 bytes signature0x0000004 C at offset 9280 to offset 10,143.

Fig. 11 shows the LNK stream of Entry number 6 afterremoval of Entry. File header, link target identifier andlocation information elements are overwritten with thedata of existing Entries. However, the last 448 bytes are stillpresent in the Jump List including the data strings,distributed link tracker data properties and extra blocks.Since the LNK header is missing, the available blocks in LNKstream can be parsed manually.

Data string block in LNK file format records the Local-BasePath which signifies the basepath to target file. Thenext link tracker block starts with 4 byte signature0x00000060 (decimal value 96) containing 16 bytes formachine identifier, 16 bytes for New Volume ID,16 bytes forNewObject ID,16 bytes for Birth Volume ID and 16 bytes forBirth Object ID. From Volume and Object IDs, the time-stamp of boot session, sequence number and MAC addressof the system can be extracted as discussed in Designingparser for Windows 10 Jump Lists. Thus, we can detectand identify the deletions and can calculate the access

Fig. 10. Before deletion of an Entry from the Jump List.

Fig. 9. DestList header of Microsoft Word 2013 Jump List after deletion.

3 https://sourceforge.net/p/jumplistext/code/ci/master/tree/.

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e138

Page 9: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

count of the deleted Entries using Equation (2). However,complete carving of the deleted Entries from Jump Lists isstill a forensic research challenge.

Modifying content of Jump List

This experiment was conducted to simulate the condi-tion in which the user of suspected system modifies thecontent of an autoDest Jump List in order to produce falseevidence. The modifications in the content of the Jump Listcan be done with the help of any hex editor. Two differentexperiments were performed to detect the modificationscarried out in the content of a LNK stream and DestListstream. For this, Notepad application was considered andnew text files were created and few existing text files wereopened from both fixed and removable media devices, thuscreating 9b9cdc69c1c24e2b.automaticDestinations-ms JumpList. In first experiment, the content of any LNK stream inthis Jump List was modified. The Fig. 12 shows the Volumename as SANDISK-USB and LocalBasePath asH:ysecret_text2.txt present in LNK stream. Now the Vol-ume name and LocalBasePath is modified as shown inFig. 13. In second experiment, the content of DestListstream was modified.

It was observed that when any modification in thecontent of the any Jump List is done, Windows creates abackup copy of that Jump List file with the same namefollowed by bak extension. Modifying the LNK stream

content does not affect list displayed in start/taskbar even ifwe change the whole data (except 4 bytes signature) ofindividual LNK streams. The snapshot of parsed data usingJumpListExt, shown in Fig. 14 is from modified9b9cdc69c1c24e2b.automaticDestinations-ms file. It wasalso observed that modifications done are not persistentand exist until the file is accessed again. Also, the modifi-cation traces are evidentiary if the whole LNK stream ismodified then it can be easily detected by the DestList dataof the same Entry ID number. However, if the part of thedata in LNK stream which cannot be constructed fromDestList stream, is modified then such modifications canonly be detected by moving to target file location andvalidating the metadata with the parsed metadata.

If we change any byte of the Entry data in DestListstream except the data string, then that item is not dis-played due to mismatch in checksum or hash value.Further, if any new files are accessed by the consideredapplication after such modifications, then no new Entrieswill be added in the Jump List. This provides the requisitemechanism to identify the modifications in the DestListstream.

Forging Jump Lists of Windows 10 by Jump Lists of Windows 7/8

This experiment was conducted to detect the conditionin which a user of suspected system replaces its Jump Lists

Fig. 12. Before modification of Volume name and LocalBasePath.

Fig. 13. After modification of Volume name and LocalBasePath.

Fig. 11. After deletion of the Entry from the Jump List.

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e13 9

Page 10: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

from any benign system running same or different distri-butions of Windows OS, in order to mislead the forensicinvestigator. In this case, same version of an application(Adobe Reader 11.0) was installed at its default directory ontwo systems (one suspected and other benign) runningdifferent distributions of Windows OS. The suspected sys-tem was running Windows 10 Pro with computer name“john” while the other system was running Windows 7Professional with computer name “diat-hp”. On both thesystems, a series of activities were performed randomly bycreating new pdf files and opening the existing files withthis installed application to create ff103e2cc310d0d.auto-maticDestinations-ms file. This autodest Jump List file insuspected system was then replaced with the same JumpList created in Windows 7 system. Subsequently, few moreoperations were performed with the considered applica-tion in suspected system to see the changes in the replacedJump List file, which was then parsed through JumpListExtfor analysis.

Parsing LNK stream or DestList stream exposes themachine name and system MAC address, as Volume andObject IDs are maintained for each accessed file in LNKstream and DestList stream of Jump List. Fig. 15 shows theDestList data of the ff103e2cc310d0d.automaticDestinations-ms file with two different NetBIOS name. This informationcan easily reveal the possible forgery of Jump Lists in asuspected system. However, if the files are accessed fromremovable media devices (FAT filesystem) then it is difficultto identify forgery frommachine name andMAC address asVolume and Object IDs are not maintained on FAT fil-esystem. Further, was observed that no item is displayed instart/taskbar of the suspected system until we perform atleast one operation with the application under consider-ation. However, in a different experiment with both sys-tems running same OS (Windows 10 Pro), replacing the

Jump List of an application in system1 with Jump List ofsame name in system2, displayed the accessed items withthat application in system1, without performing suchactions.

Information recorded in Jump Lists of different web browser

Cortana is one of the new features introduced in Win-dows 10. A user can perform text or voice search on localcomputer or on web using this feature. If a web search isperformed using Cortana, then search is directed to thedefault web browser in the system. For example, if thedefault web browser is Microsoft Edge then the search re-sults are obtained by Bing search engine. Otherwise thesearch results are obtained by the search engine of thedefault web browser. The Jump List created by any browserused as default in Windows 10 always records the URLaddress and timestamp of web search in its DestList stream.Two different experiments were carried out to test the typeof information recorded in four popular browsers’ JumpLists. In first experiment, Microsoft Edge browser wasselected as the default web browser and Google as defaultsearch engine. Random text and voice searches were per-formed using Cortana followed by downloading anduploading of files, thus creating 9d1f905ce5044aee.auto-maticDestinations-ms file. It was observed that for each websearch, only the Entry ID number, the last recorded access(timestamp of search), access count (always 1 for eachEntry) and Data (URL located in the address bar) arerecorded in the DestList stream of the Jump List file. Fig. 16shows the search string and related artifacts after parsingthe Jump List of Microsoft Edge browser. No informationwas recorded related to downloaded or uploaded files inthe Jump List.

Fig. 15. NetBIOS and MAC address displayed in Jump List.

Fig. 14. Parsed output after modifying the content of a Jump List.

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e1310

Page 11: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

In second experiment, Mozilla Firefox 42.0 was installedand selected as default web browser. Again, random textand voice searches were performed using Cortana followedby downloading and uploading of files which created969252ce11249fdd.automaticDestinations-ms file. It wasobserved that this Jump List file contained informationrelated to downloaded and uploaded files along with thesearch strings (see Fig. 17). However, it is difficult todistinguish between downloaded and uploaded files fromthe Jump List. Also, if the files are downloaded with anydownload manager, information related to such files arenot stored in browser's Jump List.

A comparison based on above methodology was con-ducted on four web browsers, namely, Microsoft Edge,Mozilla Firefox 42.0, Google Chrome 47.0 and Opera 34.0.The results of the recorded artifacts in Jump Lists of theseweb browsers are shown in Table 5.

Aggregating data of all Jump Lists for construction of activitytimeline

Jump Lists contains a treasure of information forcreating different timelines of the activities performed on asystem. Through Jump Lists analysis, forensic investigatorcan know the accessed, created, modified files and theiraccess count between the two time instances. This exper-iment was performed to construct a timeline of user ac-tivities performed on a computer running Windows 10 Profor a period of 10 days starting from 01 Dec 2015 12:00:00AM to 10 Dec 2015 12:00:00 AM. For this, several applica-tions were installed and number of files were created,accessed and modified with preinstalled and user installed

applications, in random order, resulting in creation of aJump List for each application. For creating the timeline,JumpListExt was run and “Parse all” option was selected,which created a SQLite database named JumpListData.sqlitecontaining aggregated data extracted from all Jump Lists.This database consists a table with name Jump having 14columns with header name AppID, ENo, NetBIOS Name, LastRecorded Access, Modified, Accessed, Created, Access Count,DriveType, VolumeName, BirthTimestamp, BirthMAC, SeqNoand Data for each Entry in a Jump List. Fig. 18 shows theaggregated data of all Jump Lists containing only seven (outof 14) columns, for visual convenience.

It can be seen from Fig. 18 that the systemwas started at9:31:57 AM on 03 Dec 2015 (refer column name Birth).Subsequently, file name indicated as 1 in Fig. 18 wasaccessed at 9:43:07 AM on the same day (refer columnname Last Recorded Access) which was accessed for the2nd time (refer column name Access Count). After this, filename indicated as 2 in Fig. 18 was created at 12:15:28 PM,followed by accessing of file name indicated as 3 in Fig.18 at12:50:20 PM (refer column name Last Recorded Access),which was accessed for the 3rd time (refer column nameAccess Count). In this way the activity timeline of 10 dayswas created and is shown in Table 6.

Discussion of results

The results of first experiment, aimed at detecting anti-forensic attempts, demonstrate that if few Entries aredeleted from a Jump List then it can be easily detected andidentified. Also, part of the deleted Entries can be carvedand parsed manually. An equation is established on the

Fig. 17. Artifacts recorded in Jump List of Mozilla Firefox 42.0 web browser.

Fig. 16. Artifacts recorded in Jump List of Microsoft Edge browser.

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e13 11

Page 12: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

basis of observations to calculate the access count of thedeleted Entries. The results of second experiment, fordetection of modified Entries, demonstrate that deliberatetampering with the Jump List data can be detected byvalidating the data of an Entry in LNK streamwith the dataof the same Entry in DestList stream. However, if tamperingis done with the data field of an Entry that is not stored inDestList like MAC timestamps, then it is difficult to detectsuch deliberate tampering from Jump List. The result ofthird experiment, for detection of forged Entries, demon-strates that if the Jump Lists with the same name, createdby the same application running on two different com-puters (with same or differentWindows OS), then the JumpList analysis can reveal forgery based on computer nameand unique MAC address. The results of the fourth experi-ment show that web searches performed by different webbrowsers, using Cortana, can be extracted for forensicanalysis by parsing the Jump Lists created by these webbrowsers. Further, it was observed during this experimentthat the Jump List of Mozilla Firefox 42.0 (one of the fourweb browsers considered for analysis) also records the ar-tifacts related to uploaded and downloaded files in normalbrowsingmode. The results of last experiment demonstratethat the aggregated data created by parsing all Jump Listscan prove to be very useful for construction of activitytimelines. For this, a SQLite database as the case file ofaggregated data is created while parsing all Jump List files,which can be used by investigators to filter this data basedon requirement.

Limitations

The developed software tool presented in this paperfocuses on parsing and displaying the parsed data on userinterface. We can also export the parsed data into aSQLite database by selecting the ‘Export’ button in Filemenu of software. The software tool can be extended torun SQL query on the created database from user inter-face so that the investigators can filter and list the databased on requirement. Future endeavors would be toenable automation for user defined analysis of the parseddata.

Conclusion

Jump Lists analysis can provide detailed forensic insightinto users' activities that can be utilized for forensic anal-ysis to construct a timeline of activities. Jump Lists provideartifacts pertaining to file creation, access, modification ordeletion which can be of immense importance to a forensicinvestigator in cases when user's activity history is of in-vestigator's interest.

In this paper, the Jump List structure ofWindows 10 wasidentified and compared with Windows 7/8. The newlyadded or modified field values in DestList stream revealmore information for forensic analysis. Based on the iden-tified structure, a software tool has been developed forparsing Jump Lists, individually as well as collectively. Theresults of the experiments demonstrate that if evidence

Fig. 18. Aggregated data of LNK and DestList stream for each Jump List.

Table 5A comparison of recorded artifacts in Jump Lists of different web browsers.

Browsers Web search strings on Cortana Uploading/downloading a file

Normal browsing mode Private browsing mode Normal browsing mode Private browsing mode

Microsoft Edge ✓ ✓ � �Mozilla Firefox 42.0 ✓ ✓ ✓ �Google Chrome 47.0 ✓ ✓ � �Opera 34.0 ✓ ✓ � �

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e1312

Page 13: Digital Investigation - Cyber Forensicator...is done then Entry would not appear in the list displayed in start/taskbar. Volume ID and Object ID are used to describe the file location

destruction or evidence tampering is done then such in-consistencies can be detected by parsing the individualJump Lists. However, for identification of such deliberateattempts, forensic investigators can combine and correlatethe information from other sources such as WindowsShortcut (LNK) files and Prefetch. Forensic investigators caneffectively use Jump Lists for gathering informationregarding web searches (using Cortana) performed on asuspected system as well as for constructing activitytimelines of any user on a suspected system. Also, forensicinvestigators can use CAT Detect tool developed byMarrington et al. (2011) to detect inconsistencies in thetimelines constructed using this type of system logs. Theresults of the experiments conducted in this paper high-light the added information available in the Jump Lists ofWindows 10 and can prove to be promising in the field offorensic investigation.

Further research scope

There are three main areas of research on Jump Lists inWindows 10. The major portions of the DestList streamwere successfully identified. However, purpose of fewfields remain unknown thus leaving the opportunity toexplore more about it. Secondly, carving DestList data ofthe deleted Entries from a Jump List can be a part ofresearch. Finally, construction of activity timelines requires

manual analysis of the extracted data and can be auto-mated in future.

References

Lallie HS, Bains P. An overview of the jumplist configuration file in win-dows 7. J Digital Forensics Secur Law 2012;7:15e28.

Larson T. Forensic examination of windows 7 jump lists. 2011. http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public[accessed 15.10.2015].

Lyness R. Forensic analysis of windows 7 jump lists. 2012. http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/ [accessed 19.10.2015].

Marrington A, Baggili I, Mohay G, Clark A. Cat detect (computer activitytimeline detection): a tool for detecting inconsistency in computeractivity timelines. Digit Investig 2011;8:S52e61.

MiTec. Structured storage viewer. 2010. http://www.mitec.cz/ssv.html[accessed 20.11.2015].

MSDN. [ms-cfb]: compound file binary file format. 2015. https://msdn.microsoft.com/en-us/library/dd942138.aspx [accessed 12.11.2015].

MSDN. [ms-shllink]: shell link (.lnk) binary file format. 2015. http://msdn.microsoft.com/enus/library/dd871305(PROT.10).aspx [accessed11.11.2015].

NirSoft. Jumplistsview. 2013. http://www.nirsoft.net/utils/jump_lists_view.html [accessed 10.09.2015].

Parsonage H. The meaning of linkfiles in forensic examinations [computer-forensics.parsonage.co.uk/downloads/themeaningoflife.pdf]. 2010.

Smith GS. Using jump lists to identify fraudulent documents. DigitInvestig 2013;9:193e9.

TZWorks. Windows jump list parser (jmp). https://tzworks.net/prototype_page.php?proto_id¼20; 2013 [accessed 22.11.2015].

Woan M. Jumplister. 2013. http://www.woanware.co.uk/forensics/jumplister.html [accessed 10.06.2015].

Table 6Activity timeline of 10 days.

Date Time Activity

03 Dec 2015 9:31:57 AM The system was started9:43:07 AM File#1 was accessed 2nd time from OS volume12:15:28 PM File#2 was created on OS volume12:50:20 PM File#3 was accessed 3rd time from softwares volume

06 Dec 2015 11:58:42 AM The system was started12:04:04 PM File#4 was accessed from softwares volume

07 Dec 2015 8:58:05 AM The system was started9:13:47 AM File#5 was created on OS volume and accessed11:20:49 AM File#6 was created on removable media named SANDISK-USB11:22:12 AM File#6 was accessed again from the same removable media11:29:03 AM File#7 was created on softwares volume and accessed11:31:04 AM File#7 was accessed 2nd time from the same volume11:42:27 AM File#8 was created on OS volume and accessed

10 Dec 2015 9:50:58 AM The system was started10:00:31 AM File#9 was created on OS volume10:01:16 AM File#9 was modified10:03:32 AM File#9 was accessed again from the same volume

B. Singh, U. Singh / Digital Investigation 17 (2016) 1e13 13

View publication statsView publication stats