In order to fully understand digital analysis, we need to have an understanding of the foundational methodology, as well as the various constituent artifacts on which a case may be built. The foundational methodology starts with your goals…what are you attempting to prove or disprove…and once you understand the goals of your analysis, you can assemble the necessary artifacts to leverage in pursuit of those goals.
Like many of the artifacts we might examine on a Windows system, Jump Lists can provide useful information, but they are most useful when viewed in conjunction with other artifacts. Viewing artifacts in isolation deprives the analyst of valuable context.
Dr. Brian Carrier recently published an article on Jump List Forensics over on the CyberTriage blog. In that article, he goes into a good bit of depth regarding both the Automatic and Custom Jump Lists, and for the sake of this article, I’m going to cover just the Automatic Jump Lists.
As Brian stated in his article, Jump Lists have been around since Windows 7; I’d published several articles on Jump Lists going back almost 14 years at this point. Jump Lists are valuable to analysts because they’re (a) created as a result of user interaction via the Windows Explorer shell, (b) evidence of program execution, and (c) evidence of data or file access.
Automatic Jump Lists follow the old Windows OLE “structured storage” format. Microsoft refers to this as the “compound file binary” fo
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: