## Introduction

Anyone used to Windows has probably noticed that pressing the Windows (Start) button, or right-clicking a document program on the taskbar, shows a "Recent items" list of recently opened files. Because a file the user recently worked on is likely to be opened again, Microsoft added a convenience feature from Windows 7 onward that collects the files and programs the user has recently used. From a digital forensics point of view, however, this is more than a convenience: it is an important artifact from which information about the files a user recently opened, modified or created can be obtained. This article takes a detailed look at the Jump List artifact left behind when a program or document file is run.

> [!NOTE] How is this different from a link (LNK) file?
>
> Functionally, a Jump List can be thought of as similar to a link file, and its purpose is in fact the same. The biggest difference is that an LNK file is an artifact for files and folders in the file system, whereas a Jump List is an artifact for the items on the Windows taskbar and Start menu. The information stored, and the location it is stored in, also differ.

## Path

Jump List files are consistently located under a `Recent` directory, but the `Recent` directory itself can be created in several places, so every candidate location should be checked. `%APPDATA%` below stands for the AppData path, i.e. `C:\Users\%Username%\Appdata\Local` or `C:\Users\%Username%\Appdata\Roaming`.

```
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
%APPDATA%\Microsoft\Windows\Recent\CustomDestinations
%APPDATA%\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
%APPDATA%\Roaming\Microsoft\Windows\Recent\CustomDestinations

*Jump List icon cache
%APPDATA%\Microsoft\Windows\Recent\IconCache.db
%APPDATA%\Microsoft\Windows\Explorer\iconcache_*.db
(* is a wildcard: any file name matching this pattern)
```

Looking at the paths where Jump Lists are located, there are two main types: `AutomaticDestinations` and `CustomDestinations`. The difference between the two is worked out in the Data chapter.

## Data

So far the Jump List artifact has only been described briefly: it stores a list of programs and files the user has used. The natural questions are which programs are recorded, when, and under which category. As in our other articles, each section below looks in detail at when and why the Jump List stores its data.

### Jumplist Type & Creation Rule

In our tests on Windows 11, the Jump List feature is disabled by default.
It is also disabled by default on Windows 10. The feature can be turned on or off under `Personal Setting > Start`.

![[Untitled 31.png]]

You will also notice that the Jump List is divided into several categories: options such as `Recently Added Apps` and `Most Used App` can be disabled individually, and these categories reflect information as the user sees it. Before going into the structure, each category is introduced from the user's point of view.

- **Recent (Recently Used App)**: a Jump List of recently used directories and programs. The system displays up to 10 items related to recent activity. The number 10 is not fixed; it depends on a user setting (the default is 10). The maximum number of entries is known to be somewhere between 60 and 120 (we will cover this experiment later).
- **Frequent (Most Used / Visited)**: a Jump List of the most used programs, decided by the system. The variables it is known to consider are "latest executed/modified time", "program run count" and "execution duration"; the weighting the system applies to them is not public.
- **Tasks**: a program can define specific tasks of its own, such as "Open New Window" or "Restore Recent Window". This type of function is called "Tasks", both here and by Windows itself.
- **Pinned**: items a user pins manually. Right-clicking an item in File Explorer offers a "Favorites" option, and selecting it pushes the item into the Pinned category (also known as Favorites).

The four types above are categories defined by user activity. Does the system also store these lists separately? If you are not asking that question, you should be, because Windows saves this data in several different ways.
As explained in previous articles, the Windows file system and registry mostly use flags written inside the data structure for this kind of distinction. The Jump List is unusual in that it uses a different method, one already mentioned at the start of this article; if you do not remember it, check the [[#Path|Path]] section again. As you will recall, the data is saved in either `AutomaticDestinations` or `CustomDestinations`. The difference is that Jump List data the user interacts with directly, such as Pinned items, is saved in the `CustomDestinations` directory. Each directory has a slightly different file format, so the two are explained separately.

### Automatic-Destinations

Under the `AutomaticDestinations` folder are files with the `.automaticDestinations-ms` extension. The file name before the extension is a 16-character hex string (15 characters when the value starts with 0). Each hex string is the result of running a path through a CRC calculation; the path is encoded as Unicode before the CRC is computed.

`AutomaticDestinations` files mostly use the OLECF file format ([Object Linking and Embedding Compound File](https://github.com/libyal/libolecf/blob/master/documentation/OLE%20Compound%20File%20format.asciidoc)). Inside the OLECF file, the data of interest is in a stream named exactly `DestList`. `DestList` has a 32-byte header followed by multiple DestList entries. More detailed information about the data structure can be found in [this document](https://github.com/libyal/dtformats/blob/main/documentation/Jump%20lists%20format.asciidoc).

To analyze an `automaticDestinations-ms` file, you first need to understand the OLECF format and then the DestList data structures. This article does not walk through the data structure itself, so it is more useful to know what kind of information is written in it.
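The file-naming rule above in working code, as an added example that is not the article's own code or that of any tool: it derives the AppID hex string from an application path and uses it to attribute Jump List files to programs. The CRC parameters (non-reflected CRC-64, polynomial `0x92C64265D32139A4`, initial value `0xFFFFFFFFFFFFFFFF`, no final XOR, over the upper-cased UTF-16LE path) are an assumption taken from public research, not from this article; the 15-digit handling follows the article's note about values starting with 0.

```python
# Added example, not the article's code: derive the AppID hex string that names a
# Jump List file from an application path, and use it to attribute files to programs.
# Assumption (from public research, not from this article): non-reflected CRC-64 with
# polynomial 0x92C64265D32139A4, initial value 0xFFFFFFFFFFFFFFFF and no final XOR,
# computed over the path upper-cased and encoded as UTF-16LE without a BOM.
from typing import Dict, Iterable, Optional

POLY = 0x92C64265D32139A4
INIT = 0xFFFFFFFFFFFFFFFF
MASK = 0xFFFFFFFFFFFFFFFF


def crc64(data: bytes, poly: int = POLY, init: int = INIT) -> int:
    """Bit-at-a-time CRC-64, MSB first, no reflection, no final XOR."""
    crc = init
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & MASK if crc & (1 << 63) else (crc << 1) & MASK
    return crc


def app_id(app_path: str) -> str:
    """16-hex-digit AppID for an application path; Windows paths are case-insensitive."""
    return f"{crc64(app_path.upper().encode('utf-16-le')):016x}"


def file_name_to_app_id(file_name: str) -> str:
    """Normalise a Jump List file name to 16 lowercase hex digits. The article notes that
    a value starting with 0 shows up with 15 digits, so the leading zero is restored."""
    stem = file_name.split(".", 1)[0].lower()
    if not 15 <= len(stem) <= 16 or stem.strip("0123456789abcdef"):
        raise ValueError(f"not a Jump List file name: {file_name}")
    return stem.zfill(16)


def build_app_id_table(app_paths: Iterable[str]) -> Dict[str, str]:
    """Precompute AppID -> path for a list of candidate executables."""
    return {app_id(p): p for p in app_paths}


def resolve(file_name: str, table: Dict[str, str]) -> Optional[str]:
    """Attribute a Jump List file to an application, or None if no candidate matches."""
    return table.get(file_name_to_app_id(file_name))
```

In practice the candidate list comes from the executables present on the evidence image; a file whose AppID matches none of them still records activity, it just needs manual attribution.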
The following is the main information recorded in an `automaticDestinations-ms` file.

- GUID of a file
- Hostname
- Modified FILETIME
- File path

### Custom-Destinations

Custom-Destinations files have the `.customDestinations-ms` extension. What they share with Automatic-Destinations files is the naming convention: the file name ends in the same kind of hex string, created in the same way. A Custom-Destinations file consists of a file header, link file entries and a file footer; sometimes additional data is also present in the file. Handling every element of the data structure is limited by the lack of publicly known information (more research needed!), so this chapter covers the significant contents the file holds.

**File Header**
- the number of entries the file has
- 32 bytes in size

**LNK File Entry** ([[(EN) LNK file]])
- a GUID of the type found in an LNK file
- the data stream used in an LNK file
- checksum value

**File Footer**
- `0xbabffbab`

**Additional Data**
- a GUID of the type found in an LNK file
- the data stream used in an LNK file

## Conclusion

It is somewhat unsatisfying that so little is known about the data structure, but at least some information about it is available. We have also seen that there is a correlation between the Jump List and LNK files, so with a sufficient understanding of [[(EN) LNK file]] this article should not be hard to follow. In practice, understanding the logic by which the Jump List handles its data matters more than knowing exactly which data is stored in it. In real-world cases, what matters is knowing which file is connected through the Jump List, and the modification timestamp of the Jump List file, which defines a user activity.
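Tying the Path section and the Custom-Destinations structure together, as an added example that is not the article's own code or any tool's: it inventories the Jump List files under a profile's `Recent` directory, records each file's modification time (the user-activity hint named in the conclusion), and applies two cheap format checks, the `0xbabffbab` footer from the section above and, for the OLECF containers, the compound file header signature `D0 CF 11 E0 A1 B1 1A E1`, which the article does not list and is assumed here from the OLECF specification.

```python
# Added example, not the article's code: inventory the Jump List files under a
# profile's Recent directory and apply two cheap format checks from the article.
import os
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

OLECF_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound file header signature (assumed)
CUSTOM_FOOTER = 0xBABFFBAB                         # article's footer; on disk: ab fb bf ba
SUBDIRS = {"AutomaticDestinations": ("automatic", ".automaticDestinations-ms"),
           "CustomDestinations": ("custom", ".customDestinations-ms")}


@dataclass
class JumpListFile:
    kind: str          # "automatic" or "custom"
    app_id: str        # hex string from the file name (15 or 16 digits per the article)
    path: str
    modified_utc: str  # file system modification time, a hint for the last activity
    size: int
    well_formed: bool  # passed the format check for its kind


def check_file(kind: str, path: str) -> bool:
    """Automatic files must start with the OLECF magic; custom files must end in the footer."""
    with open(path, "rb") as fh:
        data = fh.read()
    if kind == "automatic":
        return data[:8] == OLECF_MAGIC
    return len(data) >= 4 and struct.unpack("<I", data[-4:])[0] == CUSTOM_FOOTER


def inventory(recent_dir: str) -> List[JumpListFile]:
    """Walk <recent_dir>\\AutomaticDestinations and <recent_dir>\\CustomDestinations."""
    found: List[JumpListFile] = []
    for subdir, (kind, ext) in SUBDIRS.items():
        folder = os.path.join(recent_dir, subdir)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if not name.lower().endswith(ext.lower()):
                continue
            full = os.path.join(folder, name)
            st = os.stat(full)
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            found.append(JumpListFile(kind, name[:-len(ext)], full, mtime,
                                      st.st_size, check_file(kind, full)))
    return found
```

Point `inventory()` at the `Recent` directory of a mounted profile (one of the paths from the Path section); a file that fails its check is worth a closer look rather than being discarded, since truncated or partially overwritten Jump Lists still carry entries.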