Forensic analysis of recently accessed files - jumplist analysis

-
Part of the series (1 of 3) Windows artifact analysis.

When it comes to detect recently accessed files, Windows offers wide variety of artifacts which may be helpful for enlighting forensic investigations. As there are many items -so called artifacts- exist for that particular reason, one of those artifacts, which is automatically created by Windows is called jumplist.

Jumplists are system artifacts that are created to keep track of recently accessed files. As those files can be viewed typing "recent" on the run command, the list which comes up might be the whole thing. Especially during forensic investigations, it is important to make sure that all the available information is collected completely. For that very reason, all jumplist files must be reached from the custodian's computer and inspected throughly.

Two types of jumplists are created when user opens up a file; automatic (.automaticDestinations-ms) file and custom (.customDestinations-ms) file. The main difference between is that while automatic destinations folder includes wide variety of last accessed items such as apps, documents and files, custom destinations folder usually includes items containing web browser and media player activities.

Locating jumplists manually

Depending changing number of computer users, number of jumplists contained inside pc might vary.In this case, we should make sure to detect the right jumplist file for the correct user. 

Both automatic destinations and custom destinations files can be found following the path given below.

Automatic Destinations: C:\Users\%UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Custom Destinations:
C:\Users\%UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Note that both file paths can only be reached using internet browsers as they are hidden. After typing correct path on the browser, both folders that are containing relevant jumplist files will show up.






Locating and extracting jumplists using EnCase

In case we are working on a case on EnCase, we can use pre-created EnPacks to locate the jumplist files existing on the computer. For that purpose, we can use the following EnPack to detect and extract relevant files in excel format, which makes it easier to analyze jumplist content compared to analyzing manually extracted automatic and custom destination files.

After running the EnPack given above, EnCase creates an excel file as an output, which displays intersected version of both automatic destinations files and destlist file which exists within the same ms file. The output is in tab delimited spreadsheet format, which includes recently accessed files list including path of file, creation and last accessed time, volume serial number and drive type information helping to understand where the recently accessed data resides.

Analyzing jumplist files manually using JumpListExt

JumpListExt is a tool that allows us to parse jumplist files which later on can be extracted and opened in SQLite. 

When a jumplist file is opened in JumpListExt, 2 sub-files can be seen, which are called as LinkFile and DestList files. Those 2 files contains following informations about recent accessed folders respectively:

LinkFile: Information on last modified date, last accessed date (Basically MFT file meta data), device type (removable or fixed drive), file path and etc. 

DestList: Information on last recorded access date, access count, file path and etc. 

Here we can see how jumplists containing LinkFile and DestList is looks when it is opened in JumpListExt:










As it is given as LinkFile and DestList file above, jumplists give wide variety of information about where recent files and documents are located, when the contents of those files and documents are changed, how many times those files are reached. 

Jumplist files also play crucial role at possible data leakage investigations as it contains useful information on target data path and target drive volume name.

Yorumlar

Yorum Gönder

Bu blogdaki popüler yayınlar

Setting up FTK Imager on Ubuntu OS installed USB Drive

-
One of the most suitable methods for disk imaging is using Linux distributions. For this process, the operating system must have FTK Imager software installed, which allows image capture with the E.01 extension. Among the Linux distributions, only the Deft Zero operating system comes with this application pre-installed. For other Linux distributions, the FTK Imager software needs to be installed within these systems to perform imaging. The Ubuntu operating system allows direct imaging on devices with the new generation (UEFI) boot system without switching to the Legacy Boot Option in the UEFI interface, unlike other Linux versions. Therefore, it is recommended to use Ubuntu on customer devices where the Legacy option does not appear in the Boot Option or where Boot settings cannot be changed. First, a folder is created within the Ubuntu USB with write and delete permissions: sudo mkdir /opt/ftk-imager sudo chmod 777 /opt/ftk-imager The FTK Imager.tar file, located on another USB, is...
Devamı

Extracting hash values from MS Office files using John The Ripper on Linux

-
Resim
Part of the series (1 of 2) cracking password protected MS Office files. When we encrypt a document such as xls, xlsx, docx etc., the password we use for encryption is usually kept (embedded) as a calculated hash inside source code of the file. Hence, the most important thing here is to define the correct approach which will be the most useful for detecting and extracting that hash file.  What is hash? Hash is a product of a information that is calculated using a hashing algorithm. Saying that, each hashing algorithm has different calculation methods, so that aspects and calculating times vary for each of them. I prefer to keep that section short, as we will take a detailed look into it in another post. MS Office hashing algorithm formats For protected office files, usually combined hashing algorithms are preferred. As they vary on the MS office version, a hashing file belonging to MS Office 2013 will usually look like the following format:  MS Office ⇐ 2003 MD5 + RC4, oldoffi...
Devamı

Cracking password protected MS Office files using Hashcat

-
Part of the series (2 of 2) cracking password protected MS Office files. Whether it is a forensic investigation or even in private life, we might need to open a password protected file which might contain a personal information or information that can change the direction of investigation. For those files, unlike common belief, depending on the length of password, it is actually possible to crack the file reach the data inside. But in order to that, we must have the correct tools and right approach.  In this article, I am going to show how to crack a password protected MS office file using Hashcat on Linux Ubuntu OS step by step. Extracting password hash from the file In our case, we are going to have example.xlsx file which is protected with password. The first thing to do here is to extract the hash of the password which can be done using John The Ripper. This step is explained in my previous article, which can be found here . Note that we are going to need the text file that is...
Devamı