Introducing FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.
Scenario
You're tasked with examining a VMware virtual disk. On your way to acquire the .vmdk file, you notice that there's not one, but several .vmdk files. A split VM! You know FTK Imager supports mounting .vmdk, so you go ahead and attempt to mount it. But...it only accepts one .vmdk file!
The Solution
Combine those .vmdk files into one, single .vmdk. You can do this with the vmware-vdiskmanager CLI tool that comes with VMware. Simply run the command below and mount the resulting file in FTK Imager. Success!
vmware-vdiskmanager.exe -r theFirstVmdkFile.vmdk -t 0 singleFileResult.vmdk
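An added pre-flight check, not part of the original post: the small .vmdk without an -sNNN suffix is the descriptor that -r takes, and it lists every extent file the merge needs. Parsing it first confirms the disk really is split and that no extent is missing from the acquisition before vmware-vdiskmanager is run. The descriptor text, file names and sector counts below are constructed.

```python
import os
import re
from collections import namedtuple

# Constructed descriptor for a disk split into 2 GB extents. Real descriptors
# use the same line syntax: <access> <sectors> <type> "<extent file>".
SAMPLE_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
encoding="windows-1252"
CID=fffffffe
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "evidence-s001.vmdk"
RW 4192256 SPARSE "evidence-s002.vmdk"
RW 2097152 SPARSE "evidence-s003.vmdk"

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "8"
ddb.geometry.cylinders = "652"
"""

Extent = namedtuple("Extent", "access sectors kind filename")

_EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')
_KV_RE = re.compile(r'^(\w[\w.]*)\s*=\s*"?([^"]*)"?\s*$')


def parse_descriptor(text):
    """Return (header dict, list of Extent) parsed from a descriptor's text."""
    header, extents = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _EXTENT_RE.match(line)
        if m:
            extents.append(Extent(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = _KV_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
    return header, extents


def is_split_disk(header, extents):
    """Split disks carry a twoGbMaxExtent* createType or list several extents."""
    return header.get("createType", "").startswith("twoGbMaxExtent") or len(extents) > 1


def check_extents(extents, base_dir):
    """List extent files missing next to the descriptor and the size (512-byte
    sectors) the merged single-file disk should end up with."""
    missing = [e.filename for e in extents
               if not os.path.isfile(os.path.join(base_dir, e.filename))]
    total_sectors = sum(e.sectors for e in extents)
    return {"missing": missing, "total_sectors": total_sectors,
            "total_bytes": total_sectors * 512}


def merge_command(descriptor_path, output_path):
    """The command from the post as an argv list (-t 0 = single growable disk)."""
    return ["vmware-vdiskmanager.exe", "-r", descriptor_path, "-t", "0", output_path]


if __name__ == "__main__":
    hdr, exts = parse_descriptor(SAMPLE_DESCRIPTOR)
    print("split disk:", is_split_disk(hdr, exts))
    for e in exts:
        print(f"  {e.filename}: {e.sectors} sectors")
    print(check_extents(exts, "."))
    print(" ".join(merge_command("evidence.vmdk", "evidence-single.vmdk")))
```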
Thanks to KP for spurring this topic.
-4n6k
References
1. Mahmoud Thoughts - Merge 2GB VMDK files to one single VMDK file
Wednesday, September 28, 2011
Thursday, September 15, 2011
Jump List Forensics: AppIDs Part 2
----------------------------------
[UPDATE #01 03/15/2016]: A new AppID Master List has been created. See this post for more information.
----------------------------------
- Internet Browsers
- Image/Document Viewers
- Media Players
- Utilities
- File Sharing/P2P
- FTP
- IRC
- IM/Communications
- Usenet Newsreaders
- System Cleaners
[Image: Jump List for CCleaner]
Recap
- Jump Lists provide artifacts regarding Most Recently Used (MRU) and/or Most Frequently Used (MFU) files/tasks/URLs for applications
- AppIDs are calculated by Windows unless the application developer provides a custom AppID
- Location from whence an executable was run matters in calculating the AppID (but don't disregard portable apps!)
- Jump List artifacts for an application stay on the machine after said application is uninstalled
- Per Harlan's post, MiTeC's SSViewer and Mark Woan's JumpLister can parse autoDest files
- Jump Lists look like this, this, this, and this.
Jump List AppIDs
All applications are 32-bit. Tested on Windows 7 Professional SP1.
Note: Several versions of the same application were tested in many cases; just because it's the same application doesn't mean it will have the same AppID.
File Sharing/P2P
AppID | Application |
e0f7a40340179171 | imule 1.4.5 (rev. 749) |
installs to .exe loc | AirDC++ 2.10 |
76f6f1bd18c19698 | aMule 2.2.6 |
cb5250eaef7e3213 | ApexDC++ 1.4.3.957 |
bfc1d76f16fa778f | Ares (Galaxy) 1.8.4 / 1.9.8 / 2.1.0 / 2.1.7.3041 |
(portable) | Azureus 0.9.0 (portable) |
accca100973ef8dc | Azureus 2.0.8.4 |
ccb36ff8a8c03b4b | Azureus 2.5.0.4 / Vuze 3.0.5.0 |
558c5bd9f906860a | BearShare Lite 5.2.5.1 |
e1d47cb031dafb9f | BearShare 6.0.0.22717 / 8.1.0.70928 / 10.0.0.112380 |
(portable) | BitComet 0.39 (portable) |
a31ec95fdd5f350f | BitComet 0.49 / 0.59 / 0.69 / 0.79 / 0.89 / 0.99 / 1.07 / 1.28 |
bcd7ba75303acbcf | BitLord 1.1 |
1434d6d62d64857d | BitLord 1.2.0-66 |
e73d9f534ed5618a | BitSpirit 1.2.0.228 / 2.0 / 2.6.3.168 / 2.7.2.239 / 2.8.0.072 / 3.1.0.077 / 3.6.0.550 |
c9374251edb4c1a8 | BitTornado T-0.3.17 |
2d61cccb4338dfc8 | BitTorrent 5.0.0 / 6.0.0 / 7.2.1 (Build 25548) |
ba3a45f7fd2583e1 | Blubster 3.1.1 |
4a7e4f6a181d3d08 | broolzShare |
f001ea668c0aa916 | Cabos 0.8.2 |
(portable) | CzDC 0.699 (portable) |
(portable) | Datawire 1.3 (portable) |
(portable) | DC++ 0.181 (portable) |
560d789a6a42ad5a | DC++ 0.261 / 0.698 / 0.782 (r2402.1) |
4aa2a5710da3efe0 | DCSharpHub 2.0.0 |
2db8e25112ab4453 | Deluge 1.3.3 |
5b186fc4a0b40504 | Dtella 1.2.5 (Purdue network only) |
2437d4d14b056114 | EiskaltDC++ 2.2.3 |
b3016b8da2077262 | eMule 0.50a |
cbbe886eca4bfc2d | ExoSee 1.0.0 |
9ad1ec169bf2da7f | FlylinkDC++ r405 (Build 7358) |
4dd48f858b1a6ba7 | Free Download Manager 3.0 (Build 852) |
(portable) | Freenet (default install dir is C:\Users\$user\...) |
(portable) | Frost 2011-03-05 (portable) |
f214ca2dd40c59c1 | FrostWire 4.20.9 |
73ce3745a843c0a4 | FrostWire 5.1.4 |
98b0ef1c84088 | fulDC 6.78 |
e6ea77a1d4553872 | Gnucleus 1.8.6.0 |
ed49e1e6ccdba2f5 | GNUnet 0.8.1a |
cc4b36fbfb69a757 | gtk-gnutella 0.97 |
a746f9625f7695e8 | HeXHub 5.07 |
223bf0f360c6fea5 | I2P 0.8.8 (restartable) |
2ff9dc8fb7e11f39 | I2P 0.8.8 (no window) |
???????????????? | [i2p] i2phex 3.2.0.103.0 |
f1a4c04eebef2906 | [i2p] Robert 0.0.29 Preferences |
???????????????? | [i2p] Rufus 0.0.4 |
c8e4c10e5460b00c | iMesh 6.5.0.16898 |
f61b65550a84027e | iMesh 11.0.0.112351 |
d460280b17628695 | Java Binary |
(portable) | Jucy DC 0.85.0.201008281346 (portable) |
784182360de0c5b6 | Kazaa Lite 1.7.1 |
a75b276f6e72cf2a | Kazaa Lite Tools K++ 2.7.0 |
ba132e702c0147ef | KCeasy 0.19-rc1 |
a8df13a46d66f6b5 | Kommute (Calypso) 0.24 |
(portable) | LamaHub 0.0.5.5 (portable) |
c5ef839d8d1c76f4 | LimeWire 5.2.13 |
977a5d147aa093f4 | Lphant 3.51 |
96252daff039437a | Lphant 7.0.0.112351 |
e76a4ef13fbf2bb1 | Manolito 3.1.1 |
99c15cf3e6d52b61 | mldonkey 3.1.0 |
ff224628f0e8103c | Morpheus 3.0.3.6 |
(portable) | MUTE File Sharing 0.5.1 (portable) |
See Java Binary | Nodezilla Agent 0.5.15 - built in Java |
(portable) | Perfect Dark 0.883 / 0.940 / 1.06 / 1.07 (all portable) |
See Java Binary | Phex 3.4.2 (Build 116) - built in Java |
792699a1373f1386 | Piolet 3.1.1 |
ca1eb46544793057 | RetroShare 0.5.2a (Build 4550) |
3cf13d83b0bd3867 | RevConnect 0.674p (based on DC++) |
(portable) | PtokaX DC Hub 0.4.1.2 (portable) |
(portable) | RSX++ 1.21 (portable) |
5e01ecaf82f7d8e | Scour Exchange 0.0.0.228 |
(portable) | StrongDC++ 2.42 (portable) |
(portable) | TkDC++ 1.3 (portable) |
5d7b4175afdcc260 | Shareaza 2.0.0.0 |
b48ce76eda60b97 | Shareaza 8.0.0.112300 |
23f08dab0f6aaf30 | SoMud 1.3.3 |
135df2a440abe9bb | SoulSeek 156c |
ecd21b58c2f65a2f | StealthNet 0.8.7.9 |
5ea2a50c7979fbdc | TrustyFiles 3.1.0.22 |
(portable) | uTorrent 1.1.1-dev (Build 110) / 1.3.0 / 1.5.0 (all portable) |
cd8cafb0fb6afdab | uTorrent 1.7.7 (Build 8179) / 1.8.5 / 2.0 / 2.21 (Build 25113) / 3.0 (Build 25583) |
a75b276f6e72cf2a | WinMX 3.53 |
490c000889535727 | WinMX 4.9.3.0 |
(portable) | Winny 2.0b7.1 - all languages (portable) |
(portable) | xHub 0.2.6.7 (portable) |
(portable) | YnHub 1.036.152 (portable) |
ac3a63b839ac9d3a | Vuze 4.6.0.4 |
FTP
AppID | Application |
d28ee773b2cea9b2 | 3D-FTP 9.0 build 7 |
cd2acd4089508507 | AbsoluteTelnet 9.18 Lite |
e6ef42224b845020 | ALFTP 5.20.0.4 |
9e0b3f677a26bbc4 | BitKinex 3.2.3 |
4cdf7858c6673f4b | Bullet Proof FTP 1.26 |
714b179e552596df | Bullet Proof FTP 2.4.0 (Build 31) |
20ef367747c22564 | Bullet Proof FTP 2010.75.0.75 |
44a50e6c87bc012 | Classic FTP Plus 2.15 |
4fceec8e021ac978 | CoffeeCup Free FTP 3.5.0.0 |
8deb27dfa31c5c2a | CoffeeCup Free FTP 4.4 (Build 1904) |
49b5edbd92d8cd58 | FTP Commander 8.02 |
6a316aa67a46820b | Core FTP LE 1.3c (Build 1437) / 2.2 (Build 1689) |
be4875bb3e0c158f | CrossFTP 1.75a |
c04f69101c131440 | CuteFTP 5.0 (Build 50.6.10.2) |
a79a7ce3c45d781 | CuteFTP 7.1 (Build 06.06.2005.1) |
59e86071b87ac1c3 | CuteFTP 8.3 (Build 8.3.4.0007) |
d8081f151f4bd8a5 | CuteFTP 8.3 Lite (Build 8.3.4.0007) |
3198e37206f28dc7 | CuteFTP 8.3 Professional (Build 8.3.4.0007) |
f82607a219af2999 | Cyberduck 4.1.2 (Build 8999) |
fa7144034d7d083d | Directory Opus 10.0.2.0.4269 (JL tasks supported) |
f91fd0c57c4fe449 | ExpanDrive 2.1.0 |
8f852307189803b8 | Far Manager 2.0.1807 |
226400522157fe8b | FileZilla Server 0.9.39 beta |
a1d19afe5a80f80 | FileZilla 2.2.32 |
e107946bb682ce47 | FileZilla 3.5.1 |
b7cb1d1c1991accf | FlashFXP 4.0.0 (Build 1548) |
8628e76fd9020e81 | Fling File Transfer Plus 2.24 |
27da120d7e75cf1f | pbFTPClient 6.1 |
f64de962764b9b0f | FTPRush 1.1.3 / 2.15 |
10f5a20c21466e85 | FTP Voyager 15.2.0.17 |
7937df3c65790919 | FTP Explorer 10.5.19 (Build 001) |
9560577fd87cf573 | LeechFTP 1.3 (Build 207) |
fc999f29bc5c3560 | Robo-FTP 3.7.9 |
c99ddde925d26df3 | Robo-FTP 3.7.9 CronMaker |
4b632cf2ceceac35 | Robo-FTP Server 3.2.5 |
3a5148bf2288a434 | Secure FTP 2.6.1 (Build 20101209.1254) |
435a2f986b404eb7 | SmartFTP 4.0.1214.0 |
explorer integrated | Swish |
e42a8e0f4d9b8dcf | Sysax FTP Automation 5.15 |
b8c13a5dd8c455a2 | Titan FTP Server 8.40 (Build 1338) |
7904145af324576e | Total Commander 7.56a (Build 16.12.2010) |
79370f660ab51725 | UploadFTP 2.0.1.0 |
6a8b377d0f5cb666 | WinSCP 2.3.0 (Build 146) |
9a3bdae86d5576ee | WinSCP 3.2.1 (Build 174) / 3.8.0 (Build 312) |
6bb54d82fa42128d | WinSCP 4.3.4 (Build 1428) |
b6267f3fcb700b60 | WiseFTP 4.1.0 |
a581b8002a6eb671 | WiseFTP 5.5.9 |
2544ff74641b639d | WiseFTP 6.1.5 |
c54b96f328bdc28d | WiseFTP 7.3.0 |
Web-based | WS_FTP |
IM/Communications
AppID | Application |
b3965c840bf28ef4 | AIM 4.8.2616 |
1b29f0dc90366bb | AIM 5.9.3857 |
27ececd8d89b6767 | AIM 6.2.14.2 / 6.5.3.12 / 6.9.17.2 |
6f647f9488d7a | AIM 7.5.11.9 (custom AppID + JL support) |
ca942805559495e9 | aMSN 0.98.4 |
c6f7b5bf1b9675e4 | BitWise IM 1.7.3a |
fb1f39d1f230480a | Bopup Messenger 5.6.2.9178 (all languages: en;du;fr;ger;rus;es) |
dc64de6c91c18300 | Brosix Communicator 3.1.3 (Build 110719 nid 1) |
f09b920bfb781142 | Camfrog 4.0.47 / 5.5.0 / 6.1 (build 146) (JL support) |
ebd8c95d87f25154 | Carrier 2.5.5 |
(portable) | Coccinella Messenger 0.96.20 (portable) |
30d23723bdd5d908 | Digsby (Build 30140) (JL support) |
728008617bc3e34b | eM Client 3.0.10206.0 |
689319b6547cda85 | emesene 2.11.7 |
454ef7dca3bb16b2 | Exodus 0.10.0.0 |
cca6383a507bac64 | Gadu-Gadu 10.5.2.13164 |
4278d3dc044fc88a | Gaim 1.5.0 |
777483d3cdac1727 | Gajim 0.14.4 |
6aa18a60024620ae | GCN 2.9.1 |
3f2cd46691bbee90 | GOIM 1.1.0 |
73c6a317412687c2 | Google Talk 1.0.0.104 |
b0236d03c0627ac4 | ICQ 5.1 / ICQLite Build 1068 |
a5db18f617e28a51 | ICQ 6.5 (Build 2024) |
2417caa1f2a881d4 | ICQ 7.6 (Build 5617) |
recognized VM | inSpeak 7.2.0.540 |
989d7545c2b2e7b2 | IMVU 465.8.0.0 |
a3e0d98f5653b539 | Instantbird 1.0 (20110623121653) (JL support) |
bcc705f705d8132b | Instan-t 5.2 (Build 2824) |
6059df4b02360af | Kadu 0.10.0 / 0.6.5.5 |
c312e260e424ae76 | Mail.Ru Agent 5.8 (JL support) |
22cefa022402327d | Meca Messenger 5.3.0.52 |
(portable) | Mercury Messenger (portable) |
86b804f7a28a3c17 | Miranda IM 0.6.8 / 0.7.6 / 0.8.27 / 0.9.9 / 0.9.29 (ANSI + Unicode) |
b868d9201b866d96 | Microsoft Lync 4.0.7577.0 |
8c816c711d66a6b5 | MSN Messenger 6.2.0137 / 7.0.0820 |
(portable) | MSNPSharp (portable) |
2d1658d5dc3cbe2d | MySpaceIM 1.0.823.0 Beta |
bf9ae1f46bd9c491 | Nimbuzz 2.0.0 (rev 6266) |
fb7ca8059b8f2123 | ooVoo 3.0.7.21 |
efb08d4e11e21ece | Paltalk Messenger 10.0 (Build 409) |
4f24a7b84a7de5a6 | Palringo 2.6.3 (r45983) |
e93dbdcede8623f2 | Pandion 2.6.106 |
aedd2de3901a77f4 | Pidgin 2.0.0 / 2.10.0 / 2.7.3 |
c5236fd5824c9545 | PLAYXPERT 1.0.140.2822 |
dee18f19c7e3a2ec | PopNote 5.21 |
1a60b1067913516a | Psi 0.14 |
e0532b20aa26a0c9 | QQ International 1.1 (2042) |
3c0022d9de573095 | QuteCom 2.2 |
93b18adf1d948fa3 | qutIM 0.2 |
e0246018261a9ccc | qutIM 0.2.80.0 |
2aa756186e21b320 | RealTimeQuery 3.2 |
521a29e5d22c13b4 | Skype 1.4.0.84 / 2.5.0.154 / 3.8.0.139 / 4.2.0.187 / Skype 5.3.0.120 / 5.5.0.115 / 5.5.32.117 |
70b52cf73249257 | Sococo 1.5.0.2274 |
d41746b133d17456 | Tkabber 0.11.1 |
c8aa3eaee3d4343d | Trillian 0.74 / 3.1 / 4.2.0.25 / 5.0.0.35 (JL support) |
d7d647c92cd5d1e6 | uTalk 2.6.4 r47692 |
36c36598b08891bf | Vovox 2.5.3.4250 |
884fd37e05659f3a | VZOchat 6.3.5 |
3461e4d1eb393c9c | WTW 0.8.18.2852 / 0.8.19.2940 |
f2cb1c38ab948f58 | X-Chat 1.8.10 / 2.6.9 / 2.8.9 |
4e0ac37db19cba15 | Xfire 1.138 (Build 44507) |
da7e8de5b8273a0f | Yahoo Messenger 5.0.0.1226 / 6.0.0.1922 |
62dba7fb39bb0adc | Yahoo Messenger 7.5.0.647 / 8.1.0.421 / 9.0.0.2162 / 10.0.0.1270 |
fb230a9fe81e71a8 | Yahoo Messenger 11.0.0.2014-us |
b06a975b62567622 | Windows Live Messenger 8.5.1235.0517 BETA |
bd249197a6faeff2 | Windows Live Messenger 2011 |
IRC
AppID | Application |
b223c3ffbc0a7a42 | Bersirc 2.2.14 |
c01d68e40226892b | ClicksAndWhistles 2.7.146 |
ac8920ed05001800 | DMDirc 0.6.5 (Profile store: C:\Users\$user\AppData\Roaming\DMDirc\) |
d3530c5294441522 | HydraIRC 0.3.165 |
8904a5fd2d98b546 | IceChat 7.70 20101031 |
6b3a5ce7ad4af9e4 | IceChat 9 RC2 |
fa496fe13dd62edf | KVIrc 3.4.2.1 / 4.0.4 |
65f7dd884b016ab2 | LimeChat 2.39 |
19ccee0274976da8 | mIRC 4.72 / 5.61 |
ae069d21df1c57df | mIRC 6.35 / 7.19 |
e30bbea3e1642660 | Neebly 1.0.4 |
54c803dfc87b52ba | Nettalk 6.7.12 |
dd658a07478b46c2 | PIRCH98 1.0.1.1190 |
(portable) | Quassel IRC 0.7.1 (portable) |
6fee01bd55a634fe | Smuxi 0.8.0.0 |
2a5a615382a84729 | X-Chat 2 2.8.6-2 |
Usenet Newsreaders
AppID | Application |
ace8715529916d31 | 40tude Dialog 2.0.15.1 (Beta 38) |
cc76755e0f925ce6 | AllPicturez 1.2 |
36f6bc3efe1d99e0 | Alt.Binz 0.25.0 (Build 27.09.2007) |
d53b52fb65bde78c | Android Newsgroup Downloader 6.2 |
c845f3a6022d647c | Another File 2.03 (Build 2/7/2004) |
780732558f827a42 | AutoPix 5.3.3 |
baea31eacd87186b | BinaryBoy 1.97 (Build 55) |
eab25958dbddbaa4 | Binary News Reaper 2 (Beta 0.14.7.448) |
bf483b423ebbd327 | Binary Vortex 5.0 |
36801066f71b73c5 | Binbot 2.0 |
13eb0e5d9a49eaef | Binjet 3.0.2 |
8172865a9d5185cb | Binreader 1.0 (Beta 1) |
6224453d9701a612 | BinTube 3.7.1.0 (requires VLC 10.5!) |
cf6379a9a987366e | Digibin 1.31 |
43886ba3395acdcc | Easy Post 3.0 |
cfab0ec14b6f953 | Express NewsPictures 2.41 (Build 08.05.07.0) |
7526de4a8b5914d9 | Forte Agent 6.00 (Build 32.1186) |
c02baf50d02056fc | FotoVac 1.0 |
3ed70ef3495535f7 | Gravity 3.0.4 |
86781fe8437db23e | Messenger Pro 2.66.6.3353 |
f920768fe275f7f4 | Grabit 1.5.3 Beta (Build 909) / 1.6.2 (Build 940) / 1.7.2 Beta 4 (Build 997) |
9f03ae476ad461fa | GroupsAloud 1.0 |
d0261ed6e16b200b | News File Grabber 4.6.0.4 |
8211531a7918b389 | Newsbin Pro 6.00 (Build 1019) (JL support) |
d1fc019238236806 | Newsgroup Commander Pro 9.05 |
186b5ccada1d986b | NewsGrabber 3.0.36 |
4d72cfa1d0a67418 | Newsgroup Image Collector |
92f1d5db021cd876 | NewsLeecher 4.0 / 5.0 Beta 6 |
d7666c416cba240c | NewsMan Pro 3.0.5.2 |
7b2b4f995b54387d | News Reactor 20100224.16 |
cb984e3bc7faf234 | NewsRover 17.0 (Rev.0) |
c98ab5ccf25dda79 | NewsShark 2.0 |
dba909a61476ccec | NewsWolf 1.41 |
2b164f512891ae37 | NewsWolf NSListGen |
cb1d97aca3fb7e6b | Newz Crawler 1.9.0 (Build 4100) |
3be7b307dfccb58f | NiouzeFire 0.8.7.0 |
de76415e0060ce13 | Noworyta News Reader 2.9 |
cd40ead0b1eb15ab | NNTPGrab 0.6.2 |
d5c02fc7afbb3fd4 | NNTPGrab 0.6.2 Server |
a4def57ee99d77e9 | Nomad News 1.43 |
3f97341a65bac63a | Ozum 6.07 (Build 6070) |
bfe841f4d35c92b1 | QuadSucker/News 5.0 |
Web-based | sabnzbd 0.6.8 |
d3c5cf21e86b28af | SeaMonkey 2.3.3 |
7a7c60efd66817a2 | Spotnet 1.7.4 |
eb3300e672136bc7 | Stream Reactor 1.0 Beta 9 (uses VLC!) |
3168cc975b354a01 | Slypheed 3.1.2 (Build 1120) |
776beb1fcfc6dfa5 | Thunderbird 1.0.6 (20050716) / 3.0.2 |
3d877ec11607fe4 | Thunderbird 6.0.2 |
7192f2de78fd9e96 | TIFNY 5.0.3 |
9dacebaa9ac8ca4e | TLNews Newsreader 2.2.0 (Build 2430) |
7fd04185af357bd5 | UltraLeeacher 1.7.0.2969 / 1.8 Beta (Build 3490) |
aa11f575087b3bdc | Unzbin 2.6.8 |
pay only | Usenet Explorer 3.3 (pay) |
d7db75db9cdd7c5d | Xnews 5.04.25 |
System Cleaners
AppID | Application |
ed7a5cc3cca8d52a | CCleaner 1.32.345 / 1.41.544 / 2.36.1233 / 3.10.1525 |
eb7e629258d326a1 | WindowWasher 6.6.1.18 |
Caveats/Discoveries
Portable Applications
Throughout my testing, there were quite a few cases in which an AppID couldn't be identified on account of the application in question being "portable." Of course, what I mean by this is that the application was not bundled through an installer; instead, all of the configuration files/libraries were contained within a compressed archive upon download. It should be made clear that this is by no means a reason to disregard these applications. Just because an application is portable doesn't rule out the potential of finding and tracing its Jump List files. The fact that you know the application is portable is a step in the right direction. And as I mentioned in Part 1, there are solutions for the portable application "problem."
On that note, if you discover an AppID that is not found within these lists or the ForensicsWiki list, be sure to parse the autoDest files instead of tossing it aside and deeming it insignificant. I say this because, as lengthy as these lists are getting, they are still far from complete. There's a lot of information out there on parsing and analyzing the Jump List files themselves, so finding out which application an evidence AppID belongs to -- without an AppID reference list -- is most certainly possible.
Multiple Version Testing
I noted this before, but there were many instances in which multiple versions of the same application were tested and documented. The reason for this was that some applications -- especially long-running and prevalent ones -- experience huge changes throughout their development cycles. A version jump could make a huge difference in how the application runs or is built. With that said, a version jump might cause an AppID alteration. If you look through the list, the evidence for this is pretty clear; different versions yield different AppIDs. This isn't always the case, but it does happen on occasion. I made sure to test as many versions of the applications as I could to see whether or not version changes affected the AppID. The results varied; some changed with every version jump (e.g. WiseFTP) while others stayed consistent throughout every release (e.g. BitSpirit).
AppID Length
Speaking of AppID analysis, I noticed that not all AppIDs share the same character length. For example, Skype yielded a 16-character AppID (521a29e5d22c13b4) while Paint 6.1 SP1 and Shareaza 8 yielded 15-character AppIDs (b3f13480c2785ae and b48ce76eda60b97, respectively). There were even a few that were 13 characters in length, believe it or not (AIM 7.5.11.9 - 6f647f9488d7a and fulDC 6.78 - 98b0ef1c84088). The reason I'm mentioning this is that I remembered reading somewhere that the AppID was always 16 characters in length. It turns out that this was written in Alex Barnett's "Forensic Value of Windows 7 Jump Lists." It states:
"Jump List file names, while appearing to be a random string of characters, always follow the format 16 characters dot automaticDestinations-ms or customDestinations-ms..."
This is inaccurate, as shown by the many < 16-character AppIDs in the above lists. While the majority of AppIDs are 16 characters in length, not all of them are. Don't get me wrong, though -- Alex's writeup is phenomenal and well worth a focused read. It was one of the pioneer articles about Jump List forensics and details how one can discover whether or not illegal images were uploaded or downloaded based on Jump List artifacts. Be sure to check it out; the above quote is the only thing that even came close to bothering me about the writeup.
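An added triage helper (not code from the original post) that applies two caveats from this section: it matches Jump List file names whose AppID is 13 to 16 characters long instead of assuming exactly 16, and it hands back unidentified AppIDs for manual parsing of the autoDest contents rather than dropping them. The KNOWN_APPIDS subset is copied from the tables on this page; the directory listing is constructed (e23869c0afb61102 is the non-default-path Opera AppID from Part 1).

```python
import re

# Subset of the reference tables above, used as the lookup; extend it with the
# rest of the list (or the ForensicsWiki list) in real use.
KNOWN_APPIDS = {
    "521a29e5d22c13b4": "Skype 1.4.0.84 - 5.5.32.117",
    "b48ce76eda60b97": "Shareaza 8.0.0.112300",   # 15 characters
    "6f647f9488d7a": "AIM 7.5.11.9",               # 13 characters
    "98b0ef1c84088": "fulDC 6.78",                 # 13 characters
    "ed7a5cc3cca8d52a": "CCleaner 1.32 - 3.10",
    "cd8cafb0fb6afdab": "uTorrent 1.7.7 - 3.0",
    "16ec093b8f51508f": "Opera 8.54 / 9.64 / 11.50 (default install path)",
}

# Most AppIDs are 16 hex characters, but the tables show 13- and 15-character
# ones, so accept 1-16 characters. NTFS names are case-insensitive.
JUMPLIST_RE = re.compile(
    r"^(?P<appid>[0-9a-f]{1,16})\.(?P<kind>automaticDestinations|customDestinations)-ms$",
    re.IGNORECASE)
# The pattern a "must be 16 characters" rule would use; kept to show what it misses.
STRICT_RE = re.compile(r"^[0-9a-f]{16}\.(automaticDestinations|customDestinations)-ms$",
                       re.IGNORECASE)


def parse_jumplist_name(filename):
    """Return (appid, kind) for a Jump List file name, or None if it isn't one."""
    m = JUMPLIST_RE.match(filename)
    if not m:
        return None
    return m.group("appid").lower(), m.group("kind")


def strict_misses(filenames):
    """Jump List files that a 16-characters-only pattern would skip entirely."""
    return [n for n in filenames
            if parse_jumplist_name(n) is not None and not STRICT_RE.match(n)]


def triage(filenames, known=KNOWN_APPIDS):
    """Split a Recent\\*Destinations listing into identified and unidentified AppIDs.

    Unidentified AppIDs are not noise: they may belong to a portable app, a
    non-default install path or a version not in the list yet, so they are
    returned (sorted) for manual parsing of the *Destinations-ms files."""
    identified, unidentified = {}, set()
    for name in filenames:
        parsed = parse_jumplist_name(name)
        if parsed is None:
            continue            # desktop.ini and friends
        appid, _kind = parsed
        if appid in known:
            entry = identified.setdefault(appid, {"app": known[appid], "files": []})
            entry["files"].append(name)
        else:
            unidentified.add(appid)
    return identified, sorted(unidentified)


# Constructed listing of the AutomaticDestinations/CustomDestinations folders.
SAMPLE_LISTING = [
    "521a29e5d22c13b4.automaticDestinations-ms",
    "521a29e5d22c13b4.customDestinations-ms",
    "b48ce76eda60b97.automaticDestinations-ms",
    "6f647f9488d7a.automaticDestinations-ms",
    "e23869c0afb61102.automaticDestinations-ms",
    "desktop.ini",
]

if __name__ == "__main__":
    found, unknown = triage(SAMPLE_LISTING)
    for appid, entry in found.items():
        print(f"{appid:>16}  {entry['app']}  ({len(entry['files'])} file(s))")
    print("unidentified, parse manually:", unknown)
    print("missed by a strict 16-char rule:", strict_misses(SAMPLE_LISTING))
```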
Another thing I noticed throughout my testing was that it was common for IM clients and media players to pop up a little "available status" or music playback bar upon hovering over the taskbar icon. As far as I could tell, there was no Jump List file activity upon performing this action, but it's good to note based on the fact that almost every application that had this feature also had full Jump List support (showed MRUs/MFUs/Tasks).
Reverse Engineering IM Protocols
Finally, the last discovery was IMfreedom.org. I actually stumbled upon it by accident in my quest to find more IM clients. A wiki for reverse engineering IM protocols is hosted there; it is tremendously detailed. Neat stuff.
Conclusion
There was some interesting discussion about what should be the main goal for future Jump List forensics. Jamie L suggested that the algorithm behind the Windows AppID calculation should be defined -- something with which I completely agree. Being able to calculate an AppID on the fly based on known conditions would make things a whole lot easier and much more efficient. It's just a matter of getting to that point and being able to make use of the process by which it's done.
UPDATE 4/30/13: If you haven't looked at @Hexacorn's blog post on AppID and Jumplist filename calculation, be sure to look at it. It sheds light on the way AppIDs are calculated.
It's been great to see so much activity regarding Jump List forensics recently. But as with many other pieces of forensic goodness, it could use some more research. Whether it's analyzing the AppID calculation algorithm or adding to the growing AppID reference list, any development is much appreciated. There will always be new software releases, so that list is bound to grow. The key point to take away from this, however, is that with more software comes more avenues for forensic analysis -- not only in terms of Jump Lists, but in general. There will never be a shortage of applications to analyze. I think Kazaa said it best, and I'm sure digital forensics analysts worldwide are excited to acknowledge this fact. I know I am.
-4n6k
References
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs
8. IMfreedom.org -- Reverse Engineered IM protocol wiki
Wednesday, September 7, 2011
Jump List Forensics: AppIDs Part 1
Well, I felt it was about time to get a blog up and running. Everything I've learned on the subject of digital forensics has been a direct result of reading forensics books, blogs, and list-serv responses written by people like Ken Pryor, Harlan Carvey, Eoghan Casey, Lee Whitfield, Brad Garnett, David Kovar, Andrew Case, Rob Lee, Dave Hull, Dan O'Day, Shafik Punja, Frank McClain, Cory Altheide, Joe Garcia, Hal Pomeranz, *deep breath* Troy Larson, Andrew Hoog, Eric Huber, Luby Novitovic, Michael Hale Ligh, Alex Bond, Jimmy Weg, Corey Harrell, Dan Farmer, Larry E. Daniel, Jamie Levy, Tom Yarrish, Andreas Schuster, Loc Nguyen, and many more (I know I've forgotten some; I apologize in advance). So I just wanted to start off with a quick 'thank you,' as you've all driven me to this point. Your work is very much appreciated.
----------------------------------
[UPDATE #01 03/15/2016]: A new AppID Master List has been created. See this post for more information.
----------------------------------
Before I get into the bulk of this post, I'd like to divert your attention to Harlan Carvey's research on Jump List Analysis [part 1] [part 2]. Much of what I'll be covering here is detailed within these posts, so make sure you take a look at them. I just don't want to repeat what's already been said; Harlan does a great job of explaining the concepts. You can also check out the list of references at the bottom of this post to get your Jump List and AppID info fix.
Jump List Summary
Just to preface the AppID findings, I'll shed some light on what a Jump List actually is. Remember, check out Harlan's posts and the references section for more detail.
The Jump List is essentially a new feature of the Windows 7 taskbar that allows quick access to recently viewed/opened/played or most frequently viewed/opened/played files. It also allows quick access to common tasks within each application. Each application has a little square of its own in the taskbar. When the application performs certain actions (opening a file, right-clicking the application taskbar square, etc.), two types of files are created:
- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)
Note: these directories are hidden. You have to type the full path into the address bar to see their contents.
The '*' in the above examples is where the Application ID (AppID) is represented. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application's AppID can help identify any given application when user activity is of great importance in an investigation.
Caveats
There are a few things to consider when analyzing Jump Lists.
Throughout my testing, I noticed that installing an application to a non-default location results in an AppID change. That is, if the application's developers did not provide a custom, static AppID and the installation directory is different from its default location, the AppID will be different from what is listed above. This clearly indicates that the AppID is calculated using the path from which the application is run (amongst other conditions). For example, when I installed the Opera browser into C:\Program Files\Opera, its AppID was calculated as 16ec093b8f51508f. When I installed it in C:\Program Files\Opera2, its AppID was calculated as e23869c0afb61102. We already knew that the path from which the program is run was a factor in how the AppID was calculated, but it's an important aspect to reiterate. This means that portable applications will rarely have a definitive AppID unless they are being run from the same drive letter and path as they were when initially executed. While this is unfortunate, there are solutions. For example, we can take a look at .lnk artifacts created upon the file's opening to find the drive letter and path to the file/application in question. Another place to look would be the prefetch files, in order to find more information on the portable application (beyond the scope of this post).
The great thing about having a quasi-though-not-nearly-comprehensive list of AppIDs is that you could potentially find exactly which version of an application was running. For example, say we have a portable image viewer (STDU, for instance). If we run it from a USB flash drive, it will generate an AppID based on the file's path (among other things). We can take a look around the system to find other artifacts and place them all in a timeline. We analyze the timeline to find when the flash drive was inserted and used, analyze the timeline items around that time, determine the name and path of the application, download different versions of that application, run each version from the location we just discovered, and compare the AppID to the initial evidence AppID. I have tested this and confirmed that this is indeed possible. While this is a very roundabout way of finding out the application version, it's still a viable option -- not ideal, but viable.
UPDATE 4/30/13: If you haven't looked at @Hexacorn's blog post on AppID and Jumplist filename calculation, be sure to look at it. It sheds light on the way AppIDs are calculated.
Further Research
There will most definitely be a followup post to this one. I've focused upon browsers, utilities, image viewers, and media players thus far. I'll be focusing more on file-sharing, communications, and file-transfer clients in the next installment. Of course, some of that software doesn't utilize Jump Lists as much as the software listed in this post (recent files for an IRC client? I don't think so...), but it's still important to know how to identify them and their artifacts, as jump lists are created simply as a result of a right click of the taskbar.
Please leave some feedback on this post if you've got the time. I would love to see some people correct me on some things; I won't bite, I swear! In any case, thanks for reading and keep an eye out for Part 2.
-4n6k
References
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs
[Image: Windows Media Player's Jump List. Right-clicking the icon displays this.]
Forensic Value (or Why It's Important)
Alright, so we have the Jump List file and its contents. Now what? Why is this important? Well, you can use them to find the following:
- Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) files opened by the user/application
- Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) tasks used by the user/application and subsequently how the application was used
- Lists of most recently or frequently accessed website URLs (browser Jump Lists)
- If an application was installed or used/run (AutoDest Jump List files stay intact after application uninstall - tested with VLC 1.1.11)
- If a user distributed (uploaded) or only acquired (downloaded) illegal images [3]
The forensic research on Jump Lists has been greatly undeveloped until recently. Luckily, we've seen some activity and tools created to parse Jump Lists, as they are some of the most valuable resources in analyzing user activity.
Jump List AppIDs
All applications are 32-bit. Tested on Windows 7 Professional SP1.
Note: Several versions of the same application were tested in many cases; just because it's the same application doesn't mean it will have the same AppID.
Internet Browsers
AppID | Application |
5d696d521de238c3 | Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215 |
cfb56c56fa0f0a54 | Mozilla 0.9.9 |
5c450709f7ae4396 | Firefox 1.0 / 2.0 / 3.0 |
5df4765359170e26 | Firefox 4.0.1 |
1eb796d87c32eff9 | Firefox 5.0 |
1461132e553e2e6c | Firefox 6.0 |
28c8b86deab549a1 | Internet Explorer 8 / 9 |
16ec093b8f51508f | Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074 |
8a1c1c7c389a5320 | Safari 3.2.3 (525.29) |
1da3c90a72bf5527 | Safari 4.0.5 (531.22.7) / 5.1 (7534.50) |
Utilities
AppID | Application |
3dc02b55e44d6697 | 7-Zip 3.13 / 4.20 |
4975d6798a8bdf66 | 7-Zip 4.65 / 9.20 |
4b6925efc53a3c08 | BCWipe 5.02.2 Task Manager 3.02.3 |
337ed59af273c758 | Sticky Notes |
290532160612e071 | WinRAR 2.90 / 3.60 / 4.01 |
c9950c443027c765 | WinZip 9.0 SR-1 (6224) / 10.0 (6667) |
b74736c2bd8cc8a5 | WinZip 15.5 (9468) |
bc0c37e84e063727 | Windows Command Processor - cmd.exe (32-bit) |
Image/Document Viewers
AppID | Application |
f0468ce1ae57883d | Adobe Reader 7.1.0 |
c2d349a0e756411b | Adobe Reader 8.1.2 |
23646679aaccfae0 | Adobe Acrobat 9.4.0 |
ee462c3b81abb6f6 | Adobe Reader X 10.1.0 |
386a2f6aa7967f36 | EyeBrowse 2.7 |
e31a6a8a7506f733 | Image AXS Pro 4.1 |
b39c5f226977725d | ACDSee Pro 8.1.99 |
59f56184c796cfd4 | ACDSee Photo Manager 10 (Build 219) |
8bd5c6433ca967e9 | ACDSee Photo Manager 2009 (v11.0 Build 113) |
d838aac097abece7 | ACDSee Photo Manager 12 (Build 344) |
b3f13480c2785ae | Paint 6.1 (build 7601: SP1) |
7cb0735d45243070 | CDisplay 1.8.1.0 |
3594aab44bca414b | Windows Photo Viewer |
3edf100b207e2199 | digiKam 1.7.0 (KDE 4.4.4) |
169b3be0bc43d592 | FastPictureViewer Professional 1.6 (Build 211) |
e9a39dfba105ea23 | FastStone Image Viewer 4.6 |
edc786643819316c | HoneyView3 #5834 |
76689ff502a1fd9e | Imagine Image and Animation Viewer 1.0.7 |
2519133d6d830f7e | IMatch 3.6.0.113 |
1110d9896dceddb3 | imgSeek 0.8.5 |
c634153e7f5fce9c | IrfanView 3.10 / 4.30 |
ea83017cdd24374d | IrfanView Thumbnails |
3917dd550d7df9a8 | Konvertor 4.06 (Build 10) |
2fa14c7753239e4c | Paint.NET 2.72 / 3.5.8.4081.24580 |
d33ecf70f0b74a77 | Picasa 2.2.0 (Build 28.08, 0) |
b17d3d0c9ca7e29 | Picasa 3.8.0 (Build 117.43, 0) |
Embedded in IE | Prizm Viewer |
Depends on location | Scientific and Technical Document Viewer 1.6.2 Portable (STDU) |
c5c24a503b1727df | XnView 1.98.2 Small / 1.98.2 Standard |
497b42680f564128 | Zoner PhotoStudio 13 (Build 7) |
Media Players
AppID | Application |
d22ad6d9d20e6857 | ALLPlayer 4.7 |
7494a606a9eef18e | Crystal Player 1.98 |
1cffbe973a437c74 | DSPlayer 0.889 Lite |
817bb211c92fd254 | GOM Player 2.0.12.3375 / 2.1.28.5039 |
6bc3383cb68a3e37 | iTunes 7.6.0.29 / 8.0.0.35 |
83b03b46dcd30a0e | iTunes 9.0.0.70 / 9.2.1.5 / 10.4.1.10 (begin custom 'Tasks' JL capability) |
fe5e840511621941 | JetAudio 5.1.9.3018 Basic / 6.2.5.8220 Basic / 7.0.0 Basic / 8.0.16.2000 Basic |
a777ad264b54abab | JetVideo 8.0.2.200 Basic |
3c93a049a30e25e6 | J. River Media Center 16.0.149 |
4a49906d074a3ad3 | Media Go 1.8 (Build 121) |
1cf97c38a5881255 | MediaPortal 1.1.3 |
Depends on location | Media Player Classic 6.4.8.9 (is portable) |
Depends on location | Media Player Classic - Home Cinema 1.5.2.3456 (default install is \Users\user\ dir, so dynamic) |
62bff50b969c2575 | Quintessential Media Player 5.0 (Build 121) - also usage stats (times used, tracks played, total time used) |
b50ee40805bd280f | QuickTime Alternative 1.9.5 (Media Player Classic 6.4.9.1) |
ae3f2acd395b622e | QuickTime Player 6.5.1 / 7.0.3 / 7.5.5 (Build 249.13) |
7593af37134fd767 | RealPlayer 6.0.6.99 / 7 / 8 / 10.5 |
37392221756de927 | RealPlayer SP 12 |
f92e607f9de02413 | RealPlayer 14.0.6.666 |
6e9d40a4c63bb562 | Real Player Alternative 1.25 (Media Player Classic 6.4.8.2 / 6.4.9.0) |
c91d08dcfc39a506 | SM Player 0.6.9 r3447 |
e40cb5a291ad1a5b | Songbird 1.9.3 (Build 1959) |
4d8bdacf5265a04f | The KMPlayer 2.9.4.1434 |
4acae695c73a28c7 | VLC 0.3.0 / 0.4.6 |
9fda41b86ddcf1db | VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11 |
e6ee34ac9913c0a9 | VLC 0.6.2 |
cbeb786f0132005d | VLC 0.7.2 |
f674c3a77cfe39d0 | Winamp 2.95 / 5.1 / 5.621 |
90e5e8b21d7e7924 | Winamp 3.0d (Build 488) |
74d7f43c1561fc1e | Windows Media Player 12.0.7601.17514 |
Caveats
There are a few things to consider when analyzing Jump Lists.
Throughout my testing, I noticed that installing an application to a non-default location results in an AppID change. That is, if the application's developers did not provide a custom, static AppID and the installation directory differs from the default, the AppID will differ from what is listed above. This clearly indicates that the AppID is calculated from the path the application is run from (among other conditions). For example, when I installed the Opera browser into C:\Program Files\Opera, its AppID was calculated as 16ec093b8f51508f. When I installed it into C:\Program Files\Opera2, its AppID was calculated as e23869c0afb61102. We already knew that the path the program is run from was a factor in how the AppID is calculated, but it's an important aspect to reiterate. This means that portable applications will rarely have a definitive AppID unless they are run from the same drive letter and path as when they were initially executed. While this is unfortunate, there are solutions. For example, we can look at the .lnk artifacts created when the file was opened to find the drive letter and path of the file/application in question. Another place to look is the prefetch files, which hold more information on the portable application (beyond the scope of this post).
The great thing about having a quasi-though-not-nearly-comprehensive list of AppIDs is that you could potentially find exactly which version of an application was running. For example, say we have a portable image viewer (STDU, for instance). If we run it from a USB flash drive, it will generate an AppID based on the file's path (among other things). We can look around the system for other artifacts and place them all in a timeline. We analyze the timeline to find when the flash drive was inserted and used, analyze the timeline items around that time, determine the name and path of the application, download different versions of that application, run each version from the location we just discovered, and compare each resulting AppID to the AppID from the evidence. I have tested this and confirmed that it is indeed possible. While this is a very roundabout way of finding out the application version, it's still a viable option -- not ideal, but viable.
UPDATE 4/30/13: If you haven't looked at @Hexacorn's blog post on AppID and Jump List filename calculation, be sure to read it. It sheds light on the way AppIDs are calculated.
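To tie the tables above to the caveats about path-dependent AppIDs, here is an added Python example (my own code, not 4n6k's or any tool the post mentions). It does two things: it names the application behind a Jump List file by looking its AppID up in a subset of the post's tables, and it computes a candidate AppID for an executable path so that the "run each version from the discovered location and compare" procedure can be checked without re-running the binary. Everything outside the table values is an assumption: the Jump List directory layout and the <AppID>.automaticDestinations-ms / <AppID>.customDestinations-ms naming, the CRC64 parameters (which follow Hexacorn's published research and have not been verified here against the table), and the guess that the two 15-character IDs in the tables simply lost a leading zero.

```python
"""Added example (not the post's code): identify Jump List AppIDs against
the post's table and compute a path-based AppID for a candidate executable.

Assumptions not stated on the page:
  * Jump List files sit under %APPDATA%\\Microsoft\\Windows\\Recent in the
    AutomaticDestinations and CustomDestinations folders, named
    <AppID>.automaticDestinations-ms / <AppID>.customDestinations-ms.
  * Path-based AppIDs are CRC64 (poly 0x92C64265D32139A4, initial value
    all ones, no final XOR, MSB-first) over the upper-cased executable
    path encoded as UTF-16LE, per Hexacorn's research. Unverified here.
  * 15-character IDs in the table are 16-digit values with a leading
    zero dropped, so comparisons strip leading zeros.
"""
import re
from pathlib import Path

# Subset of the static, default-install AppIDs from the post's tables.
KNOWN_APPIDS = {
    "5d696d521de238c3": "Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215",
    "28c8b86deab549a1": "Internet Explorer 8 / 9",
    "16ec093b8f51508f": "Opera 8.54 / 9.64 / 11.50 (C:\\Program Files\\Opera)",
    "e23869c0afb61102": "Opera (installed to C:\\Program Files\\Opera2)",
    "9fda41b86ddcf1db": "VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11",
    "bc0c37e84e063727": "Windows Command Processor - cmd.exe (32-bit)",
}

UNKNOWN = "UNKNOWN (possibly portable app or non-default install path)"

_NAME_RE = re.compile(
    r"^([0-9a-f]{1,16})\.(automatic|custom)Destinations-ms$", re.IGNORECASE)


def parse_jumplist_name(filename):
    """Return (appid, 'automatic'|'custom') for a Jump List file name, else None."""
    m = _NAME_RE.match(filename)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def same_appid(a, b):
    """Compare two AppIDs case-insensitively, ignoring dropped leading zeros."""
    return a.lower().lstrip("0") == b.lower().lstrip("0")


def identify(filename):
    """Map a Jump List file name to (appid, kind, application name).

    IDs absent from the table are flagged so the analyst knows to fall back
    on .lnk and prefetch artifacts, as the post's caveat describes.
    """
    parsed = parse_jumplist_name(filename)
    if parsed is None:
        return None
    appid, kind = parsed
    for known, name in KNOWN_APPIDS.items():
        if same_appid(known, appid):
            return appid, kind, name
    return appid, kind, UNKNOWN


def scan_recent(recent_dir):
    """Identify every Jump List file under a user's Recent directory."""
    results = []
    for sub in ("AutomaticDestinations", "CustomDestinations"):
        folder = Path(recent_dir) / sub
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            hit = identify(entry.name)
            if hit is not None:
                results.append(hit)
    return results


_POLY = 0x92C64265D32139A4
_MASK = 0xFFFFFFFFFFFFFFFF


def crc64_msb(data, init=_MASK):
    """Bitwise MSB-first CRC64 with the assumed AppID parameters."""
    crc = init
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            if crc & (1 << 63):
                crc = ((crc << 1) ^ _POLY) & _MASK
            else:
                crc = (crc << 1) & _MASK
    return crc


def appid_for_path(exe_path):
    """Candidate AppID for an executable run from exe_path (assumed method)."""
    return f"{crc64_msb(exe_path.upper().encode('utf-16-le')):016x}"


if __name__ == "__main__":
    # Constructed sample file names, not taken from a real system.
    for name in ("5d696d521de238c3.automaticDestinations-ms",
                 "b3f13480c2785ae.customDestinations-ms"):
        print(identify(name))
    # Same binary, two install paths: different candidate AppIDs.
    print(appid_for_path(r"C:\Program Files\Opera\opera.exe"))
    print(appid_for_path(r"C:\Program Files\Opera2\opera.exe"))
```

Point scan_recent at a mounted image's %APPDATA%\Microsoft\Windows\Recent copy to get a quick inventory; anything reported as UNKNOWN is where the .lnk and prefetch follow-up from the caveats section starts. Treat appid_for_path as a hypothesis generator only: a match against an evidence AppID is meaningful, a mismatch may just mean the assumed parameters or path form (trailing separators, 8.3 names) are off.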
Further Research
There will most definitely be a follow-up post to this one. I've focused on browsers, utilities, image viewers, and media players thus far. I'll be focusing more on file-sharing, communications, and file-transfer clients in the next installment. Of course, some of that software doesn't utilize Jump Lists as much as the software listed in this post (recent files for an IRC client? I don't think so...), but it's still important to know how to identify them and their artifacts, as Jump Lists are created simply as a result of a right click on the taskbar.
Please leave some feedback on this post if you've got the time. I would love to see some people correct me on some things; I won't bite, I swear! In any case, thanks for reading and keep an eye out for Part 2.
-4n6k
References
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs