----------------------------------
[UPDATE #01 03/15/2016]: A new AppID Master List has been created. See this post for more information.
----------------------------------
Before I get into the bulk of this post, I'd like to divert your attention to Harlan Carvey's research on Jump List Analysis [part 1] [part 2]. Much of what I'll be covering here is detailed within these posts, so make sure you take a look at them. I just don't want to repeat what's already been said; Harlan does a great job of explaining the concepts. You can also check out the list of references at the bottom of this post to get your Jump List and AppID info fix.
Jump List Summary
Just to preface the AppID findings, I'll shed some light on what a Jump List actually is. Remember, check out Harlan's posts and the references section for more detail.
[Figure: Windows Media Player's Jump List. Right-clicking the icon displays this.]
Jump List data lives in two kinds of files, named after the application's AppID:
- *.automaticDestinations-ms files (in %appdata%\Roaming\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Roaming\Microsoft\Windows\Recent\customDestinations)
Note: these directories are hidden. You have to type in the full path in the address bar to see their contents.
The '*' in the above examples is where the Application ID (AppID) is represented. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application's AppID can help identify any given application when user activity is of great importance in an investigation.
Forensic Value (or Why It's Important)
Alright, so we have the Jump List file and its contents. Now what? Why is this important? Well, you can use them to find the following:
- Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) files opened by the user/application
- Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) tasks used by the user/application and subsequently how the application was used
- Lists of most recently or frequently accessed website URLs (browser Jump Lists)
- If an application was installed or used/run (AutoDest Jump List files stay intact after application uninstall - tested with VLC 1.1.11)
- If a user distributed (uploaded) or only acquired (downloaded) illegal images [3]
The forensic research on Jump Lists has been greatly undeveloped until recently. Luckily, we've seen some activity and tools created to parse Jump Lists, as they are some of the most valuable resources in analyzing user activity.
Jump List AppIDs
All applications are 32-bit. Tested on Windows 7 Professional SP1.
Note: Several versions of the same application were tested in many cases; just because it's the same application doesn't mean it will have the same AppID.
Internet Browsers
AppID | Application
5d696d521de238c3 | Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215
cfb56c56fa0f0a54 | Mozilla 0.9.9
5c450709f7ae4396 | Firefox 1.0 / 2.0 / 3.0
5df4765359170e26 | Firefox 4.0.1
1eb796d87c32eff9 | Firefox 5.0
1461132e553e2e6c | Firefox 6.0
28c8b86deab549a1 | Internet Explorer 8 / 9
16ec093b8f51508f | Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074
8a1c1c7c389a5320 | Safari 3.2.3 (525.29)
1da3c90a72bf5527 | Safari 4.0.5 (531.22.7) / 5.1 (7534.50)
Utilities
AppID | Application
3dc02b55e44d6697 | 7-Zip 3.13 / 4.20
4975d6798a8bdf66 | 7-Zip 4.65 / 9.20
4b6925efc53a3c08 | BCWipe 5.02.2 Task Manager 3.02.3
337ed59af273c758 | Sticky Notes
290532160612e071 | WinRAR 2.90 / 3.60 / 4.01
c9950c443027c765 | WinZip 9.0 SR-1 (6224) / 10.0 (6667)
b74736c2bd8cc8a5 | WinZip 15.5 (9468)
bc0c37e84e063727 | Windows Command Processor - cmd.exe (32-bit)
Image/Document Viewers
AppID | Application
f0468ce1ae57883d | Adobe Reader 7.1.0
c2d349a0e756411b | Adobe Reader 8.1.2
23646679aaccfae0 | Adobe Acrobat 9.4.0
ee462c3b81abb6f6 | Adobe Reader X 10.1.0
386a2f6aa7967f36 | EyeBrowse 2.7
e31a6a8a7506f733 | Image AXS Pro 4.1
b39c5f226977725d | ACDSee Pro 8.1.99
59f56184c796cfd4 | ACDSee Photo Manager 10 (Build 219)
8bd5c6433ca967e9 | ACDSee Photo Manager 2009 (v11.0 Build 113)
d838aac097abece7 | ACDSee Photo Manager 12 (Build 344)
b3f13480c2785ae | Paint 6.1 (build 7601: SP1)
7cb0735d45243070 | CDisplay 1.8.1.0
3594aab44bca414b | Windows Photo Viewer
3edf100b207e2199 | digiKam 1.7.0 (KDE 4.4.4)
169b3be0bc43d592 | FastPictureViewer Professional 1.6 (Build 211)
e9a39dfba105ea23 | FastStone Image Viewer 4.6
edc786643819316c | HoneyView3 #5834
76689ff502a1fd9e | Imagine Image and Animation Viewer 1.0.7
2519133d6d830f7e | IMatch 3.6.0.113
1110d9896dceddb3 | imgSeek 0.8.5
c634153e7f5fce9c | IrfanView 3.10 / 4.30
ea83017cdd24374d | IrfanView Thumbnails
3917dd550d7df9a8 | Konvertor 4.06 (Build 10)
2fa14c7753239e4c | Paint.NET 2.72 / 3.5.8.4081.24580
d33ecf70f0b74a77 | Picasa 2.2.0 (Build 28.08, 0)
b17d3d0c9ca7e29 | Picasa 3.8.0 (Build 117.43, 0)
Embedded in IE | Prizm Viewer
Depends on location | Scientific and Technical Document Viewer 1.6.2 Portable (STDU)
c5c24a503b1727df | XnView 1.98.2 Small / 1.98.2 Standard
497b42680f564128 | Zoner PhotoStudio 13 (Build 7)
Media Players
AppID | Application
d22ad6d9d20e6857 | ALLPlayer 4.7
7494a606a9eef18e | Crystal Player 1.98
1cffbe973a437c74 | DSPlayer 0.889 Lite
817bb211c92fd254 | GOM Player 2.0.12.3375 / 2.1.28.5039
6bc3383cb68a3e37 | iTunes 7.6.0.29 / 8.0.0.35
83b03b46dcd30a0e | iTunes 9.0.0.70 / 9.2.1.5 / 10.4.1.10 (begin custom 'Tasks' JL capability)
fe5e840511621941 | JetAudio 5.1.9.3018 Basic / 6.2.5.8220 Basic / 7.0.0 Basic / 8.0.16.2000 Basic
a777ad264b54abab | JetVideo 8.0.2.200 Basic
3c93a049a30e25e6 | J. River Media Center 16.0.149
4a49906d074a3ad3 | Media Go 1.8 (Build 121)
1cf97c38a5881255 | MediaPortal 1.1.3
Depends on location | Media Player Classic 6.4.8.9 (is portable)
Depends on location | Media Player Classic - Home Cinema 1.5.2.3456 (default install is \Users\user\ dir, so dynamic)
62bff50b969c2575 | Quintessential Media Player 5.0 (Build 121) - also usage stats (times used, tracks played, total time used)
b50ee40805bd280f | QuickTime Alternative 1.9.5 (Media Player Classic 6.4.9.1)
ae3f2acd395b622e | QuickTime Player 6.5.1 / 7.0.3 / 7.5.5 (Build 249.13)
7593af37134fd767 | RealPlayer 6.0.6.99 / 7 / 8 / 10.5
37392221756de927 | RealPlayer SP 12
f92e607f9de02413 | RealPlayer 14.0.6.666
6e9d40a4c63bb562 | Real Player Alternative 1.25 (Media Player Classic 6.4.8.2 / 6.4.9.0)
c91d08dcfc39a506 | SM Player 0.6.9 r3447
e40cb5a291ad1a5b | Songbird 1.9.3 (Build 1959)
4d8bdacf5265a04f | The KMPlayer 2.9.4.1434
4acae695c73a28c7 | VLC 0.3.0 / 0.4.6
9fda41b86ddcf1db | VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11
e6ee34ac9913c0a9 | VLC 0.6.2
cbeb786f0132005d | VLC 0.7.2
f674c3a77cfe39d0 | Winamp 2.95 / 5.1 / 5.621
90e5e8b21d7e7924 | Winamp 3.0d (Build 488)
74d7f43c1561fc1e | Windows Media Player 12.0.7601.17514
Caveats
There are a few things to consider when analyzing Jump Lists.
Throughout my testing, I noticed that installing an application to a non-default location results in an AppID change. That is, if the application's developers did not provide a custom, static AppID and the installation directory differs from the default, the AppID will differ from what is listed above. This clearly indicates that the AppID is calculated using the path from which the application is run (amongst other conditions). For example, when I installed the Opera browser into C:\Program Files\Opera, its AppID was calculated as 16ec093b8f51508f. When I installed it in C:\Program Files\Opera2, its AppID was calculated as e23869c0afb61102. We already knew that the path from which the program is run was a factor in how the AppID is calculated, but it's an important aspect to reiterate. This means that portable applications will rarely have a definitive AppID unless they are run from the same drive letter and path as when they were initially executed. While this is unfortunate, there are solutions. For example, we can look at the .lnk artifacts created when the file was opened to find the drive letter and path to the file/application in question. Another place to look would be the prefetch files, in order to find more information on the portable application (beyond the scope of this post).
The great thing about having a quasi-though-not-nearly-comprehensive list of AppIDs is that you could potentially find exactly which version of an application was running. For example, say we have a portable image viewer (STDU, for instance). If we run it from a USB flash drive, it will generate an AppID based on the file's path (among other things). We can take a look around the system to find other artifacts and place them all in a timeline. We analyze the timeline to find when the flash drive was inserted and used, analyze the timeline items around that time, determine the name and path of the application, download different versions of that application, run each version from the location we just discovered, and compare the AppID to the initial evidence AppID. I have tested this and confirmed that this is indeed possible. While this is a very roundabout way of finding out the application version, it's still a viable option -- not ideal, but viable.
[UPDATE 4/30/13]: If you haven't looked at @Hexacorn's blog post on AppID and Jumplist filename calculation, be sure to look at it. It sheds light on the way AppIDs are calculated.
Further Research
There will most definitely be a followup post to this one. I've focused upon browsers, utilities, image viewers, and media players thus far. I'll be focusing more on file-sharing, communications, and file-transfer clients in the next installment. Of course, some of that software doesn't utilize Jump Lists as much as the software listed in this post (recent files for an IRC client? I don't think so...), but it's still important to know how to identify them and their artifacts, as jump lists are created simply as a result of a right click of the taskbar.
Please leave some feedback on this post if you've got the time. I would love to see some people correct me on some things; I won't bite, I swear! In any case, thanks for reading and keep an eye out for Part 2.
-4n6k
References
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs
11 comments:
Great post, Dan! IMO, you should post some of this info to http://forensicartifacts.com/. Thanks for the "thanks," too.
I echo Little Mac's comment. Thank you for the shout-out and I look forward to reading your contributions to the DFIR community!
@Little Mac @Brad4n6: Thanks, you guys. I'll definitely get this info to forensicsartifacts along with the followup information. Glad you enjoyed it!
One easy way to check the AppID for your specific target is to boot a VM of the image and run the apps in which you have an interest. Then check for the Jump List files that were modified or examine the Jump List files to locate the files that you opened with the apps.
Thanks, Jimmy. Your response on the win4n6 list-serv about apps used in CP cases really got me thinking on this AppID business, as well. I think this information would be most valuable for those types of investigations, but would serve well in general, too.
The AppID is in fact CRC64 of full name (path included) of the exe file. The function is in shell32.dll: CAutomaticDestinationList::Initialize
    // Decompiler output (Hex-Rays style). a2 is the full path of the executable,
    // sz is a local WCHAR buffer of 0x104 characters, v8 is the decompiler's alias
    // for the start of that buffer, and CRC64 is shell32's internal hash class.
    result = StringCchCopyW(&sz, 0x104u, a2);      // copy the path into the local buffer
    if ( result >= 0 )
    {
        v4 = &sz;
        do                                         // walk to the terminating NUL
        {
            v5 = *v4;
            ++v4;
        }
        while ( v5 );
        CharUpperBuffW(&sz, (signed int)((char *)v4 - (char *)&v8) >> 1);  // upper-case the path in place
        result = StringCbLengthW(&sz, 0x208u, &v6); // v6 = byte length of the UTF-16 string
        if ( result >= 0 )
        {
            CRC64::CRC64(&sz, v6);                 // hash the upper-cased UTF-16 bytes
            result = CRC64::ToString(a1, a3);      // render the 64-bit CRC as 16 hex digits: the AppID
        }
    }
    return result;
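The comment above describes the AppID as a CRC64 of the upper-cased executable path, and the Caveats section describes using that path dependence to identify a portable application by recomputing candidate AppIDs. The following is an added example, not code from the original post or its commenters, that implements both: a CRC-64 over the UTF-16LE bytes of the upper-cased path, a candidate-path matcher for the workflow in the Caveats section, and a small triage helper that pulls AppIDs out of a Recent folder listing and labels the ones this post's table covers. The CRC parameters (polynomial 0x92C64265D32139A4, all-ones initial value, no final XOR) and the substitution of well-known folders by their Known Folder GUIDs before hashing are taken from Hexacorn's calculator post linked in the update, and are assumptions here rather than facts this page states; the system drive is assumed to be C:, and all function names, the sample listing and the candidate paths are constructed for the example. Check the output against an AppID whose path you already know (for example a row from the table above) before relying on it.

```python
import re

# --- CRC-64 as used for AppIDs (parameters assumed from Hexacorn's post) ---
CRC64_POLY = 0x92C64265D32139A4
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ CRC64_POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc64(data: bytes) -> int:
    """Reflected CRC-64, initial value all ones, no final XOR (assumption)."""
    crc = 0xFFFFFFFFFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


# Known Folder GUIDs substituted for well-known prefixes before hashing
# (assumption; order matters so the more specific prefix wins; drive assumed C:).
KNOWN_FOLDERS = [
    (r"C:\Program Files (x86)", "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"),
    (r"C:\Program Files",       "{905E63B6-C1BF-494E-B29C-65B732D3D21A}"),
    (r"C:\Windows\SysWOW64",    "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"),
    (r"C:\Windows\System32",    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"),
    (r"C:\Windows",             "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"),
]


def normalize_path(path: str) -> str:
    """Upper-case the path (mirrors CharUpperBuffW) and apply the known-folder substitution."""
    up = path.upper()
    for prefix, guid in KNOWN_FOLDERS:
        if up.startswith(prefix.upper() + "\\"):
            return guid + up[len(prefix):]
    return up


def appid(path: str) -> str:
    """AppID = CRC-64 of the normalized path encoded as UTF-16LE, as 16 lower-case hex digits."""
    return f"{crc64(normalize_path(path).encode('utf-16-le')):016x}"


def match_candidates(observed_appid: str, candidate_paths):
    """Caveats-section workflow: which candidate run locations reproduce the observed AppID?"""
    observed = observed_appid.lower()
    return [p for p in candidate_paths if appid(p) == observed]


# --- Triage of a Recent folder listing against the AppIDs listed in this post ---
JUMPLIST_RE = re.compile(r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.I)

# A few rows from the post's table; extend with the rest as needed.
KNOWN_APPIDS = {
    "5d696d521de238c3": "Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215",
    "16ec093b8f51508f": "Opera 8.54 / 9.64 / 11.50",
    "9fda41b86ddcf1db": "VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11",
    "bc0c37e84e063727": "Windows Command Processor - cmd.exe (32-bit)",
}

# Constructed directory listing standing in for the user's Recent folder tree.
SAMPLE_LISTING = [
    "5d696d521de238c3.automaticDestinations-ms",
    "16ec093b8f51508f.automaticDestinations-ms",
    "9fda41b86ddcf1db.customDestinations-ms",
    "ace2e449a5dfce37.automaticDestinations-ms",
    "desktop.ini",
]


def appids_from_listing(filenames):
    """Map each AppID found in the listing to the Jump List types ('automatic'/'custom') seen for it."""
    found = {}
    for name in filenames:
        m = JUMPLIST_RE.match(name)
        if m:
            found.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return found


def triage(filenames):
    """Label every AppID in the listing with the application from the post's table, or 'unknown'."""
    return {aid: KNOWN_APPIDS.get(aid, "unknown") for aid in appids_from_listing(filenames)}


if __name__ == "__main__":
    for aid, label in triage(SAMPLE_LISTING).items():
        print(f"{aid}  {label}")
    # Portable-app scenario from the Caveats section: the evidence AppID came from E:\tools\stdu.exe
    evidence = appid(r"E:\tools\stdu.exe")
    print("matches:", match_candidates(evidence, [r"E:\tools\stdu.exe", r"F:\tools\stdu.exe"]))
```

The two Opera install paths from the Caveats section produce different AppIDs with this code, as the post observed, because the path past the Program Files prefix is part of the hashed string; an "unknown" label from triage is the cue to start the candidate-path comparison rather than a sign the Jump List is uninteresting.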
Is ace2e449a5dfce37 Event Viewer?
I have written an article about the potential artifacts from Windows 7 Jump Lists, including the structure of the DestList which you can find at:
http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/
Hope you find it useful.
@Anonymous - I suspected the AppID was a CRC64. How did you find that out?
If you haven't looked at @Hexacorn's blog post on AppID and Jumplist filename calculation, be sure to look at it. It sheds light on the way AppIDs are calculated.
http://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/
I do not pretend to understand the jargon above, in a layman's terms, Is it possible to simply copy the Automatic Destinations from a windows 7 system to a new install windows 8?