Tuesday, May 14, 2013

UserAssist Forensics (timelines, interpretation, testing, & more)


Everything I've learned on the subject of digital forensics has been a direct result of both experience and reading forensics books, blogs, and list-serv responses written by people like Ken Pryor, Harlan Carvey, Eoghan Casey, Chad Gough, Rob Lee, Lee Whitfield, Brad Garnett, David Kovar, Andrew Case, Dave Hull, Dan O'Day, Shafik Punja, Frank McClain, Cory Altheide, Joe Garcia, Hal Pomeranz, *deep breath* Troy Larson, Andrew Hoog, Andrew Hay, cci, pr0neer, Eric Huber, Luby Novitovic, Michael Hale Ligh, Alex Bond, Jimmy Weg, Corey Harrell, Dan Farmer, Larry E. Daniel, Jamie Levy, Tom Yarrish, Andreas Schuster, Loc Nguyen, Tony Balzanto, Josh Fazio, David Cowen, Didier Stevens, Joachim Metz, Ovie Carroll, David Nides, Brian Carrier, Jesse Kornblum, Patrick Olsen, and many more (I know I've forgotten some; I apologize to those I've missed). So I just wanted to start off with a quick 'thank you,' as you've all driven me to this point. Your work is very much appreciated.
----------------------------------

Before I get into the bulk of it all, let me note that UserAssist artifacts are nothing new. Didier Stevens and Harlan Carvey have written some great posts about what the UserAssist keys are and how they are laid out. Richard Drinkwater and Sploited have also posted about them. Harlan's Windows Registry Forensics also serves as a fantastic reference for not only this topic, but other registry artifacts as well; highly recommended. I will be covering the practical interpretation of the existence of these artifacts -- not their structures. So, as always, I would highly recommend that you take a look at all of the articles referenced at the bottom of this post for more in-depth information on the specifics. With that said, let's sum up what we already know about UserAssist artifacts.

UserAssist Summary
  • It is a registry key. It has values in subkeys that relate to each item executed on the system.
    • Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
    • Contains standard subkeys related to program/LNK file execution and toolbar interaction. Typical layout under UserAssist key is as follows: 
      • Windows XP
        • {5E6AB780-7743-11CF-A12B-00AA004AE837}
          • Count
        • {75048700-EF1F-11D0-9888-006097DEACF9}
          • Count
      • Windows 7
        • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
          • Count
        • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
          • Count
    • Each count subkey contains ROT-13 encoded values; each value is a separate UserAssist entry.
  • Windows XP and Windows 7 UserAssist registry values have different binary structures.
    • Win7 adds time of app interaction/focus; minor changes to time offsets
  • There are many "UEME_" prefixes in Windows XP; they are cut back in Windows Vista and almost entirely gone in Windows 7.
  • The raw "run count" starts at 5 instead of 0. Most UserAssist tools correct for this extra offset when they report the count (Windows 7 no longer has it).
  • It keeps track of the number of times applications/applets are launched (via shortcuts, Explorer shell, control panel, etc); this influences which items are automatically listed in the Start menu (i.e. programs used most often) for each user.
    • This differs from Prefetch execution count; prefetch count is not user-specific like UserAssist count.
  • It can keep track of how a program was launched (easier to determine on WinXP).

Forensic Value (or Why It's Important)

We now know the basics of what UserAssist artifacts are...so how can we use them to our advantage? Through them, we can determine the following:
  • Frequency of program execution -- per user.
  • Last time a program was launched.
  • From whence items were being launched most often.
  • System date/time changes.
  • Evidence of programs after deletion/uninstall.
  • How long a user has interacted with a given program (Win7).
  • Evidence of absence (i.e. items that were in a specific location at one time; e.g. the "My Documents" folder is now empty, but it was launched 224 times).
That last bullet is oddly specific because, well, I ran into that on a case recently. I was able to use information from the UserAssist key to determine that a [now empty] My Documents folder was opened 200+ times and was launched immediately before file copy activity and system cleaning/wiping. Couple this with shellbag artifacts showing what used to be there and the fact that the My Documents folder was not being redirected and...well, you get the point. These artifacts are valuable -- especially those found within the UserAssist key.

Pre-Testing (or What To Expect And Why)

Much of my interest and curiosity in regard to UserAssist artifacts was spawned by reviewing timelines. I had always seen red UserAssist entries in my colored timelines, but I never completely understood the forensic potential that they held. In the case above, I saw one entry in particular that confused me at the time:


This timeline entry shows the usual elements: time, artifact + type of source, type of artifact, and a [short] description of the artifact value. Since red entries suggest Program Execution and we see that the sourcetype is a UserAssist key, we shift our focus to the artifact value. To offset any confusion right off the bat, let's take a look at a more standard UserAssist timeline entry first:


We see the "UEME_" prefix followed by "RUNPATH" and then the full path to the executed program. This essentially tells us that the program, CCleaner, which is located at the given path, was run in some way at 8:13:53.

If you'd like, you could stop there...or...you could dig a little deeper to understand exactly how and why you are seeing what you're seeing. I suggest the latter. So, now that we have a little better understanding of what that value means, let's go back to our initial, confusing entry:

 
We see the familiar "UEME_" prefix and "RUNPATH." But then we see a triple colon ":::" followed by "[My Documents] VIRTUAL."  Based on our CCleaner entry, we might expect to see a full path to an executable. So what gives?

What we see above is an artifact left as a result of a user opening a Windows virtual folder (in this case, My Documents). These folders are also known as special folders. Other special folders include the Recycle Bin, My Network Places, and the like. Log2timeline is nice enough to let us know that this is a virtual folder by ending the value with "VIRTUAL."

On that note, it's important to understand what log2timeline is doing to allow you to see that "[My Documents] VIRTUAL" portion of the value. The log2timeline source tells us that when log2timeline comes across a "CSIDL" or "known folder" GUID, it will translate the GUID to its human-readable counterpart (there are many officially recognized GUIDs, and even more unofficially recognized GUIDs). To illustrate this, consider the following output from RegRipper's userassist module:

Mon Jan  7 13:48:31 2013 Z
  UEME_RUNPATH:::{450D8FBA-AD25-11D0-98A8-0800361B1103} (224)


This is the exact same data we see in the timeline entry (with the run count added in parentheses); the only difference is that the {450D8FBA-AD25-11D0-98A8-0800361B1103} GUID is translated to "[My Documents] VIRTUAL" in the timeline. Of course, you will have to look up any GUIDs that do not have a name associated with them in log2timeline.

As the above example suggests, UserAssist artifacts will show up with more than just paths to executables. You will also see entries that point to certain folders and LNK files (e.g. a user double-clicking the Recycle Bin folder on the desktop; a user double-clicking a program shortcut; etc).
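To make the summary above and the GUID translation concrete, here is an added Python example (not code from this post, from RegRipper or from log2timeline) that decodes a Windows XP UserAssist value the way those tools do: ROT-13 the value name, unpack the 16-byte XP data (session id, raw run count, FILETIME), subtract the XP count offset of 5, and translate a ::{GUID} target with a small GUID table. The GUID table, the sample values and the helper names are assumptions constructed for illustration; the Windows 7 layout is not handled.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed subset of the CSIDL / known-folder GUID table that log2timeline uses to print
# "[My Documents] VIRTUAL"; only the GUIDs that appear in this post are listed here.
KNOWN_FOLDER_GUIDS = {
    "{450D8FBA-AD25-11D0-98A8-0800361B1103}": "My Documents",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",
    "{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}": "Internet",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_VALUE_LEN = 16      # XP value data: session id (4) | raw run count (4) | FILETIME (8), little-endian
XP_COUNT_OFFSET = 5    # XP raw counts start at 5 rather than 0; tools subtract this (Win7 does not need it)


def filetime_to_datetime(filetime):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(seconds=1)) * 10_000_000


def make_xp_value(session_id, run_count, last_run):
    """Build constructed XP value data for the sample below, storing the count the way XP does (+5)."""
    return struct.pack("<IIQ", session_id, run_count + XP_COUNT_OFFSET, datetime_to_filetime(last_run))


def parse_xp_entry(rot13_name, value_data):
    """Decode one XP UserAssist value: ROT-13 name, UEME_ prefix, target, run count and last-run time."""
    name = codecs.decode(rot13_name, "rot_13")
    prefix, _, target = name.partition(":")          # "UEME_RUNPATH:C:\..." -> prefix, "C:\..."
    label = target
    # A target of the form ::{GUID} is a virtual (special) folder; show it like the timeline does.
    if target.startswith("::{") and target.endswith("}"):
        folder = KNOWN_FOLDER_GUIDS.get(target[2:].upper())
        if folder:
            label = f"[{folder}] VIRTUAL"
    entry = {"name": name, "prefix": prefix, "target": label,
             "session": None, "run_count": None, "last_run": None}
    if len(value_data) == XP_VALUE_LEN:
        session, raw_count, filetime = struct.unpack("<IIQ", value_data)
        entry["session"] = session
        entry["run_count"] = max(raw_count - XP_COUNT_OFFSET, 0)
        entry["last_run"] = filetime_to_datetime(filetime) if filetime else None
    return entry


# Constructed sample: the My Documents entry quoted from RegRipper above, a CCleaner RUNPATH
# entry and the bare RUNPATH counter, all stored ROT-13 encoded as they are in the hive.
_T = datetime(2013, 1, 7, 13, 48, 31, tzinfo=timezone.utc)
SAMPLE_VALUES = [
    (codecs.encode("UEME_RUNPATH:::{450D8FBA-AD25-11D0-98A8-0800361B1103}", "rot_13"), make_xp_value(0, 224, _T)),
    (codecs.encode("UEME_RUNPATH:C:\\Program Files\\CCleaner\\CCleaner.exe", "rot_13"), make_xp_value(0, 1, _T)),
    (codecs.encode("UEME_RUNPATH", "rot_13"), make_xp_value(0, 6, _T)),
]


def parse_sample():
    return [parse_xp_entry(name, data) for name, data in SAMPLE_VALUES]


if __name__ == "__main__":
    for e in parse_sample():
        print(f"{e['last_run']:%a %b %d %H:%M:%S %Y} Z  {e['prefix']}:{e['target']} ({e['run_count']})")
```

The bare counter entry (`UEME_RUNPATH` with no target) decodes with an empty target, which is how the `UEME_RUNPATH (6)` lines in the test results below should be read: a running total for that prefix rather than a program.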

UserAssist Entry Variations

The above gives an example of what we'll see when we encounter a RUNPATH entry. I would argue that this kind of entry will be the most common that you will see. There are, however, some different UserAssist entries, as well. The absolute best explanation of these entry types that I have found is from Didier Stevens's UserAssist article in the first issue of Into The Boxes:
  • UEME_CTLSESSION: This entry is for the session ID, it doesn't hold data about executed programs
  • UEME_UIQCUT: Counts the programs launched via a Quick Launch menu shortcut
  • UEME_UISCUT: Counts the programs launched via a Desktop shortcut
  • UEME_RUNCPL: This entry keeps data about executed control applets (.cpl)
  • UEME_RUNPATH: This entry keeps data about executed programs
  • UEME_RUNPIDL: This entry keeps data about executed PIDLs
  • UEME_UITOOLBAR: This entry keeps data about clicks on the Windows Explorer Toolbar buttons
In my experience, the RUNPATH, RUNCPL, and RUNPIDL entries serve as the most useful. We'll see some examples of what causes each of these entries in the following section.


Testing (or How It Really Looks In Practice)

Tests were run on some of the more common user activities (and POC actions) to see exactly how UserAssist entries are triggered. The 13 scenarios below illustrate how UserAssist entries look both in the registry and in timelines after a given user action is performed. Note that the applications used are merely examples and can be substituted with countless others.



Action #1: Click Internet Explorer via Start Menu

We see a virtual folder for the default internet browser along with the Internet Explorer executable

Parsed registry UserAssist entries:
    UEME_RUNPIDL:::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} (1)
    UEME_RUNPATH:C:\Program Files\Internet Explorer\iexplore.exe (1)
    UEME_RUNPATH (6)
    UEME_RUNPIDL (3)



Action #2: CMD.exe via Start Menu > Run... dialog

Path to cmd.exe after being typed into Run... dialog

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe (1)
    UEME_RUNPATH (3)



Action #3: CCleaner Run via Shortcut on Desktop (Double-click)

LNK file from desktop with full path to exe. Also UISCUT (desktop shortcut) entry

Parsed registry UserAssist entries:
    UEME_RUNPATH:CCleaner.lnk (1)
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPATH (4)
    UEME_UISCUT (1)



Action #4: CCleaner Run Directly via Program Files or Start Menu > Run... dialog

Note entries around UserAssist entries (MUICache for first launch; RunMRU for text typed into run dialog)

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPATH (3)



Action #5: Right-click Recycle Bin > "Open CCleaner..." or "Run CCleaner..."

Note special case: "ccleaner.exe" is lowercase when launched via right-click of Recycle Bin

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\Program Files\CCleaner\ccleaner.exe (1)
    UEME_RUNPATH (3)



Action #6: Double-click Recycle Bin Icon on Desktop

Note virtual folder for Recycle Bin via desktop icon

Parsed registry UserAssist entries:
    UEME_RUNPATH:::{645FF040-5081-101B-9F08-00AA002F954E} (1)
    UEME_RUNPATH (3)
    UEME_UISCUT (1)



Action #7: Double-click Time in Task Bar

Note the RUNCPL, as this is a control panel item. Can determine potential time change.

Parsed registry UserAssist entries:
    UEME_RUNCPL:timedate.cpl (1)
    UEME_RUNCPL (1)



Action #8: Open CCleaner via Start Menu > All Programs

Note %csidl2%. This shows when navigating through All Programs in Start Menu. Shortcut must ultimately be clicked in order to see this; simply hovering over it will not cause an entry.

Parsed registry UserAssist entries:
    UEME_RUNPIDL:%csidl2%\CCleaner\CCleaner.lnk (1)
    UEME_RUNPIDL:%csidl2%\CCleaner (1)
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPATH (3)
    UEME_RUNPIDL (3)



Action #9: Run CCleaner via Start Menu Item (pinned or MRU Start Menu item)

Note full path to LNK file

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPIDL:C:\Documents and Settings\All Users\Desktop\CCleaner.lnk (1)
    UEME_RUNPATH (3)
    UEME_RUNPIDL (3)



Action #10: Right-click Desktop > Properties

Another control panel item

Parsed registry UserAssist entries:
    UEME_RUNCPL:desk.cpl (1)
    UEME_RUNCPL (1)



Action #11: Double-click My Documents folder on Desktop (after "show desktop icons" enabled via Properties)

Note virtual folder and surrounding shellbags entry

Parsed registry UserAssist entries:
    UEME_RUNPATH:::{450D8FBA-AD25-11D0-98A8-0800361B1103} (1)
    UEME_RUNPATH (4)



Action #12: Click Once, Press Enter for My Computer icon on Desktop

Once again, note virtual folder
 
Parsed registry UserAssist entries:
    UEME_RUNPATH:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} (1)
    UEME_RUNPATH (3)
    UEME_UISCUT (5)



Action #13: Wordpad launched via QuickLaunch Toolbar

Note UIQCUT entry. RUNPATH entry trigger was sporadic (would NOT show for CCleaner)

Parsed registry UserAssist entries:
    UEME_UIQCUT (1)
    UEME_RUNPATH (2)
    UEME_RUNPATH:C:\Program Files\Windows NT\Accessories\wordpad.exe (1)

**This list is NOT exhaustive, but gives a solid base for what you'll see when analyzing UserAssist entries.


Caveats

It is important to note, at this point, that the above focuses on analyzing Windows XP machines. One of the [unfortunate] modifications that came with Windows 7 was the removal of [almost all of the] "UEME_" prefixes in UserAssist entries. Why is this unfortunate? Because it is this part of the value that tells us how the program was launched.

Not only that, but the binary structure of the UserAssist values has changed. Didier Stevens talks about this at length in his article here.

There are limits to what we can conclude from UserAssist entries. For example, consider this entry:



As we have learned from testing, the above entry can mean many different things without context. It could mean that the user launched the program:
  • from the "Run" dialog box in the Start Menu
  • by double-clicking the .exe in the full path
  • by selecting the program from Start Menu > All Programs
  • by selecting the program from a pinned/MRU Start Menu icon

We must look at the other entries that come with this entry so that we can further determine how it was launched.
  • If this was the ONLY UserAssist entry that was updated at 8:13:53, we can rule out the "Start > All Programs" and "pinned/MRU Start Menu icon" possibilities, as those will show more than just this entry (i.e. they will come with an additional RUNPIDL entry).
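As an added example (not from this post), the elimination reasoning above written as a small Python function: it takes the decoded value names whose timestamps were updated at the same instant and returns the launch methods still consistent with the 13 XP scenarios in the Testing section. The method labels and the matching rules are my reading of those scenarios and are assumptions, not an official mapping.

```python
# Launch-method labels, named after the scenarios above (constructed for this example).
RUN_DIALOG = "Start Menu > Run... dialog"
DOUBLE_CLICK_EXE = "double-click the .exe at its full path"
ALL_PROGRAMS = "Start Menu > All Programs"
PINNED_MRU = "pinned/MRU Start Menu item"
START_MENU_VIRTUAL = "Start Menu entry for a virtual item (RUNPIDL ::{GUID})"
DESKTOP_SHORTCUT = "desktop shortcut double-click (RUNPATH .lnk + UISCUT)"
QUICK_LAUNCH = "Quick Launch toolbar (UIQCUT)"
CONTROL_PANEL = "control panel applet (RUNCPL)"
VIRTUAL_FOLDER = "virtual folder opened (RUNPATH ::{GUID})"


def split_entry(name):
    """'UEME_RUNPATH:C:\\...' -> ('UEME_RUNPATH', 'C:\\...'); bare counters give an empty target."""
    prefix, _, target = name.partition(":")
    return prefix, target


def infer_launch_methods(co_updated_names):
    """Given decoded value names whose timestamps were all updated at the same instant,
    return the launch methods still consistent with the XP test results in this post."""
    parsed = [split_entry(n) for n in co_updated_names]
    prefixes = {p for p, _ in parsed}
    pidl_targets = [t for p, t in parsed if p == "UEME_RUNPIDL" and t]
    path_targets = [t for p, t in parsed if p == "UEME_RUNPATH" and t]

    if "UEME_RUNCPL" in prefixes:                                      # actions #7, #10
        return {CONTROL_PANEL}
    if any(t.startswith("::{") for t in path_targets):                # actions #6, #11, #12
        return {VIRTUAL_FOLDER}
    if "UEME_UIQCUT" in prefixes:                                      # action #13
        return {QUICK_LAUNCH}
    if "UEME_UISCUT" in prefixes and any(t.lower().endswith(".lnk") for t in path_targets):
        return {DESKTOP_SHORTCUT}                                      # action #3
    if any(t.lower().startswith("%csidl2%") for t in pidl_targets):   # action #8
        return {ALL_PROGRAMS}
    if any(t.lower().endswith(".lnk") for t in pidl_targets):         # action #9
        return {PINNED_MRU}
    if any(t.startswith("::{") for t in pidl_targets):                # action #1
        return {START_MENU_VIRTUAL}
    if path_targets:
        # Only RUNPATH:<exe> and its counter moved: both RUNPIDL-bearing methods are ruled
        # out, leaving the two this post says cannot be separated without more context (#2, #4).
        return {RUN_DIALOG, DOUBLE_CLICK_EXE}
    return set()


# Constructed scenario: the CCleaner entry at 8:13:53 discussed above, with nothing else touched.
LONE_RUNPATH = ["UEME_RUNPATH:C:\\Program Files\\CCleaner\\CCleaner.exe", "UEME_RUNPATH"]

if __name__ == "__main__":
    print(sorted(infer_launch_methods(LONE_RUNPATH)))
```

The order of the checks matters: a virtual-folder RUNPATH is tested before UISCUT because actions #6 and #12 show a desktop icon for a virtual folder bumping UISCUT as well, and that entry would otherwise be misread as a program shortcut.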
Note also that you will only see the latest time a program was run for each way it is run, as the embedded time in each entry is overwritten every time said program is run that way. All hope is not lost, however. I've had clients ask how many times a given program was run since X date, and UserAssist entries have helped in confirming that a program has been run "at least n times" by considering the following:
  • Programs run in different ways will leave artifacts with different times attached to them (e.g. run once from the Start Menu and once from an icon on the desktop)
  • Restore Points and Volume Shadow Copies hold old NTUSER.DAT files, which can be parsed to see the latest UserAssist entry times at the time of the RP/VSC creation (log2timeline will parse RPs for you, and by modifying l2t plugins, as Corey Harrell does, you can create VSC timelines).
    • You can also take the RP/VSC run counts for each entry and diff them against the current NTUSER.DAT to find how many times a program was run in a given date range.
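An added Python example (not the author's code) of the snapshot diffing described in the last two bullets, with constructed counts and times standing in for hives parsed from a Restore Point and from the live NTUSER.DAT. The hive dictionaries, function names and the "take the largest single increase, not the sum" rule are my assumptions; the rule exists because, as the test results above show, one launch can bump several entries (the .lnk and the .exe) at once.

```python
from datetime import datetime, timezone


def run_count_deltas(older, newer):
    """older/newer map decoded value name -> (run_count, last_run), parsed from an RP/VSC copy
    of NTUSER.DAT and from the current hive. Returns the per-entry increase (new entries count
    in full) and flags entries whose count went *down*, which a live hive never does on its own."""
    deltas, anomalies = {}, []
    for name, (count, _) in newer.items():
        old_count = older.get(name, (0, None))[0]
        if count < old_count:
            anomalies.append(name)
        elif count > old_count:
            deltas[name] = count - old_count
    return deltas, anomalies


def at_least_runs(program, older, newer):
    """Lower bound on launches of `program` between the two hives. One launch can bump several
    entries (the .lnk and the .exe, for example), so entries are not summed; the largest single
    increase among the entries naming the program is the defensible 'at least n'."""
    deltas, _ = run_count_deltas(older, newer)
    matching = [d for name, d in deltas.items() if program.lower() in name.lower()]
    return max(matching, default=0)


def distinct_run_times(entries, program):
    """Each launch method keeps its own last-run time, so every distinct timestamp among the
    entries naming the program is evidence of a separate run."""
    return sorted({t for name, (_, t) in entries.items()
                   if program.lower() in name.lower() and t is not None})


def utc_time(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)


# Constructed data: counts and times as a UserAssist parser would report them (XP offset removed).
RESTORE_POINT_HIVE = {  # NTUSER.DAT taken from a Restore Point created 2013-01-01 (constructed)
    "UEME_RUNPATH:C:\\Program Files\\CCleaner\\CCleaner.exe": (3, utc_time(2012, 12, 30, 9, 0, 0)),
    "UEME_RUNPATH:CCleaner.lnk": (1, utc_time(2012, 12, 28, 17, 5, 0)),
    "UEME_RUNCPL:timedate.cpl": (2, utc_time(2012, 12, 20, 12, 0, 0)),
}
CURRENT_HIVE = {  # live NTUSER.DAT (constructed)
    "UEME_RUNPATH:C:\\Program Files\\CCleaner\\CCleaner.exe": (7, utc_time(2013, 1, 7, 8, 13, 53)),
    "UEME_RUNPATH:CCleaner.lnk": (2, utc_time(2013, 1, 5, 19, 40, 10)),
    "UEME_RUNPIDL:%csidl2%\\CCleaner\\CCleaner.lnk": (1, utc_time(2013, 1, 3, 11, 2, 45)),
    "UEME_RUNCPL:timedate.cpl": (2, utc_time(2012, 12, 20, 12, 0, 0)),
}

if __name__ == "__main__":
    print(run_count_deltas(RESTORE_POINT_HIVE, CURRENT_HIVE))
    print("CCleaner run at least", at_least_runs("ccleaner", RESTORE_POINT_HIVE, CURRENT_HIVE), "times since the RP")
    print(distinct_run_times(CURRENT_HIVE, "ccleaner"))
```

Running the diff the other way round (treating the older hive as the newer one) is a quick sanity check: counts that go down mean the hives are not in the order you think, or the user's profile was replaced.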

Further Research

UserAssist artifacts have been reliable evidence sources in forensic investigations for quite some time now. However, that does not mean that they have been solved in full. The Windows 7 (and potentially Windows 8?) UserAssist binary structure introduced some new items -- some that have yet to be reversed. As Didier Stevens has stated, there is still more work to be done. Despite this, there is much we can gather from these artifacts.

While UserAssist artifacts will show us some pretty valuable information, one must not forget the significance of surrounding artifacts. Looking at UserAssist entries alone will not cut it in a quality investigation; the more context you have, the better you will understand what a given artifact is telling you.

As for future analysis, I encourage people to test UserAssist behavior and to understand what the artifacts themselves mean. Understanding breeds correct conclusions in investigations. Interpreting things incorrectly could have dire consequences, as well. The only way to know that you're doing something right is to test it. Remember: never trust what you're seeing at face value. Test, test, and test again.


-Dan (@4n6k)


References
1. UserAssist Utility (by Didier Stevens)
2. SANS Forensic Artifact 6: UserAssist (by Sploited)
3. ForensicArtifacts UserAssist (by Matt)
4. Windows 7 UserAssist Registry Keys - Into The Boxes (by Didier Stevens)
5. CLSID List (Windows Class Identifiers)
6. Windows Registry Forensics (by Harlan Carvey)
7. WindowsIR UserAssist Posts (by Harlan Carvey)
8. Prefetch and User Assist (by Richard Drinkwater)
9. Colorized Supertimeline Template (by Rob Lee) 
10. KNOWNFOLDERID List (by Microsoft)
11. Known Folder GUIDs for File Dialog Custom Places (by Microsoft)
12. CLSID Key (GUID) Shortcuts List for Windows 7 (by SevenForums)
13. CLSID List (by AutoScriptIt)
14. Registry: MUICache (by ForensicArtifacts)
15. Volume Shadow Copy Timeline (by Corey Harrell) 
*Special thanks to Harlan Carvey and Kristinn Gudjonsson for answering some quick questions I had while researching this.

Friday, February 24, 2012

Forensics Quickie: Extracting Unallocated Space with The Sleuth Kit

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
You'd like to do a keyword search -- not only within user documents, but within deleted items, as well. We will need to extract unallocated space, first and foremost.

The Solution
Boot up a Linux VM (I chose Ubuntu) and install The Sleuth Kit:
  • sudo apt-get install sleuthkit
If you are working with a non-raw container (E01, AFF), use xmount to "convert"* it to a dd image. Split images can be accounted for by using question marks:
  • sudo apt-get install xmount
  • sudo xmount --in ewf ~/image.e?? /mnt/foo
Use mmls to find the offset of the partition for which you'd like to extract the unallocated space (using our newly created .dd image as input):
  • mmls /mnt/foo/image.dd

Using the starting sector of the desired partition as the offset, run blkls and output the unallocated space to a file:
  • sudo blkls -o 411648 /mnt/foo/image.dd > ~/Evidence/image.unalloc
And that's it! Now you can do whatever you'd like with that unallocated space.
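As an added example (not part of the original post, and not code from The Sleuth Kit), a Python wrapper for the mmls/blkls steps above: it parses mmls output to find the partitions, picks the largest one and builds the `blkls -o <start sector>` command. The `SAMPLE_MMLS` text is constructed to look like TSK's output with the volume starting at sector 411648, as in the command above; function names are my own, and `extract_unallocated` only calls the real tools when they are installed.

```python
import re
import subprocess

SECTOR_RE = re.compile(r"Units are in (\d+)-byte sectors")
# slot, table:entry (or Meta / -------), start, end, length, description
ROW_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

# Constructed mmls output shaped like TSK's, with the NTFS volume starting at sector 411648.
SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
      00:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
      01:  -------   0000000000   0000002047   0000002048   Unallocated
      02:  00:00     0000002048   0000411647   0000409600   NTFS (0x07)
      03:  00:01     0000411648   0020971519   0020559872   NTFS (0x07)
"""


def parse_mmls(text):
    """Return the real partitions from mmls output as dicts (values in sectors, not bytes)."""
    m = SECTOR_RE.search(text)
    sector_size = int(m.group(1)) if m else 512
    parts = []
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if not r or r.group(2) in ("Meta", "-------"):   # skip table metadata and unpartitioned gaps
            continue
        parts.append({"slot": r.group(2), "start": int(r.group(3)), "end": int(r.group(4)),
                      "length": int(r.group(5)), "desc": r.group(6), "sector_size": sector_size})
    return parts


def largest_partition(parts):
    return max(parts, key=lambda p: p["length"])


def byte_offset(part):
    """mmls and blkls -o both speak in sectors; this is the byte offset for tools that do not."""
    return part["start"] * part["sector_size"]


def blkls_argv(image, part):
    """The blkls invocation from the post, with the start sector filled in from mmls."""
    return ["blkls", "-o", str(part["start"]), image]


def extract_unallocated(image, out_path, run_mmls=True):
    """Drive the whole procedure: mmls -> pick the largest partition -> blkls into out_path.
    With run_mmls=False the constructed sample output is parsed instead of calling mmls."""
    if run_mmls:
        text = subprocess.run(["mmls", image], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_MMLS
    part = largest_partition(parse_mmls(text))
    with open(out_path, "wb") as out:
        subprocess.run(blkls_argv(image, part), stdout=out, check=True)
    return part


if __name__ == "__main__":
    part = largest_partition(parse_mmls(SAMPLE_MMLS))
    print(part, byte_offset(part), " ".join(blkls_argv("/mnt/foo/image.dd", part)))
```

Picking the largest partition is a convenience for single-volume images; on a multi-volume disk, inspect the parsed list and choose the partition you actually want to search.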

Thanks to @chadgough for spurring this post.

-Dan (@4n6k)

*It's not actually a conversion; it's a representation of the original image.
References
1. The Sleuth Kit
2. xmount

Sunday, January 8, 2012

Forensics Quickie: Recovering Deleted Files With Scalpel (.CR2 Photos)

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
SD card was accidentally formatted; RAW photos in .cr2 format from a Canon Rebel T3 needed to be recovered.

The Solution
Boot up a Linux VM (I chose Ubuntu) and install Scalpel with:
  • sudo apt-get install scalpel
Check to see if the required filetype signature is supported by Scalpel by default:
  • sudo vi /etc/scalpel/scalpel.conf
If it's there, simply uncomment it. If it's not there, add an entry for it. I didn't see .cr2 in there, so I added my desired extension (cr2), signature case sensitivity (y), filesize (17825792), and header signature (with no footer) with this entry:
  • cr2     y       17825792 \x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52
Run Scalpel with parameters for the desired image file (it can be a split image) and the output directory:
  • scalpel [imageFile.dd] -o [outputDir]
Of course, you can also do this with other filetypes, as well. But if you ever need to add unsupported filetypes to scalpel.conf, that's how you do it. And if you find that your custom signature entry works, be sure to email it to the creators.
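To show what that scalpel.conf entry actually does, here is an added Python example (not Scalpel's code, and not from the original post) that parses the line above into its four fields, decodes the `\xNN` header escapes, and runs a header-only carve over a constructed byte buffer. The carving loop is a simplified model of a footer-less rule: Scalpel's own implementation, its `?` wildcard support and its handling of overlapping hits are not reproduced, and the sample image and function names are assumptions.

```python
import re

# The custom scalpel.conf line from this post: extension, case sensitivity, max size, header (no footer).
CR2_RULE_LINE = r"cr2     y       17825792 \x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52"


def decode_signature(text):
    """Turn scalpel's \\xNN escapes into bytes (the '?' wildcard scalpel also accepts is not handled)."""
    return re.sub(rb"\\x([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()),
                  text.encode("latin-1"))


def parse_scalpel_line(line):
    """Split one scalpel.conf rule: ext, case flag, max size, header and optional footer."""
    fields = line.split()
    ext, case_flag, size, header = fields[:4]
    footer = fields[4] if len(fields) > 4 else None
    return {"ext": ext, "case_sensitive": case_flag.lower() == "y", "size": int(size),
            "header": decode_signature(header),
            "footer": decode_signature(footer) if footer else None}


def carve(image, rule, stop_at_next_header=False):
    """Header-only carving, as a rule without a footer works: from every header hit take up to
    `size` bytes. Such a rule cannot know where the file really ends, so it over-carves and may
    swallow the next file; stop_at_next_header trims each hit at the following header instead."""
    header, size = rule["header"], rule["size"]
    hits = []
    pos = image.find(header)
    while pos != -1:
        hits.append(pos)
        pos = image.find(header, pos + len(header))
    carved = []
    for i, start in enumerate(hits):
        end = start + size
        if stop_at_next_header and i + 1 < len(hits):
            end = min(end, hits[i + 1])
        carved.append((start, image[start:end]))
    return carved


CR2_HEADER = b"\x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52"
# Constructed "formatted SD card": two fake CR2 files (header + body) between runs of filler.
SAMPLE_IMAGE = (b"\x00" * 100) + CR2_HEADER + (b"A" * 90) + (b"\xff" * 100) + CR2_HEADER + (b"B" * 40)

if __name__ == "__main__":
    rule = parse_scalpel_line(CR2_RULE_LINE)
    for offset, data in carve(SAMPLE_IMAGE, rule, stop_at_next_header=True):
        print(f"{rule['ext']} at offset {offset}: {len(data)} bytes")
```

The 17825792 size in the rule is a ceiling, not a file length: with the plain carve the first hit runs all the way to the end of the buffer and includes the second photo, which is why carved output from header-only rules is usually larger than the originals and why a viewer still opens them.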

-Dan (@4n6k)

References
1. Download Scalpel: Digital Forensics Solutions

Wednesday, September 28, 2011

Forensics Quickie: Mounting Split .vmdk

Introducing FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
You're tasked with examining a VMware virtual disk. On your way to acquire the .vmdk file, you notice that there's not one, but several .vmdk files. A split VM! You know FTK Imager supports mounting .vmdk, so you go ahead and attempt to mount it. But...it only accepts one .vmdk file!

The Solution
Combine those .vmdk files into one, single .vmdk. You can do this with the vmware-vdiskmanager CLI tool that comes with VMware. Simply follow these instructions, run the command, and mount the resulting file in FTK Imager. Success!

Thanks to KP for spurring this topic.

-Dan (@4n6k)

References
1. Mahmoud Thoughts - Merge 2GB VMDK files to one single VMDK file

Thursday, September 15, 2011

Jump List Forensics: AppIDs Part 2

In Part 1 of the Jump List Forensics AppID series, we took a look at what a Jump List essentially is and focused upon the AppIDs of the following types of software:
  • Internet Browsers
  • Image/Document Viewers
  • Media Players
  • Utilities
Now, in Part 2, we will close out the series by taking a look at the AppIDs for the following types of software:
  • File Sharing/P2P
  • FTP
  • IRC
  • IM/Communications
  • Usenet Newsreaders
  • System Cleaners
As you'll see in a bit, this round yielded many more results than the first. There were some other discoveries made along the way, as well. But before we get into all of that, let's recap what we know so far.

Jump List for CCleaner

Recap
  • Jump Lists provide artifacts regarding Most Recently Used (MRU) and/or Most Frequently Used (MFU) files/tasks/URLs for applications
  • AppIDs are calculated by Windows unless the application developer provides a custom AppID
  • Location from whence an executable was run matters in calculating the AppID (but don't disregard portable apps!)
  • Jump List artifacts for an application stay on the machine after said application is uninstalled
  • Per Harlan's post, MiTeC's SSViewer and Mark Woan's JumpLister can parse autoDest files
  • Jump Lists look like this, this, this, and this.

Jump List AppIDs

All applications are 32-bit. Tested on Windows 7 Professional SP1.

Note: Several versions of the same application were tested in many cases; just because it's the same application doesn't mean it will have the same AppID.

File Sharing/P2P

AppID            Application (versions tested)
e0f7a40340179171 imule 1.4.5 (rev. 749)
installs to .exe loc AirDC++ 2.10
76f6f1bd18c19698 aMule 2.2.6
cb5250eaef7e3213 ApexDC++ 1.4.3.957
bfc1d76f16fa778f Ares (Galaxy) 1.8.4 / 1.9.8 / 2.1.0 / 2.1.7.3041
(portable) Azureus 0.9.0 (portable)
accca100973ef8dc Azureus 2.0.8.4
ccb36ff8a8c03b4b Azureus 2.5.0.4 / Vuze 3.0.5.0
558c5bd9f906860a BearShare Lite 5.2.5.1
e1d47cb031dafb9f BearShare 6.0.0.22717 / 8.1.0.70928 / 10.0.0.112380
(portable) BitComet 0.39 (portable)
a31ec95fdd5f350f BitComet 0.49 / 0.59 / 0.69 / 0.79 / 0.89 / 0.99 / 1.07 / 1.28
bcd7ba75303acbcf BitLord 1.1
1434d6d62d64857d BitLord 1.2.0-66
e73d9f534ed5618a BitSpirit 1.2.0.228 / 2.0 / 2.6.3.168 / 2.7.2.239 / 2.8.0.072 / 3.1.0.077 / 3.6.0.550
c9374251edb4c1a8 BitTornado T-0.3.17
2d61cccb4338dfc8 BitTorrent 5.0.0 / 6.0.0 / 7.2.1 (Build 25548)
ba3a45f7fd2583e1 Blubster 3.1.1
4a7e4f6a181d3d08 broolzShare
f001ea668c0aa916 Cabos 0.8.2
(portable) CzDC 0.699 (portable)
(portable) Datawire 1.3 (portable)
(portable) DC++ 0.181 (portable)
560d789a6a42ad5a DC++ 0.261 / 0.698 / 0.782 (r2402.1)
4aa2a5710da3efe0 DCSharpHub 2.0.0
2db8e25112ab4453 Deluge 1.3.3
5b186fc4a0b40504 Dtella 1.2.5 (Purdue network only)
2437d4d14b056114 EiskaltDC++ 2.2.3
b3016b8da2077262 eMule 0.50a
cbbe886eca4bfc2d ExoSee 1.0.0
9ad1ec169bf2da7f FlylinkDC++ r405 (Build 7358)
4dd48f858b1a6ba7 Free Download Manager 3.0 (Build 852)
(portable) Freenet (default install dir is C:\Users\$user\...)
(portable) Frost 2011-03-05 (portable)
f214ca2dd40c59c1 FrostWire 4.20.9
73ce3745a843c0a4 FrostWire 5.1.4
98b0ef1c84088 fulDC 6.78
e6ea77a1d4553872 Gnucleus 1.8.6.0
ed49e1e6ccdba2f5 GNUnet 0.8.1a
cc4b36fbfb69a757 gtk-gnutella 0.97
a746f9625f7695e8 HeXHub 5.07
223bf0f360c6fea5 I2P 0.8.8 (restartable)
2ff9dc8fb7e11f39 I2P 0.8.8 (no window)
???????????????? [i2p] i2phex 3.2.0.103.0
f1a4c04eebef2906 [i2p] Robert 0.0.29 Preferences
???????????????? [i2p] Rufus 0.0.4
c8e4c10e5460b00c iMesh 6.5.0.16898
f61b65550a84027e iMesh 11.0.0.112351
d460280b17628695 Java Binary
(portable) Jucy DC 0.85.0.201008281346 (portable)
784182360de0c5b6 Kazaa Lite 1.7.1
a75b276f6e72cf2a Kazaa Lite Tools K++ 2.7.0
ba132e702c0147ef KCeasy 0.19-rc1
a8df13a46d66f6b5 Kommute (Calypso) 0.24
(portable) LamaHub 0.0.5.5 (portable)
c5ef839d8d1c76f4 LimeWire 5.2.13
977a5d147aa093f4 Lphant 3.51
96252daff039437a Lphant 7.0.0.112351
e76a4ef13fbf2bb1 Manolito 3.1.1
99c15cf3e6d52b61 mldonkey 3.1.0
ff224628f0e8103c Morpheus 3.0.3.6
(portable) MUTE File Sharing 0.5.1 (portable)
See Java Binary Nodezilla Agent 0.5.15 - built in Java
(portable) Perfect Dark 0.883 / 0.940 / 1.06 / 1.07 (all portable)
See Java Binary Phex 3.4.2 (Build 116) - built in Java
792699a1373f1386 Piolet 3.1.1
ca1eb46544793057 RetroShare 0.5.2a (Build 4550)
3cf13d83b0bd3867 RevConnect 0.674p (based on DC++)
(portable) PtokaX DC Hub 0.4.1.2 (portable)
(portable) RSX++ 1.21 (portable)
5e01ecaf82f7d8e Scour Exchange 0.0.0.228
(portable) StrongDC++ 2.42 (portable)
(portable) TkDC++ 1.3 (portable)
5d7b4175afdcc260 Shareaza 2.0.0.0
b48ce76eda60b97 Shareaza 8.0.0.112300
23f08dab0f6aaf30 SoMud 1.3.3
135df2a440abe9bb SoulSeek 156c
ecd21b58c2f65a2f StealthNet 0.8.7.9
5ea2a50c7979fbdc TrustyFiles 3.1.0.22
(portable) uTorrent 1.1.1-dev (Build 110) / 1.3.0 / 1.5.0 (all portable)
cd8cafb0fb6afdab uTorrent 1.7.7 (Build 8179) / 1.8.5 / 2.0 / 2.21 (Build 25113) / 3.0 (Build 25583)
a75b276f6e72cf2a WinMX 3.53
490c000889535727 WinMX 4.9.3.0
(portable) Winny 2.0b7.1 - all languages (portable)
(portable) xHub 0.2.6.7 (portable)
(portable) YnHub 1.036.152 (portable)
ac3a63b839ac9d3a Vuze 4.6.0.4

FTP

AppID            Application (versions tested)
d28ee773b2cea9b2 3D-FTP 9.0 build 7
cd2acd4089508507 AbsoluteTelnet 9.18 Lite
e6ef42224b845020 ALFTP 5.20.0.4
9e0b3f677a26bbc4 BitKinex 3.2.3
4cdf7858c6673f4b Bullet Proof FTP 1.26
714b179e552596df Bullet Proof FTP 2.4.0 (Build 31)
20ef367747c22564 Bullet Proof FTP 2010.75.0.75
44a50e6c87bc012 Classic FTP Plus 2.15
4fceec8e021ac978 CoffeeCup Free FTP 3.5.0.0
8deb27dfa31c5c2a CoffeeCup Free FTP 4.4 (Build 1904)
49b5edbd92d8cd58 FTP Commander 8.02
6a316aa67a46820b Core FTP LE 1.3c (Build 1437) / 2.2 (Build 1689)
be4875bb3e0c158f CrossFTP 1.75a
c04f69101c131440 CuteFTP 5.0 (Build 50.6.10.2)
a79a7ce3c45d781 CuteFTP 7.1 (Build 06.06.2005.1)
59e86071b87ac1c3 CuteFTP 8.3 (Build 8.3.4.0007)
d8081f151f4bd8a5 CuteFTP 8.3 Lite (Build 8.3.4.0007)
3198e37206f28dc7 CuteFTP 8.3 Professional (Build 8.3.4.0007)
f82607a219af2999 Cyberduck 4.1.2 (Build 8999)
fa7144034d7d083d Directory Opus 10.0.2.0.4269 (JL tasks supported)
f91fd0c57c4fe449 ExpanDrive 2.1.0
8f852307189803b8 Far Manager 2.0.1807
226400522157fe8b FileZilla Server 0.9.39 beta
a1d19afe5a80f80 FileZilla 2.2.32
e107946bb682ce47 FileZilla 3.5.1
b7cb1d1c1991accf FlashFXP 4.0.0 (Build 1548)
8628e76fd9020e81 Fling File Transfer Plus 2.24
27da120d7e75cf1f pbFTPClient 6.1
f64de962764b9b0f FTPRush 1.1.3 / 2.15
10f5a20c21466e85 FTP Voyager 15.2.0.17
7937df3c65790919 FTP Explorer 10.5.19 (Build 001)
9560577fd87cf573 LeechFTP 1.3 (Build 207)
fc999f29bc5c3560 Robo-FTP 3.7.9
c99ddde925d26df3 Robo-FTP 3.7.9 CronMaker
4b632cf2ceceac35 Robo-FTP Server 3.2.5
3a5148bf2288a434 Secure FTP 2.6.1 (Build 20101209.1254)
435a2f986b404eb7 SmartFTP 4.0.1214.0
explorer integrated Swish
e42a8e0f4d9b8dcf Sysax FTP Automation 5.15
b8c13a5dd8c455a2 Titan FTP Server 8.40 (Build 1338)
7904145af324576e Total Commander 7.56a (Build 16.12.2010)
79370f660ab51725 UploadFTP 2.0.1.0
6a8b377d0f5cb666 WinSCP 2.3.0 (Build 146)
9a3bdae86d5576ee WinSCP 3.2.1 (Build 174) / 3.8.0 (Build 312)
6bb54d82fa42128d WinSCP 4.3.4 (Build 1428)
b6267f3fcb700b60 WiseFTP 4.1.0
a581b8002a6eb671 WiseFTP 5.5.9
2544ff74641b639d WiseFTP 6.1.5
c54b96f328bdc28d WiseFTP 7.3.0
Web-based WS_FTP

IM/Communications

AppID            Application (versions tested)
b3965c840bf28ef4 AIM 4.8.2616
1b29f0dc90366bb AIM 5.9.3857
27ececd8d89b6767 AIM 6.2.14.2 / 6.5.3.12 / 6.9.17.2
6f647f9488d7a AIM 7.5.11.9 (custom AppID + JL support)
ca942805559495e9 aMSN 0.98.4
c6f7b5bf1b9675e4 BitWise IM 1.7.3a
fb1f39d1f230480a Bopup Messenger 5.6.2.9178 (all languages: en;du;fr;ger;rus;es)
dc64de6c91c18300 Brosix Communicator 3.1.3 (Build 110719 nid 1)
f09b920bfb781142 Camfrog 4.0.47 / 5.5.0 / 6.1 (build 146) (JL support)
ebd8c95d87f25154 Carrier 2.5.5
(portable) Coccinella Messenger 0.96.20 (portable)
30d23723bdd5d908 Digsby (Build 30140) (JL support)
728008617bc3e34b eM Client 3.0.10206.0
689319b6547cda85 emesene 2.11.7
454ef7dca3bb16b2 Exodus 0.10.0.0
cca6383a507bac64 Gadu-Gadu 10.5.2.13164
4278d3dc044fc88a Gaim 1.5.0
777483d3cdac1727 Gajim 0.14.4
6aa18a60024620ae GCN 2.9.1
3f2cd46691bbee90 GOIM 1.1.0
73c6a317412687c2 Google Talk 1.0.0.104
b0236d03c0627ac4 ICQ 5.1 / ICQLite Build 1068
a5db18f617e28a51 ICQ 6.5 (Build 2024)
2417caa1f2a881d4 ICQ 7.6 (Build 5617)
recognized VM inSpeak 7.2.0.540
989d7545c2b2e7b2 IMVU 465.8.0.0
a3e0d98f5653b539 Instantbird 1.0 (20110623121653) (JL support)
bcc705f705d8132b Instan-t 5.2 (Build 2824)
6059df4b02360af Kadu 0.10.0 / 0.6.5.5
c312e260e424ae76 Mail.Ru Agent 5.8 (JL support)
22cefa022402327d Meca Messenger 5.3.0.52
(portable) Mercury Messenger (portable)
86b804f7a28a3c17 Miranda IM 0.6.8 / 0.7.6 / 0.8.27 / 0.9.9 / 0.9.29 (ANSI + Unicode)
b868d9201b866d96 Microsoft Lync 4.0.7577.0
8c816c711d66a6b5 MSN Messenger 6.2.0137 / 7.0.0820
(portable) MSNPSharp (portable)
2d1658d5dc3cbe2d MySpaceIM 1.0.823.0 Beta
bf9ae1f46bd9c491 Nimbuzz 2.0.0 (rev 6266)
fb7ca8059b8f2123 ooVoo 3.0.7.21
efb08d4e11e21ece Paltalk Messenger 10.0 (Build 409)
4f24a7b84a7de5a6 Palringo 2.6.3 (r45983)
e93dbdcede8623f2 Pandion 2.6.106
aedd2de3901a77f4 Pidgin 2.0.0 / 2.10.0 / 2.7.3
c5236fd5824c9545 PLAYXPERT 1.0.140.2822
dee18f19c7e3a2ec PopNote 5.21
1a60b1067913516a Psi 0.14
e0532b20aa26a0c9 QQ International 1.1 (2042)
3c0022d9de573095 QuteCom 2.2
93b18adf1d948fa3 qutIM 0.2
e0246018261a9ccc qutIM 0.2.80.0
2aa756186e21b320 RealTimeQuery 3.2
521a29e5d22c13b4 Skype 1.4.0.84 / 2.5.0.154 / 3.8.0.139 / 4.2.0.187 / Skype 5.3.0.120 / 5.5.0.115 / 5.5.32.117
70b52cf73249257 Sococo 1.5.0.2274
d41746b133d17456 Tkabber 0.11.1
c8aa3eaee3d4343d Trillian 0.74 / 3.1 / 4.2.0.25 / 5.0.0.35 (JL support)
d7d647c92cd5d1e6 uTalk 2.6.4 r47692
36c36598b08891bf Vovox 2.5.3.4250
884fd37e05659f3a VZOchat 6.3.5
3461e4d1eb393c9c WTW 0.8.18.2852 / 0.8.19.2940
f2cb1c38ab948f58 X-Chat 1.8.10 / 2.6.9 / 2.8.9
4e0ac37db19cba15 Xfire 1.138 (Build 44507)
da7e8de5b8273a0f Yahoo Messenger 5.0.0.1226 / 6.0.0.1922
62dba7fb39bb0adc Yahoo Messenger 7.5.0.647 / 8.1.0.421 / 9.0.0.2162 / 10.0.0.1270
fb230a9fe81e71a8 Yahoo Messenger 11.0.0.2014-us
b06a975b62567622 Windows Live Messenger 8.5.1235.0517 BETA
bd249197a6faeff2 Windows Live Messenger 2011

IRC

AppID            Application (versions tested)
b223c3ffbc0a7a42 Bersirc 2.2.14
c01d68e40226892b ClicksAndWhistles 2.7.146
ac8920ed05001800 DMDirc 0.6.5 (Profile store: C:\Users\$user\AppData\Roaming\DMDirc\)
d3530c5294441522 HydraIRC 0.3.165
8904a5fd2d98b546 IceChat 7.70 20101031
6b3a5ce7ad4af9e4 IceChat 9 RC2
fa496fe13dd62edf KVIrc 3.4.2.1 / 4.0.4
65f7dd884b016ab2 LimeChat 2.39
19ccee0274976da8 mIRC 4.72 / 5.61
ae069d21df1c57df mIRC 6.35 / 7.19
e30bbea3e1642660 Neebly 1.0.4
54c803dfc87b52ba Nettalk 6.7.12
dd658a07478b46c2 PIRCH98 1.0.1.1190
(portable) Quassel IRC 0.7.1 (portable)
6fee01bd55a634fe Smuxi 0.8.0.0
2a5a615382a84729 X-Chat 2 2.8.6-2

Usenet Newsreaders

ace8715529916d31 40tude Dialog 2.0.15.1 (Beta 38)
cc76755e0f925ce6 AllPicturez 1.2
36f6bc3efe1d99e0 Alt.Binz 0.25.0 (Build 27.09.2007)
d53b52fb65bde78c Android Newsgroup Downloader 6.2
c845f3a6022d647c Another File 2.03 (Build 2/7/2004)
780732558f827a42 AutoPix 5.3.3
baea31eacd87186b BinaryBoy 1.97 (Build 55)
eab25958dbddbaa4 Binary News Reaper 2 (Beta 0.14.7.448)
bf483b423ebbd327 Binary Vortex 5.0
36801066f71b73c5 Binbot 2.0
13eb0e5d9a49eaef Binjet 3.0.2
8172865a9d5185cb Binreader 1.0 (Beta 1)
6224453d9701a612 BinTube 3.7.1.0 (requires VLC 10.5!)
cf6379a9a987366e Digibin 1.31
43886ba3395acdcc Easy Post 3.0
cfab0ec14b6f953 Express NewsPictures 2.41 (Build 08.05.07.0)
7526de4a8b5914d9 Forte Agent 6.00 (Build 32.1186)
c02baf50d02056fc FotoVac 1.0
3ed70ef3495535f7 Gravity 3.0.4
86781fe8437db23e Messenger Pro 2.66.6.3353
f920768fe275f7f4 Grabit 1.5.3 Beta (Build 909) / 1.6.2 (Build 940) / 1.7.2 Beta 4 (Build 997)
9f03ae476ad461fa GroupsAloud 1.0
d0261ed6e16b200b News File Grabber 4.6.0.4
8211531a7918b389 Newsbin Pro 6.00 (Build 1019) (JL support)
d1fc019238236806 Newsgroup Commander Pro 9.05
186b5ccada1d986b NewsGrabber 3.0.36
4d72cfa1d0a67418 Newsgroup Image Collector
92f1d5db021cd876 NewsLeecher 4.0 / 5.0 Beta 6
d7666c416cba240c NewsMan Pro 3.0.5.2
7b2b4f995b54387d News Reactor 20100224.16
cb984e3bc7faf234 NewsRover 17.0 (Rev.0)
c98ab5ccf25dda79 NewsShark 2.0
dba909a61476ccec NewsWolf 1.41
2b164f512891ae37 NewsWolf NSListGen
cb1d97aca3fb7e6b Newz Crawler 1.9.0 (Build 4100)
3be7b307dfccb58f NiouzeFire 0.8.7.0
de76415e0060ce13 Noworyta News Reader 2.9
cd40ead0b1eb15ab NNTPGrab 0.6.2
d5c02fc7afbb3fd4 NNTPGrab 0.6.2 Server
a4def57ee99d77e9 Nomad News 1.43
3f97341a65bac63a Ozum 6.07 (Build 6070)
bfe841f4d35c92b1 QuadSucker/News 5.0
web-based sabnzbd 0.6.8
d3c5cf21e86b28af SeaMonkey 2.3.3
7a7c60efd66817a2 Spotnet 1.7.4
eb3300e672136bc7 Stream Reactor 1.0 Beta 9 (uses VLC!)
3168cc975b354a01 Sylpheed 3.1.2 (Build 1120)
776beb1fcfc6dfa5 Thunderbird 1.0.6 (20050716) / 3.0.2
3d877ec11607fe4 Thunderbird 6.0.2
7192f2de78fd9e96 TIFNY 5.0.3
9dacebaa9ac8ca4e TLNews Newsreader 2.2.0 (Build 2430)
7fd04185af357bd5 UltraLeecher 1.7.0.2969 / 1.8 Beta (Build 3490)
aa11f575087b3bdc Unzbin 2.6.8
pay only Usenet Explorer 3.3 (pay)
d7db75db9cdd7c5d Xnews 5.04.25

System Cleaners

ed7a5cc3cca8d52a CCleaner 1.32.345 / 1.41.544 / 2.36.1233 / 3.10.1525
eb7e629258d326a1 WindowWasher 6.6.1.18

Caveats/Discoveries

Portable Applications
Throughout my testing, there were quite a few cases in which an AppID couldn't be identified on account of the application in question being "portable." Of course, what I mean by this is that the application was not bundled through an installer; instead, all of the configuration files/libraries were contained within a compressed archive upon download. It should be made clear that this is by no means a reason to disregard these applications. Just because an application is portable doesn't rule out the potential of finding and tracing its Jump List files. The fact that you know the application is portable is a step in the right direction. And as I mentioned in Part 1, there are solutions for the portable application "problem."

On that note, if you discover an AppID that is not found within these lists or the ForensicsWiki list, be sure to parse the autoDest files instead of tossing it aside and deeming it insignificant. I say this because, as lengthy as these lists are getting, they are still far from complete. There's a lot of information out there on parsing and analyzing the Jump List files themselves, so finding out which application an evidence AppID belongs to -- without an AppID reference list -- is most certainly possible.

Multiple Version Testing
I noted this before, but there were many instances in which multiple versions of the same application were tested and documented. The reason for this is that some applications -- especially long-running and prevalent ones -- go through huge changes over their development cycles. A version jump can make a big difference in how the application runs or is built, and with that, a version jump might also alter the AppID. If you look through the list, the evidence for this is there: for some applications, different versions yield different AppIDs. This isn't always the case, but it does happen. I made sure to test as many versions of each application as I could to see whether or not version changes affected the AppID. The results varied; some changed with every version jump (e.g. WiseFTP) while others stayed consistent throughout every release (e.g. BitSpirit).

AppID Length
Speaking of AppID analysis, I noticed that not all AppIDs share the same character length. For example, Skype yielded a 16-character AppID (521a29e5d22c13b4) while Paint 6.1 SP1 and Shareaza 8 yielded 15-character AppIDs (b3f13480c2785ae and b48ce76eda60b97, respectively). There were even a few that were 13 characters in length, believe it or not (AIM 7.5.11.9 - 6f647f9488d7a and fulDC 6.78 - 98b0ef1c84088). The reason I'm mentioning this is that I remembered reading somewhere that the AppID was always 16 characters in length. It turns out that this was written in Alex Barnett's "Forensic Value of Windows 7 Jump Lists." It states:
Jump List file names, while appearing to be a random string of characters, always follow the format 16 characters dot automaticDestinations-ms or customDestinations-ms...
This is inaccurate, as shown by the many AppIDs shorter than 16 characters in the above lists. While the majority of AppIDs are 16 characters in length, not all of them are. Don't get me wrong, though -- Alex's writeup is phenomenal and well worth a focused read. It was one of the pioneer articles about Jump List forensics and details how one can discover whether or not illegal images were uploaded or downloaded based on Jump List artifacts. Be sure to check it out; the above quote is the only thing that even came close to bothering me about the writeup.

Hover Menu + Fun Discoveries
Another thing I noticed throughout my testing was that IM clients and media players commonly pop up a little "available status" or music playback bar upon hovering over the taskbar icon. As far as I could tell, there was no Jump List file activity upon performing this action, but it's worth noting, since almost every application that had this feature also had full Jump List support (showed MRUs/MFUs/Tasks).

Here's yet another fun little piece of testing treasure I found: one application was actually aware that it was running inside of a virtual machine and refused to install as a result. Stubborn! Though, it makes you wonder how sophisticated some malware might be if IM clients can detect living inside of a VM...

Yet ANOTHER odd bit that came from the testing session was the fact that Bearshare, iMesh, Shareaza, and Lphant are all pretty much exactly the same application save the color scheme and name label swap. I made an animated gif to illustrate.

Reverse Engineering IM Protocols
Finally, the last discovery made was that of IMfreedom.org. I actually stumbled upon it by accident in my quest to find more IM clients. A wiki for reverse engineering IM protocols is hosted there; it is tremendously detailed. Neat stuff.

Conclusion

There was some interesting discussion about what should be the main goal for future Jump List forensics. Jamie L suggested that the algorithm behind the Windows AppID calculation should be defined -- something with which I completely agree. Being able to calculate an AppID on the fly based on known conditions would make things a whole lot easier and much more efficient. It's just a matter of getting to that point and being able to make use of the process by which it's done.

It's been great to see so much activity regarding Jump List forensics recently. But as with many other pieces of forensic goodness, it could use some more research. Whether it's analyzing the AppID calculation algorithm or adding to the growing AppID reference list, any development is much appreciated. There will always be new software releases, so that list is bound to grow. The key point to take away from this, however, is that with more software comes more avenues for forensic analysis -- not only in terms of Jump Lists, but in general. There will never be a shortage of applications to analyze. I think Kazaa said it best, and I'm sure digital forensics analysts worldwide are excited to acknowledge this fact. I know I am.


-Dan (@4n6k)

References
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs
8. IMfreedom.org -- Reverse Engineered IM protocol wiki

Wednesday, September 7, 2011

Jump List Forensics: AppIDs Part 1

Well, I felt it was about time to get a blog up and running. Everything I've learned on the subject of digital forensics has been a direct result of reading forensics books, blogs, and list-serv responses written by people like Ken Pryor, Harlan Carvey, Eoghan Casey, Lee Whitfield, Brad Garnett, David Kovar, Andrew Case, Rob Lee, Dave Hull, Dan O'Day, Shafik Punja, Frank McClain, Cory Altheide, Joe Garcia, Hal Pomeranz, *deep breath* Troy Larson, Andrew Hoog, Eric Huber, Luby Novitovic, Michael Hale Ligh, Alex Bond, Jimmy Weg, Corey Harrell, Dan Farmer, Larry E. Daniel, Jamie Levy, Tom Yarrish, Andreas Schuster, Loc Nguyen, and many more (I know I've forgotten some; I apologize in advance). So I just wanted to start off with a quick 'thank you,' as you've all driven me to this point. Your work is very much appreciated.

----------------------------------

Before I get into the bulk of this post, I'd like to divert your attention to Harlan Carvey's research on Jump List Analysis [part 1] [part 2]. Much of what I'll be covering here is detailed within these posts, so make sure you take a look at them. I just don't want to repeat what's already been said; Harlan does a great job of explaining the concepts. You can also check out the list of references at the bottom of this post to get your Jump List and AppID info fix.

Jump List Summary

Just to preface the AppID findings, I'll shed some light on what a Jump List actually is. Remember, check out Harlan's posts and the references section for more detail.

Windows Media Player's Jump List. Right-clicking the icon displays this.

The Jump List is essentially a new feature of the Windows 7 taskbar that allows quick access to recently viewed/opened/played or most frequently viewed/opened/played files. It also allows quick access to common tasks within each application. Each application has a little square of its own in the taskbar. When the application performs certain actions (opening a file, right-clicking the application taskbar square, etc.), two types of files are created:

*.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
*.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations).

Note: these directories are hidden. You have to type in the full path in the address bar to see their contents.

The '*' in the above examples is where the Application ID (AppID) is represented. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application's AppID can help identify any given application when user activity is of great importance in an investigation.

Forensic Value (or Why It's Important)

Alright, so we have the Jump List file and its contents. Now what? Why is this important? Well, you can use them to find the following:
  • Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) files opened by the user/application
  • Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) tasks used by the user/application and subsequently how the application was used
  • Lists of most recently or frequently accessed website URLs (browser Jump Lists)
  • If an application was installed or used/run (AutoDest Jump List files stay intact after application uninstall - tested with VLC 1.1.11)
  • If a user distributed (uploaded) or only acquired (downloaded) illegal images [3]
Forensic research on Jump Lists was largely undeveloped until recently. Luckily, we've started to see some activity and tools created to parse Jump Lists, as they are among the most valuable resources for analyzing user activity.
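As an added example (not code from this post or from any tool it references), here is a small Python triage script that applies the file-name layout described above to a listing of the Recent\automaticDestinations directory: it splits each Jump List file name into its AppID and type, looks the AppID up in a table copied from this post's reference lists, and keeps unknown AppIDs in a separate bucket so they get parsed rather than tossed aside. The directory listing at the bottom is constructed; the AppID e23869c0afb61102 in it is the one this post reports for Opera installed in a non-default directory, which the table deliberately does not carry.

```python
"""Triage a Jump List directory listing by AppID (added example, not the post's own tooling).

Splits each file name into AppID and Jump List type, looks the AppID up in a small table
copied from this post's reference lists, and reports unknown AppIDs separately."""
import os
import re
from typing import NamedTuple, Optional

# A sample of AppIDs taken from the reference lists in this post (Part 1 and Part 2).
KNOWN_APPIDS = {
    "5d696d521de238c3": "Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215",
    "5c450709f7ae4396": "Firefox 1.0 / 2.0 / 3.0",
    "28c8b86deab549a1": "Internet Explorer 8 / 9",
    "16ec093b8f51508f": "Opera 8.54 / 9.64 / 11.50 (default install directory)",
    "9fda41b86ddcf1db": "VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11",
    "b3f13480c2785ae": "Paint 6.1 (build 7601: SP1)",
    "521a29e5d22c13b4": "Skype 1.4.0.84 through 5.5.32.117",
    "ed7a5cc3cca8d52a": "CCleaner 1.32.345 / 1.41.544 / 2.36.1233 / 3.10.1525",
}

# File-name layout from the post: <AppID>.automaticDestinations-ms or <AppID>.customDestinations-ms.
# AppIDs are at most 16 hex characters, but shorter ones occur (Paint: 15, AIM: 13).
JUMPLIST_NAME = re.compile(
    r"^(?P<appid>[0-9a-f]{1,16})\.(?P<kind>automatic|custom)Destinations-ms$", re.IGNORECASE)


class JumpListFile(NamedTuple):
    filename: str
    appid: str
    kind: str                   # "automatic" or "custom"
    application: Optional[str]  # None when the AppID is not in KNOWN_APPIDS


def parse_jumplist_name(filename: str) -> Optional[JumpListFile]:
    """Return the parsed name, or None for files that are not Jump Lists (e.g. desktop.ini)."""
    m = JUMPLIST_NAME.match(filename)
    if m is None:
        return None
    appid = m.group("appid").lower()
    return JumpListFile(filename, appid, m.group("kind").lower(), KNOWN_APPIDS.get(appid))


def triage(filenames):
    """Bucket a directory listing into identified, unknown-AppID and non-Jump-List files."""
    identified, unknown, other = [], [], []
    for name in filenames:
        jl = parse_jumplist_name(name)
        if jl is None:
            other.append(name)
        elif jl.application is not None:
            identified.append(jl)
        else:
            unknown.append(jl)
    return identified, unknown, other


def triage_directory(recent_dir: str):
    """Run triage on a real automaticDestinations or customDestinations directory."""
    return triage(os.listdir(recent_dir))


# Constructed listing for an offline run. e23869c0afb61102 is the AppID the post reports for
# Opera installed in C:\Program Files\Opera2; it is intentionally absent from KNOWN_APPIDS.
SAMPLE_LISTING = [
    "5d696d521de238c3.automaticDestinations-ms",
    "b3f13480c2785ae.automaticDestinations-ms",
    "28c8b86deab549a1.customDestinations-ms",
    "e23869c0afb61102.automaticDestinations-ms",
    "desktop.ini",
]

if __name__ == "__main__":
    identified, unknown, other = triage(SAMPLE_LISTING)
    for jl in identified:
        print(f"{jl.appid:>16}  {jl.kind:<9}  {jl.application}")
    for jl in unknown:
        print(f"{jl.appid:>16}  {jl.kind:<9}  UNKNOWN - parse the file itself to identify the application")
    print("ignored:", other)
```

The unknown bucket is the important one: an AppID missing from the table says nothing about the application's significance, only that nobody has catalogued it yet, so those files are the ones to open up rather than skip.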


Jump List AppIDs

All applications are 32-bit. Tested on Windows 7 Professional SP1.

Note: Several versions of the same application were tested in many cases; just because it's the same application doesn't mean it will have the same AppID.


Internet Browsers
5d696d521de238c3 Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215
cfb56c56fa0f0a54 Mozilla 0.9.9
5c450709f7ae4396 Firefox 1.0 / 2.0 / 3.0
5df4765359170e26 Firefox 4.0.1
1eb796d87c32eff9 Firefox 5.0
1461132e553e2e6c Firefox 6.0
28c8b86deab549a1 Internet Explorer 8 / 9
16ec093b8f51508f Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074
8a1c1c7c389a5320 Safari 3.2.3 (525.29)
1da3c90a72bf5527 Safari 4.0.5 (531.22.7) / 5.1 (7534.50)

Utilities

3dc02b55e44d6697 7-Zip 3.13 / 4.20
4975d6798a8bdf66 7-Zip 4.65 / 9.20
4b6925efc53a3c08 BCWipe 5.02.2 Task Manager 3.02.3
337ed59af273c758 Sticky Notes
290532160612e071 WinRAR 2.90 / 3.60 / 4.01
c9950c443027c765 WinZip 9.0 SR-1 (6224) / 10.0 (6667)
b74736c2bd8cc8a5 WinZip 15.5 (9468)
bc0c37e84e063727 Windows Command Processor - cmd.exe (32-bit)

Image/Document Viewers

f0468ce1ae57883d Adobe Reader 7.1.0
c2d349a0e756411b Adobe Reader 8.1.2
23646679aaccfae0 Adobe Acrobat 9.4.0
ee462c3b81abb6f6 Adobe Reader X 10.1.0
386a2f6aa7967f36 EyeBrowse 2.7
e31a6a8a7506f733 Image AXS Pro 4.1
b39c5f226977725d ACDSee Pro 8.1.99
59f56184c796cfd4 ACDSee Photo Manager 10 (Build 219)
8bd5c6433ca967e9 ACDSee Photo Manager 2009 (v11.0 Build 113)
d838aac097abece7 ACDSee Photo Manager 12 (Build 344)
b3f13480c2785ae Paint 6.1 (build 7601: SP1)
7cb0735d45243070 CDisplay 1.8.1.0
3594aab44bca414b Windows Photo Viewer
3edf100b207e2199 digiKam 1.7.0 (KDE 4.4.4)
169b3be0bc43d592 FastPictureViewer Professional 1.6 (Build 211)
e9a39dfba105ea23 FastStone Image Viewer 4.6
edc786643819316c HoneyView3 #5834
76689ff502a1fd9e Imagine Image and Animation Viewer 1.0.7
2519133d6d830f7e IMatch 3.6.0.113
1110d9896dceddb3 imgSeek 0.8.5
c634153e7f5fce9c IrfanView 3.10 / 4.30
ea83017cdd24374d IrfanView Thumbnails
3917dd550d7df9a8 Konvertor 4.06 (Build 10)
2fa14c7753239e4c Paint.NET 2.72 / 3.5.8.4081.24580
d33ecf70f0b74a77 Picasa 2.2.0 (Build 28.08, 0)
b17d3d0c9ca7e29 Picasa 3.8.0 (Build 117.43, 0)
Embedded in IE Prizm Viewer
Depends on location Scientific and Technical Document Viewer 1.6.2 Portable (STDU)
c5c24a503b1727df XnView 1.98.2 Small / 1.98.2 Standard
497b42680f564128 Zoner PhotoStudio 13 (Build 7)

Media Players

d22ad6d9d20e6857 ALLPlayer 4.7
7494a606a9eef18e Crystal Player 1.98
1cffbe973a437c74 DSPlayer 0.889 Lite
817bb211c92fd254 GOM Player 2.0.12.3375 / 2.1.28.5039
6bc3383cb68a3e37 iTunes 7.6.0.29 / 8.0.0.35
83b03b46dcd30a0e iTunes 9.0.0.70 / 9.2.1.5 / 10.4.1.10 (begin custom 'Tasks' JL capability)
fe5e840511621941 JetAudio 5.1.9.3018 Basic / 6.2.5.8220 Basic / 7.0.0 Basic / 8.0.16.2000 Basic
a777ad264b54abab JetVideo 8.0.2.200 Basic
3c93a049a30e25e6 J. River Media Center 16.0.149
4a49906d074a3ad3 Media Go 1.8 (Build 121)
1cf97c38a5881255 MediaPortal 1.1.3
Depends on location Media Player Classic 6.4.8.9 (is portable)
Depends on location Media Player Classic - Home Cinema 1.5.2.3456 (default install is \Users\user\ dir, so dynamic)
62bff50b969c2575 Quintessential Media Player 5.0 (Build 121) - also usage stats (times used, tracks played, total time used)
b50ee40805bd280f QuickTime Alternative 1.9.5 (Media Player Classic 6.4.9.1)
ae3f2acd395b622e QuickTime Player 6.5.1 / 7.0.3 / 7.5.5 (Build 249.13)
7593af37134fd767 RealPlayer 6.0.6.99 / 7 / 8 / 10.5
37392221756de927 RealPlayer SP 12
f92e607f9de02413 RealPlayer 14.0.6.666
6e9d40a4c63bb562 Real Player Alternative 1.25 (Media Player Classic 6.4.8.2 / 6.4.9.0)
c91d08dcfc39a506 SM Player 0.6.9 r3447
e40cb5a291ad1a5b Songbird 1.9.3 (Build 1959)
4d8bdacf5265a04f The KMPlayer 2.9.4.1434
4acae695c73a28c7 VLC 0.3.0 / 0.4.6
9fda41b86ddcf1db VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11
e6ee34ac9913c0a9 VLC 0.6.2
cbeb786f0132005d VLC 0.7.2
f674c3a77cfe39d0 Winamp 2.95 / 5.1 / 5.621
90e5e8b21d7e7924 Winamp 3.0d (Build 488)
74d7f43c1561fc1e Windows Media Player 12.0.7601.17514


Caveats

There are a few things to consider when analyzing Jump Lists.

Throughout my testing, I noticed that installing an application to a non-default location results in an AppID change. That is, if the application's developers did not provide a custom, static AppID and the installation directory is different from its default location, the AppID will be different from what is listed above. This clearly indicates that the AppID is calculated using the path from which the application is run (amongst other conditions). For example, when I installed the Opera browser into C:\Program Files\Opera, its AppID was calculated as 16ec093b8f51508f. When I installed it in C:\Program Files\Opera2, its AppID was calculated as e23869c0afb61102. We already knew that the path from which the program is run was a factor in how the AppID was calculated, but it's an important aspect to reiterate. This means that portable applications will rarely have a definitive AppID unless they are being run from the same drive letter and path as they were when initially executed. While this is unfortunate, there are solutions. For example, we can take a look at .lnk artifacts created upon the file's opening to find the drive letter and path to the file/application in question. Another place to look would be the prefetch files, in order to find more information on the portable application (beyond the scope of this post).

The great thing about having a quasi-though-not-nearly-comprehensive list of AppIDs is that you could potentially find exactly which version of an application was running. For example, say we have a portable image viewer (STDU, for instance). If we run it from a USB flash drive, it will generate an AppID based on the file's path (among other things). We can take a look around the system to find other artifacts and place them all in a timeline. We analyze the timeline to find when the flash drive was inserted and used, analyze the timeline items around that time, determine the name and path of the application, download different versions of that application, run each version from the location we just discovered, and compare the AppID to the initial evidence AppID. I have tested this and confirmed that this is indeed possible. While this is a very roundabout way of finding out the application version, it's still a viable option -- not ideal, but viable.
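The two points above (the AppID follows the path the executable runs from, and an evidence AppID can be matched by re-running candidates from candidate paths), together with the AppID length observation in Part 2, can be reasoned about with the following script. It is an added example, not code from this post, and it rests on an assumption: the hash it uses (CRC-64 with polynomial 0x92C64265D32139A4, initial value 0xFFFFFFFFFFFFFFFF, no reflection and no final XOR, fed the upper-cased UTF-16LE executable path) is the algorithm later public research attributed to Windows 7 AppID generation; this post does not state it, and the script's output has not been checked against the tables above, so treat it as a model for reasoning rather than a verified oracle. All paths in it are constructed.

```python
"""AppID sensitivity to the executable path, and why some Jump List names are short.

Added example, not the post's own tooling. The CRC-64 parameters below are an ASSUMPTION
taken from later public research on Windows 7 AppIDs; the post does not state them and the
output has not been checked against the post's tables."""
from string import ascii_uppercase

CRC64_POLY = 0x92C64265D32139A4   # assumed generator polynomial (see docstring)
CRC64_INIT = 0xFFFFFFFFFFFFFFFF   # assumed initial register value
MASK64 = (1 << 64) - 1


def _make_table():
    """Byte-indexed lookup table for a non-reflected (MSB-first) CRC-64."""
    table = []
    for byte in range(256):
        reg = byte << 56
        for _ in range(8):
            if reg & (1 << 63):
                reg = ((reg << 1) ^ CRC64_POLY) & MASK64
            else:
                reg = (reg << 1) & MASK64
        table.append(reg)
    return table


_TABLE = _make_table()


def crc64(data: bytes) -> int:
    """CRC-64 of data; an empty input leaves the register at CRC64_INIT."""
    reg = CRC64_INIT
    for b in data:
        reg = (_TABLE[((reg >> 56) ^ b) & 0xFF] ^ (reg << 8)) & MASK64
    return reg


def format_appid(value: int) -> str:
    """Render a 64-bit value the way the Jump List file name shows it: lowercase hex
    with leading zeros dropped. A value whose top nibble is zero therefore yields a
    15-character name, one whose top three nibbles are zero yields 13, and so on."""
    return format(value, "x")


def appid_for_path(exe_path: str) -> str:
    """Candidate AppID for an executable run from exe_path (assumed algorithm).
    Case is normalised away, so only drive letter and directory layout matter."""
    return format_appid(crc64(exe_path.upper().encode("utf-16-le")))


def match_candidates(evidence_appid: str, candidate_paths):
    """The roundabout method from the caveat: hash every candidate path and return
    the ones that reproduce the AppID recovered from the evidence."""
    evidence_appid = evidence_appid.lower().lstrip("0")
    return [p for p in candidate_paths if appid_for_path(p) == evidence_appid]


def drive_letter_candidates(relative_path: str, letters=ascii_uppercase[3:]):
    """The same relative path under each removable-drive letter D: through Z: (constructed)."""
    return [f"{letter}:\\{relative_path}" for letter in letters]


if __name__ == "__main__":
    # Constructed paths mirroring the Opera/Opera2 experiment in the caveat above.
    for path in (r"C:\Program Files\Opera\opera.exe", r"C:\Program Files\Opera2\opera.exe"):
        print(f"{appid_for_path(path):>16}  {path}")

    # A portable viewer once run from a flash drive: which drive letter reproduces the AppID?
    evidence = appid_for_path(r"F:\Tools\STDU\STDUViewerApp.exe")
    print("matches:", match_candidates(evidence, drive_letter_candidates(r"Tools\STDU\STDUViewerApp.exe")))

    # Why 15- and 13-character names exist: the post's Paint and AIM AppIDs as 64-bit values.
    for value in (0x0B3F13480C2785AE, 0x0006F647F9488D7A):
        print(len(format_appid(value)), format_appid(value))
```

Whatever the exact hash turns out to be, the matching loop is the part that carries over: enumerate the plausible drive letters and directories from the .lnk and prefetch artifacts, hash each candidate, and keep the ones that reproduce the evidence AppID. The format_appid step is the likely reason for the 15- and 13-character names Part 2 reports: a fixed-width 64-bit value printed without zero padding loses one character for every leading zero nibble.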

Further Research

There will most definitely be a followup post to this one. I've focused upon browsers, utilities, image viewers, and media players thus far. I'll be focusing more on file-sharing, communications, and file-transfer clients in the next installment. Of course, some of that software doesn't utilize Jump Lists as much as the software listed in this post (recent files for an IRC client? I don't think so...), but it's still important to know how to identify them and their artifacts, as jump lists are created simply as a result of a right click of the taskbar.

Please leave some feedback on this post if you've got the time. I would love to see some people correct me on some things; I won't bite, I swear! In any case, thanks for reading and keep an eye out for Part 2.

-Dan (@4n6k)

References
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs