Before I get into the bulk of this post, I'd like to divert your attention to Harlan Carvey's research on Jump List Analysis [part 1] [part 2]. Much of what I'll be covering here is detailed within these posts, so make sure you take a look at them. I just don't want to repeat what's already been said; Harlan does a great job of explaining the concepts. You can also check out the list of references at the bottom of this post to get your Jump List and AppID info fix.
Jump List Summary
Just to preface the AppID findings, I'll shed some light on what a Jump List actually is. Remember, check out Harlan's posts and the references section for more detail.
Figure: Windows Media Player's Jump List. Right-clicking the icon displays this.
The Jump List is essentially a new feature of the Windows 7 taskbar that allows quick access to recently viewed/opened/played or most frequently viewed/opened/played files. It also allows quick access to common tasks within each application. Each application has a little square of its own in the taskbar. When the application performs certain actions (opening a file, right-clicking the application taskbar square, etc.), two types of files are created:
- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)
Note: these directories are hidden. You have to type in the full path in the address bar to see their contents.
The '*' in the above examples is where the Application ID (AppID) is represented. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application's AppID can help identify any given application when user activity is of great importance in an investigation.
Forensic Value (or Why It's Important)
Alright, so we have the Jump List file and its contents. Now what? Why is this important? Well, you can use them to find the following:
- Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) files opened by the user/application
- Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) tasks used by the user/application and subsequently how the application was used
- Lists of most recently or frequently accessed website URLs (browser Jump Lists)
- If an application was installed or used/run (AutoDest Jump List files stay intact after application uninstall - tested with VLC 1.1.11)
- If a user distributed (uploaded) or only acquired (downloaded) illegal images [3]
The forensic research on Jump Lists has been greatly undeveloped until recently. Luckily, we've seen some activity and tools created to parse Jump Lists, as they are some of the most valuable resources in analyzing user activity.
Jump List AppIDs
All applications are 32-bit. Tested on Windows 7 Professional SP1.
Note: Several versions of the same application were tested in many cases; just because it's the same application doesn't mean it will have the same AppID.
|AppID|Application|
|---|---|
|5d696d521de238c3|Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215|
|5c450709f7ae4396|Firefox 1.0 / 2.0 / 3.0|
|28c8b86deab549a1|Internet Explorer 8 / 9|
|16ec093b8f51508f|Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074|
|8a1c1c7c389a5320|Safari 3.2.3 (525.29)|
|1da3c90a72bf5527|Safari 4.0.5 (531.22.7) / 5.1 (7534.50)|
|3dc02b55e44d6697|7-Zip 3.13 / 4.20|
|4975d6798a8bdf66|7-Zip 4.65 / 9.20|
|4b6925efc53a3c08|BCWipe 5.02.2 Task Manager 3.02.3|
|290532160612e071|WinRAR 2.90 / 3.60 / 4.01|
|c9950c443027c765|WinZip 9.0 SR-1 (6224) / 10.0 (6667)|
|b74736c2bd8cc8a5|WinZip 15.5 (9468)|
|bc0c37e84e063727|Windows Command Processor - cmd.exe (32-bit)|
|f0468ce1ae57883d|Adobe Reader 7.1.0|
|c2d349a0e756411b|Adobe Reader 8.1.2|
|23646679aaccfae0|Adobe Acrobat 9.4.0|
|ee462c3b81abb6f6|Adobe Reader X 10.1.0|
|e31a6a8a7506f733|Image AXS Pro 4.1|
|b39c5f226977725d|ACDSee Pro 8.1.99|
|59f56184c796cfd4|ACDSee Photo Manager 10 (Build 219)|
|8bd5c6433ca967e9|ACDSee Photo Manager 2009 (v11.0 Build 113)|
|d838aac097abece7|ACDSee Photo Manager 12 (Build 344)|
|b3f13480c2785ae|Paint 6.1 (build 7601: SP1)|
|3594aab44bca414b|Windows Photo Viewer|
|3edf100b207e2199|digiKam 1.7.0 (KDE 4.4.4)|
|169b3be0bc43d592|FastPictureViewer Professional 1.6 (Build 211)|
|e9a39dfba105ea23|FastStone Image Viewer 4.6|
|76689ff502a1fd9e|Imagine Image and Animation Viewer 1.0.7|
|c634153e7f5fce9c|IrfanView 3.10 / 4.30|
|3917dd550d7df9a8|Konvertor 4.06 (Build 10)|
|2fa14c7753239e4c|Paint.NET 2.72 / 184.108.40.20681.24580|
|d33ecf70f0b74a77|Picasa 2.2.0 (Build 28.08, 0)|
|b17d3d0c9ca7e29|Picasa 3.8.0 (Build 117.43, 0)|
|Embedded in IE|Prizm Viewer|
|Depends on location|Scientific and Technical Document Viewer 1.6.2 Portable (STDU)|
|c5c24a503b1727df|XnView 1.98.2 Small / 1.98.2 Standard|
|497b42680f564128|Zoner PhotoStudio 13 (Build 7)|
|7494a606a9eef18e|Crystal Player 1.98|
|1cffbe973a437c74|DSPlayer 0.889 Lite|
|817bb211c92fd254|GOM Player 220.127.116.1175 / 18.104.22.16839|
|6bc3383cb68a3e37|iTunes 22.214.171.124 / 126.96.36.199|
|83b03b46dcd30a0e|iTunes 188.8.131.52 / 184.108.40.206 / 10.4.1.10 (begin custom 'Tasks' JL capability)|
|fe5e840511621941|JetAudio 220.127.116.1118 Basic / 18.104.22.16820 Basic / 7.0.0 Basic / 22.214.171.1240 Basic|
|a777ad264b54abab|JetVideo 126.96.36.199 Basic|
|3c93a049a30e25e6|J. River Media Center 16.0.149|
|4a49906d074a3ad3|Media Go 1.8 (Build 121)|
|Depends on location|Media Player Classic 188.8.131.52 (is portable)|
|Depends on location|Media Player Classic - Home Cinema 184.108.40.20656 (default install is \Users\user\ dir, so dynamic)|
|62bff50b969c2575|Quintessential Media Player 5.0 (Build 121) - also usage stats (times used, tracks played, total time used)|
|b50ee40805bd280f|QuickTime Alternative 1.9.5 (Media Player Classic 220.127.116.11)|
|ae3f2acd395b622e|QuickTime Player 6.5.1 / 7.0.3 / 7.5.5 (Build 249.13)|
|7593af37134fd767|RealPlayer 18.104.22.168 / 7 / 8 / 10.5|
|37392221756de927|RealPlayer SP 12|
|6e9d40a4c63bb562|Real Player Alternative 1.25 (Media Player Classic 22.214.171.124 / 126.96.36.199)|
|c91d08dcfc39a506|SM Player 0.6.9 r3447|
|e40cb5a291ad1a5b|Songbird 1.9.3 (Build 1959)|
|4d8bdacf5265a04f|The KMPlayer 188.8.131.524|
|4acae695c73a28c7|VLC 0.3.0 / 0.4.6|
|9fda41b86ddcf1db|VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11|
|f674c3a77cfe39d0|Winamp 2.95 / 5.1 / 5.621|
|90e5e8b21d7e7924|Winamp 3.0d (Build 488)|
|74d7f43c1561fc1e|Windows Media Player 12.0.7601.17514|
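As an added example (not part of the original post), the following Python triages a directory listing of the two Recent\*Destinations folders: it pulls the AppID out of each *.automaticDestinations-ms / *.customDestinations-ms file name, looks it up against a small subset of the table above, and keeps unknown AppIDs visible rather than dropping them, since a non-default install path or a portable application produces an AppID that will not be in any table. The listing is constructed for the example; the KNOWN_APPIDS dictionary and function names are my own.

```python
import re

# Subset of the AppID table above, keyed by AppID (lower-case hex).
KNOWN_APPIDS = {
    "5d696d521de238c3": "Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215",
    "16ec093b8f51508f": "Opera 8.54 / 9.64 / 11.50 (default install path)",
    "9fda41b86ddcf1db": "VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11",
    "74d7f43c1561fc1e": "Windows Media Player 12.0.7601.17514",
}

# Jump List file names have the form "<AppID>.<kind>Destinations-ms".
JUMPLIST_RE = re.compile(
    r"^(?P<appid>[0-9a-f]{1,16})\.(?P<kind>automatic|custom)Destinations-ms$",
    re.IGNORECASE)

def parse_jumplist_name(filename):
    """Return (appid, kind) for a Jump List file name, or None for other files."""
    m = JUMPLIST_RE.match(filename)
    return (m["appid"].lower(), m["kind"].lower()) if m else None

def triage(filenames, known=KNOWN_APPIDS):
    """Group by AppID: appid -> {"kinds": [...], "app": name or None}."""
    # Unknown AppIDs are kept: a non-default install path or a portable
    # application yields an AppID that is not in the table above.
    result = {}
    for name in filenames:
        parsed = parse_jumplist_name(name)
        if parsed is None:
            continue  # e.g. desktop.ini
        appid, kind = parsed
        entry = result.setdefault(appid, {"kinds": set(), "app": known.get(appid)})
        entry["kinds"].add(kind)
    for entry in result.values():
        entry["kinds"] = sorted(entry["kinds"])
    return result

# Constructed listing (not from a real system) of AutomaticDestinations and
# CustomDestinations merged together.
SAMPLE_LISTING = [
    "5d696d521de238c3.automaticDestinations-ms",
    "5d696d521de238c3.customDestinations-ms",
    "9fda41b86ddcf1db.automaticDestinations-ms",
    "e23869c0afb61102.automaticDestinations-ms",  # Opera run from C:\Program Files\Opera2
    "desktop.ini",
]

if __name__ == "__main__":
    for appid, info in sorted(triage(SAMPLE_LISTING).items()):
        label = info["app"] or "UNKNOWN: check .lnk and prefetch artifacts for the path"
        print(f"{appid}  {'+'.join(info['kinds']):<17} {label}")
```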
There are a few things to consider when analyzing Jump Lists.
Throughout my testing, I noticed that installing an application to a non-default location results in an AppID change. That is, if the application's developers did not provide a custom, static AppID and the installation directory is different from its default location, the AppID will be different from what is listed above. This clearly indicates that the AppID is calculated using the path from which the application is run (amongst other conditions). For example, when I installed the Opera browser into C:\Program Files\Opera, its AppID was calculated as 16ec093b8f51508f. When I installed it in C:\Program Files\Opera2, its AppID was calculated as e23869c0afb61102. We already knew that the path from which the program is run was a factor in how the AppID was calculated, but it's an important aspect to reiterate. This means that portable applications will rarely have a definitive AppID unless they are being run from the same drive letter and path as they were when initially executed. While this is unfortunate, there are solutions. For example, we can take a look at .lnk artifacts created upon the file's opening to find the drive letter and path to the file/application in question. Another place to look would be the prefetch files, in order to find more information on the portable application (beyond the scope of this post).
The great thing about having a quasi-though-not-nearly-comprehensive list of AppIDs is that you could potentially find exactly which version of an application was running. For example, say we have a portable image viewer (STDU, for instance). If we run it from a USB flash drive, it will generate an AppID based on the file's path (among other things). We can take a look around the system to find other artifacts and place them all in a timeline. We analyze the timeline to find when the flash drive was inserted and used, analyze the timeline items around that time, determine the name and path of the application, download different versions of that application, run each version from the location we just discovered, and compare the AppID to the initial evidence AppID. I have tested this and confirmed that this is indeed possible. While this is a very roundabout way of finding out the application version, it's still a viable option -- not ideal, but viable.
There will most definitely be a follow-up post to this one. I've focused upon browsers, utilities, image viewers, and media players thus far. I'll be focusing more on file-sharing, communications, and file-transfer clients in the next installment. Of course, some of that software doesn't utilize Jump Lists as much as the software listed in this post (recent files for an IRC client? I don't think so...), but it's still important to know how to identify them and their artifacts, as Jump Lists are created simply as a result of a right click on the taskbar.
Please leave some feedback on this post if you've got the time. I would love to see some people correct me on some things; I won't bite, I swear! In any case, thanks for reading and keep an eye out for Part 2.
References
1. Forensic Examination of Windows 7 Jump Lists (PowerPoint, by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar - Jump into Jump Lists - Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs