Wednesday, September 7, 2011

Jump List Forensics: AppIDs Part 1

Well, I felt it was about time to get a blog up and running. Everything I've learned on the subject of digital forensics has been a direct result of reading forensics books, blogs, and list-serv responses written by people like Ken Pryor, Harlan Carvey, Eoghan Casey, Lee Whitfield, Brad Garnett, David Kovar, Andrew Case, Rob Lee, Dave Hull, Dan O'Day, Shafik Punja, Frank McClain, Cory Altheide, Joe Garcia, Hal Pomeranz, *deep breath* Troy Larson, Andrew Hoog, Eric Huber, Luby Novitovic, Michael Hale Ligh, Alex Bond, Jimmy Weg, Corey Harrell, Dan Farmer, Larry E. Daniel, Jamie Levy, Tom Yarrish, Andreas Schuster, Loc Nguyen, and many more (I know I've forgotten some; I apologize in advance). So I just wanted to start off with a quick 'thank you,' as you've all driven me to this point. Your work is very much appreciated.

----------------------------------
[UPDATE #01 03/15/2016]: A new AppID Master List has been created. See this post for more information.
----------------------------------

Before I get into the bulk of this post, I'd like to divert your attention to Harlan Carvey's research on Jump List Analysis [part 1] [part 2]. Much of what I'll be covering here is detailed within these posts, so make sure you take a look at them. I just don't want to repeat what's already been said; Harlan does a great job of explaining the concepts. You can also check out the list of references at the bottom of this post to get your Jump List and AppID info fix.

Jump List Summary

Just to preface the AppID findings, I'll shed some light on what a Jump List actually is. Remember, check out Harlan's posts and the references section for more detail.

[Screenshot: Windows Media Player's Jump List, displayed by right-clicking its taskbar icon.]

The Jump List is a feature introduced with the Windows 7 taskbar that gives quick access to an application's recently viewed/opened/played or most frequently viewed/opened/played files, and to common tasks within that application. Each pinned or running application has its own button on the taskbar, and right-clicking that button displays the application's Jump List. As the application performs certain actions (opening a file, having its taskbar button right-clicked, registering custom tasks, etc.), the shell records the Jump List data in two kinds of files:

*.automaticDestinations-ms files in %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations (i.e., C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations)
*.customDestinations-ms files in %APPDATA%\Microsoft\Windows\Recent\CustomDestinations

Note: these directories sit under the hidden AppData folder, so Explorer won't browse to them by default. Type the full path into the address bar (or cd to it from a command prompt) to see their contents.

The '*' in the above examples is the Application ID (AppID). Unless the developers assign an explicit, static AppID (an AppUserModelID; see reference 4), the Windows shell calculates one for the application itself. Knowing an application's AppID lets you tie a given Jump List file back to the application that produced it, which matters when user activity is central to an investigation.

Forensic Value (or Why It's Important)

Alright, so we have the Jump List file and its contents. Now what? Why is this important? Well, you can use them to find the following:
  • Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) files opened by the user/application
  • Lists of Most Recently Used (MRU) or Most Frequently Used (MFU) tasks used by the user/application and subsequently how the application was used
  • Lists of most recently or frequently accessed website URLs (browser Jump Lists)
  • If an application was installed or used/run (AutoDest Jump List files stay intact after application uninstall - tested with VLC 1.1.11)
  • Whether a user distributed (uploaded) or only acquired (downloaded) illegal images [3]
Forensic research on Jump Lists was largely undeveloped until recently. Luckily, we've seen some activity and tools created to parse Jump Lists, as they are some of the most valuable resources for analyzing user activity.


Jump List AppIDs

All applications are 32-bit. Tested on Windows 7 Professional SP1.

Note: in many cases several versions of the same application were tested; the same application does not necessarily keep the same AppID across versions.


Internet Browsers
5d696d521de238c3 Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215
cfb56c56fa0f0a54 Mozilla 0.9.9
5c450709f7ae4396 Firefox 1.0 / 2.0 / 3.0
5df4765359170e26 Firefox 4.0.1
1eb796d87c32eff9 Firefox 5.0
1461132e553e2e6c Firefox 6.0
28c8b86deab549a1 Internet Explorer 8 / 9
16ec093b8f51508f Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074
8a1c1c7c389a5320 Safari 3.2.3 (525.29)
1da3c90a72bf5527 Safari 4.0.5 (531.22.7) / 5.1 (7534.50)

Utilities

3dc02b55e44d6697 7-Zip 3.13 / 4.20
4975d6798a8bdf66 7-Zip 4.65 / 9.20
4b6925efc53a3c08 BCWipe 5.02.2 Task Manager 3.02.3
337ed59af273c758 Sticky Notes
290532160612e071 WinRAR 2.90 / 3.60 / 4.01
c9950c443027c765 WinZip 9.0 SR-1 (6224) / 10.0 (6667)
b74736c2bd8cc8a5 WinZip 15.5 (9468)
bc0c37e84e063727 Windows Command Processor - cmd.exe (32-bit)

Image/Document Viewers

f0468ce1ae57883d Adobe Reader 7.1.0
c2d349a0e756411b Adobe Reader 8.1.2
23646679aaccfae0 Adobe Acrobat 9.4.0
ee462c3b81abb6f6 Adobe Reader X 10.1.0
386a2f6aa7967f36 EyeBrowse 2.7
e31a6a8a7506f733 Image AXS Pro 4.1
b39c5f226977725d ACDSee Pro 8.1.99
59f56184c796cfd4 ACDSee Photo Manager 10 (Build 219)
8bd5c6433ca967e9 ACDSee Photo Manager 2009 (v11.0 Build 113)
d838aac097abece7 ACDSee Photo Manager 12 (Build 344)
b3f13480c2785ae Paint 6.1 (build 7601: SP1)
7cb0735d45243070 CDisplay 1.8.1.0
3594aab44bca414b Windows Photo Viewer
3edf100b207e2199 digiKam 1.7.0 (KDE 4.4.4)
169b3be0bc43d592 FastPictureViewer Professional 1.6 (Build 211)
e9a39dfba105ea23 FastStone Image Viewer 4.6
edc786643819316c HoneyView3 #5834
76689ff502a1fd9e Imagine Image and Animation Viewer 1.0.7
2519133d6d830f7e IMatch 3.6.0.113
1110d9896dceddb3 imgSeek 0.8.5
c634153e7f5fce9c IrfanView 3.10 / 4.30
ea83017cdd24374d IrfanView Thumbnails
3917dd550d7df9a8 Konvertor 4.06 (Build 10)
2fa14c7753239e4c Paint.NET 2.72 / 3.5.8.4081.24580
d33ecf70f0b74a77 Picasa 2.2.0 (Build 28.08, 0)
b17d3d0c9ca7e29 Picasa 3.8.0 (Build 117.43, 0)
(embedded in IE) Prizm Viewer
(depends on location) Scientific and Technical Document Viewer 1.6.2 Portable (STDU)
c5c24a503b1727df XnView 1.98.2 Small / 1.98.2 Standard
497b42680f564128 Zoner PhotoStudio 13 (Build 7)

Media Players

d22ad6d9d20e6857 ALLPlayer 4.7
7494a606a9eef18e Crystal Player 1.98
1cffbe973a437c74 DSPlayer 0.889 Lite
817bb211c92fd254 GOM Player 2.0.12.3375 / 2.1.28.5039
6bc3383cb68a3e37 iTunes 7.6.0.29 / 8.0.0.35
83b03b46dcd30a0e iTunes 9.0.0.70 / 9.2.1.5 / 10.4.1.10 (custom 'Tasks' Jump List capability begins with these versions)
fe5e840511621941 JetAudio 5.1.9.3018 Basic / 6.2.5.8220 Basic / 7.0.0 Basic / 8.0.16.2000 Basic
a777ad264b54abab JetVideo 8.0.2.200 Basic
3c93a049a30e25e6 J. River Media Center 16.0.149
4a49906d074a3ad3 Media Go 1.8 (Build 121)
1cf97c38a5881255 MediaPortal 1.1.3
(depends on location) Media Player Classic 6.4.8.9 (portable)
(depends on location) Media Player Classic - Home Cinema 1.5.2.3456 (default install is under \Users\<user>\, so the path, and therefore the AppID, varies per user)
62bff50b969c2575 Quintessential Media Player 5.0 (Build 121) (its Jump List also carries usage stats: times used, tracks played, total time used)
b50ee40805bd280f QuickTime Alternative 1.9.5 (Media Player Classic 6.4.9.1)
ae3f2acd395b622e QuickTime Player 6.5.1 / 7.0.3 / 7.5.5 (Build 249.13)
7593af37134fd767 RealPlayer 6.0.6.99 / 7 / 8 / 10.5
37392221756de927 RealPlayer SP 12
f92e607f9de02413 RealPlayer 14.0.6.666
6e9d40a4c63bb562 Real Player Alternative 1.25 (Media Player Classic 6.4.8.2 / 6.4.9.0)
c91d08dcfc39a506 SM Player 0.6.9 r3447
e40cb5a291ad1a5b Songbird 1.9.3 (Build 1959)
4d8bdacf5265a04f The KMPlayer 2.9.4.1434
4acae695c73a28c7 VLC 0.3.0 / 0.4.6
9fda41b86ddcf1db VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11
e6ee34ac9913c0a9 VLC 0.6.2
cbeb786f0132005d VLC 0.7.2
f674c3a77cfe39d0 Winamp 2.95 / 5.1 / 5.621
90e5e8b21d7e7924 Winamp 3.0d (Build 488)
74d7f43c1561fc1e Windows Media Player 12.0.7601.17514


Caveats

There are a few things to consider when analyzing Jump Lists.

Throughout my testing, I noticed that installing an application to a non-default location results in a different AppID. That is, if the application's developers did not provide a custom, static AppID and the installation directory differs from the default, the AppID will differ from what is listed above. This shows that the AppID is calculated from the path the application is run from (amongst other factors). For example, when I installed the Opera browser into C:\Program Files\Opera, its AppID was calculated as 16ec093b8f51508f. When I installed it in C:\Program Files\Opera2, its AppID was calculated as e23869c0afb61102.

We already knew that the path from which the program is run was a factor in how the AppID is calculated, but it's worth reiterating, because it means portable applications will rarely have a definitive AppID unless they are run from the same drive letter and path as when they were first executed. While this is unfortunate, there are workarounds. We can look at the .lnk artifacts created when the file was opened to find the drive letter and path of the file/application in question. Another place to look is the prefetch files, which carry more information on the portable application (beyond the scope of this post).

The great thing about having a partial (though far from comprehensive) list of AppIDs is that you can potentially pin down exactly which version of an application was running. For example, say we have a portable image viewer (STDU, for instance). If we run it from a USB flash drive, it will generate an AppID based on the file's path (among other things). We can look around the system for other artifacts and place them all in a timeline, find when the flash drive was inserted and used, analyze the timeline items around that time, determine the name and path of the application, download different versions of that application, run each version from the path we just discovered, and compare each resulting AppID to the AppID in evidence. I have tested this and confirmed that this is indeed possible. It's a roundabout way of establishing the application version, but it's still a viable option -- not ideal, but viable.

[UPDATE 4/30/13]: If you haven't looked at @Hexacorn's blog post on AppID and Jump List filename calculation, be sure to look at it. It sheds light on the way AppIDs are calculated.
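To make the path-dependence caveat concrete, here is an added example (mine, not code from this post, from Microsoft, or from Hexacorn) that derives an AppID the way the shell does for an application without an explicit AppUserModelID: take the full executable path, upper-case it, CRC64 the UTF-16LE bytes, and render the result in hex. The sequence of steps follows the shell32 CAutomaticDestinationList::Initialize fragment an anonymous commenter posted below; the CRC-64 polynomial, initial register value and absence of a final XOR are assumptions taken from public write-ups and must be confirmed against Hexacorn's calculator before a computed value is relied on in casework. The executable paths are constructed for illustration. One thing this model would explain: if ToString prints the 64-bit value without zero-padding, an AppID whose top nibble is zero comes out as 15 hex characters, which is the shape of the Paint and Picasa 3.8 entries in the table above.

```python
# Added example (not from the original post): derive a Windows 7 Jump List
# AppID for an executable path the way the shell does when the developer has
# not set an explicit AppUserModelID. Pipeline (per the decompiled
# CAutomaticDestinationList::Initialize quoted in the comments):
#   copy path -> upper-case it -> byte length of the UTF-16LE text ->
#   CRC64 over those bytes -> hex string (the Jump List filename stem).
# The CRC-64 parameters below are ASSUMPTIONS for illustration; verify them
# against Hexacorn's write-up before trusting any computed value.

CRC64_POLY = 0x92C64265D32139A4   # assumed polynomial, MSB-first (non-reflected) form
CRC64_INIT = 0xFFFFFFFFFFFFFFFF   # assumed initial register value
MASK64 = 0xFFFFFFFFFFFFFFFF


def crc64(data: bytes, poly: int = CRC64_POLY, init: int = CRC64_INIT) -> int:
    """Bitwise, non-reflected CRC-64 with no final XOR (assumed parameters)."""
    crc = init
    for byte in data:
        crc ^= byte << 56                     # feed the next byte into the top of the register
        for _ in range(8):
            if crc & (1 << 63):
                crc = ((crc << 1) ^ poly) & MASK64
            else:
                crc = (crc << 1) & MASK64
    return crc


def jumplist_appid(exe_path: str) -> str:
    """Return the AppID (stem of the *.automaticDestinations-ms filename) for a path.

    Mirrors the shell: CharUpperBuffW upper-cases the wide string,
    StringCbLengthW yields the byte length of the UTF-16LE text (no
    terminator), CRC64 runs over those bytes, and ToString renders hex.
    str.upper() matches CharUpperBuffW for the ASCII paths used here;
    non-ASCII paths would need Windows' own case-mapping rules.
    """
    wide = exe_path.upper().encode("utf-16-le")
    return format(crc64(wide), "x")           # no zero-padding, so 15 chars is possible


def appids_for_candidate_paths(exe_name: str, roots) -> dict:
    """AppID for the same executable under each candidate install or drive root.

    Supports the portable-app workflow in the post: compute the AppID for
    every location a USB-hosted binary could have run from and compare each
    against the Jump List filename found in evidence.
    """
    return {root: jumplist_appid(root.rstrip("\\") + "\\" + exe_name) for root in roots}


if __name__ == "__main__":
    # Constructed paths mirroring the Opera / Opera2 example in the caveats.
    for path in (r"C:\Program Files\Opera\opera.exe",
                 r"C:\Program Files\Opera2\opera.exe"):
        print(jumplist_appid(path), path)
    # Constructed portable-viewer name and candidate USB drive letters.
    for root, appid in appids_for_candidate_paths("viewer.exe", ["E:\\", "F:\\", "G:\\"]).items():
        print(appid, root + "viewer.exe")
```

Because the path is upper-cased before hashing, changing only the case of a directory or file name leaves the AppID unchanged, whereas changing the drive letter, any directory component, or the executable name produces a different value. That is exactly why the Opera and Opera2 installs above hashed differently and why a portable binary has no fixed AppID.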


Further Research

There will most definitely be a followup post to this one. I've focused on browsers, utilities, image viewers, and media players thus far. I'll focus on file-sharing, communications, and file-transfer clients in the next installment. Of course, some of that software doesn't make as much use of Jump Lists as the software listed in this post (recent files for an IRC client? I don't think so...), but it's still important to know how to identify them and their artifacts, as a Jump List file can be created simply by right-clicking the application's taskbar button.

Please leave some feedback on this post if you've got the time. I would love to see some people correct me on some things; I won't bite, I swear! In any case, thanks for reading and keep an eye out for Part 2.

-Dan (@4n6k)

References
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar - Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs

11 comments:

Little Mac said...

Great post, Dan! IMO, you should post some of this info to http://forensicartifacts.com/. Thanks for the "thanks," too.

Brad4n6 said...

I echo Little Mac's comment. Thank you for the shout-out and I look forward to reading your contributions to the DFIR community!

4n6k said...

@Little Mac @Brad4n6: Thanks, you guys. I'll definitely get this info to forensicsartifacts along with the followup information. Glad you enjoyed it!

Jimmy_Weg said...

One easy way to check the AppID for your specific target is to boot a VM of the image and run the apps in which you have an interest. Then check for the Jump List files that were modified or examine the Jump List files to locate the files that you opened with the apps.

4n6k said...

Thanks, Jimmy. Your response on the win4n6 list-serv about apps used in CP cases really got me thinking on this AppID business, as well. I think this information would be most valuable for those types of investigations, but would serve well in general, too.

Anonymous said...

The AppID is in fact CRC64 of full name (path included) of the exe file. The function is in shell32.dll: CAutomaticDestinationList::Initialize

    // Decompiler (Hex-Rays style) output of shell32.dll
    // CAutomaticDestinationList::Initialize, as posted: a2 = path, a1/a3 = output
    result = StringCchCopyW(&sz, 0x104u, a2);        // copy the full path (MAX_PATH wide chars)
    if ( result >= 0 )
    {
        v4 = &sz;
        do                                           // inline wcslen: walk to the terminating NUL
        {
            v5 = *v4;
            ++v4;
        }
        while ( v5 );
        // upper-case the buffer in place; length is in wide chars and includes
        // the terminator (v8 is presumably the decompiler's other name for sz)
        CharUpperBuffW(&sz, (signed int)((char *)v4 - (char *)&v8) >> 1);
        result = StringCbLengthW(&sz, 0x208u, &v6);   // v6 = byte length of the UTF-16 string
        if ( result >= 0 )
        {
            CRC64::CRC64(&sz, v6);                   // hash the upper-cased path bytes
            result = CRC64::ToString(a1, a3);        // render the 64-bit CRC as the hex AppID
        }
    }
    return result;

Anonymous said...

Is ace2e449a5dfce37 Event Viewer?

Rob Lyness said...

I have written an article about the potential artifacts from Windows 7 Jump Lists, including the structure of the DestList which you can find at:

http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/

Hope you find it useful.

@Anonymous - I suspected the AppID was a CRC64. How did you find that out?

4n6k said...

If you haven't looked at @Hexacorn's blog post on AppID and Jumplist filename calculation, be sure to look at it. It sheds light on the way AppIDs are calculated.

http://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/


Delta Smith said...

I do not pretend to understand the jargon above. In layman's terms, is it possible to simply copy the Automatic Destinations from a Windows 7 system to a new install of Windows 8?
