For this portion of the Case Experience, I will be using EnCase v6.18 and Jump List Parser code from Harlan Carvey. However, many other tools can be used to look at the same areas of interest.
On Windows, when a user opens a file, a link (shortcut) file is created in that user's Recent folder. The link file is named after the target file, with a .LNK extension appended. In EnCase, the target file path can be found in the column called "Symbolic Link." Below is an excerpt of the link files found in the Recent folder from our case study of Kilroy:
(You may want to click on the image to better read the information... I played around with it and this is the best I could do... sorry!)
We found some good stuff, but we aren't done with the Recent folder just yet, because in Windows 7 this folder also contains Jump Lists. (If you want a more detailed description of jump lists and what they are, there are multiple sites available online, including a page on the forensics wiki and this post by Harlan.) Let's take a look at one of the JLs to see if we can find anything interesting. Looking in the AutomaticDestinations folder, we see that there is a JL called 9c7cc110ff56d1bd.automaticDestinations-ms. Comparing this to the Jump List IDs on the Forensics wiki, we can see that this particular jump list is associated with Microsoft Office PowerPoint 2010. To parse the information in this file, I chose to use the jump list parser mentioned above. It is written in Perl, so to run the script you must have Perl installed. In order to run the script on my Windows system against the mounted image of the system (mounted to the I: drive), I typed:
jl2.pl I:\Users\Kilroy\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9c7cc110ff56d1bd.automaticDestinations-ms > pptjlreport.txt
Opening the pptjlreport.txt shows the following information:
Given the link files that we found, this information isn't earth-shattering, but it is still a good idea to check these kinds of artifacts for a few reasons: 1) it corroborates findings from other artifacts, thus strengthening your case; 2) you may find additional information here that wasn't in the link files or other artifacts; and 3) looking in multiple locations reduces the chance of anti-forensics being successful on a case you are analyzing. UPDATE: I should have mentioned that one of the contextual additions to looking at jump lists is that they show not just that (and when) a file was opened, but also which program was used to open it. Depending on the case, this could be of interest. Also, Corey at JIIR has a great example of how Jump Lists provided more information than he was able to get from looking at link files.
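To make concrete what EnCase's "Symbolic Link" column and tools like jl2.pl are pulling out of these artifacts, here is a minimal parser for the ShellLink (.LNK) format as documented in MS-SHLLINK. This is an added example written for this post; it is not code from the original post, from EnCase, or from Harlan Carvey's parser. It constructs a small .LNK byte string in memory (the file name example.pptx, the volume serial and the timestamps are all made up) and then reads back the fields an examiner cares about: the target's local base path, the target's timestamps and size as recorded inside the link, and the relative path string. The same ShellLink structure is what sits inside each numbered stream of an AutomaticDestinations-ms Jump List, so this is the core of what a Jump List parser does once it has opened the OLE compound container (container parsing is not covered here). Only the subset of the format needed for this illustration is handled; IDLists are skipped rather than decoded.

```python
"""Minimal .LNK (MS-SHLLINK) parser with a constructed sample file.

Added example for illustration; not the post's or any tool's own code.
Sample values (path, serial number, timestamps) are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_FMT = "<I16sIIQQQIIIHHII"           # 76-byte ShellLinkHeader
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is the count of 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def build_lnk(local_base_path, relative_path, target_size, mtime):
    """Build a minimal .LNK: header + LinkInfo(VolumeID, LocalBasePath) + RelativePath."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    ft = datetime_to_filetime(mtime)
    # FileAttributes 0x20 = ARCHIVE, ShowCommand 1 = SW_SHOWNORMAL, rest zero/reserved
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, flags, 0x20,
                         ft, ft, ft, target_size, 0, 1, 0, 0, 0, 0)
    label = b"OS\x00"
    # VolumeID: size, DriveType 3 (DRIVE_FIXED), constructed serial, label offset 16
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label
    local_base = local_base_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"                              # empty CommonPathSuffix
    vol_off = 0x1C
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(local_base)
    li_size = cps_off + len(suffix)
    # LinkInfoFlags 0x1 = VolumeIDAndLocalBasePath present
    link_info = struct.pack("<IIIIIII", li_size, 0x1C, 0x1, vol_off, lbp_off, 0, cps_off)
    link_info += volume_id + local_base + suffix
    rel = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return header + link_info + rel


def _read_cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return the forensically interesting fields of a ShellLink byte string."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a ShellLink")
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a ShellLink header")
    # These timestamps describe the TARGET at link time, not the .LNK's own MAC times.
    out = {"flags": flags, "file_attributes": attrs, "file_size": size,
           "target_created": filetime_to_datetime(ctime),
           "target_accessed": filetime_to_datetime(atime),
           "target_modified": filetime_to_datetime(wtime),
           "local_base_path": None, "common_path_suffix": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the IDList, not decoded here
        (id_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_size
    if flags & HAS_LINK_INFO:
        (li_size, _li_hdr, li_flags, _vol, lbp_off,
         _cnrl, cps_off) = struct.unpack_from("<IIIIIII", data, pos)
        if li_flags & 0x1:
            out["local_base_path"] = _read_cstring(data, pos + lbp_off)
        out["common_path_suffix"] = _read_cstring(data, pos + cps_off)
        pos += li_size
    # StringData blocks follow in this fixed order, each present only if its flag is set.
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return out


# Constructed sample: a link as the Recent folder would hold for a PowerPoint file.
SAMPLE_LNK = build_lnk(r"C:\Users\Kilroy\Documents\example.pptx",
                       r"..\..\..\Documents\example.pptx", 40960,
                       datetime(2011, 3, 14, 15, 9, 26, tzinfo=timezone.utc))

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:>20}: {v}")
```

Point this at a real .LNK with `parse_lnk(open(path, "rb").read())` and compare `local_base_path` with what EnCase reports under "Symbolic Link". Note the comment in `parse_lnk`: the three timestamps inside the header belong to the target file as it was when the link was written, while the .LNK's own filesystem timestamps tell you when the user opened it, so the two sets answer different questions and should be reported separately.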
Well, I think that is about it for now. Stay tuned... next stop, Windows Registry!