Forensic Analysis of Windows 7 JumpLists

Posted by roblyness ⋅ October 30, 2012

Abstract

The release of Microsoft Windows 7 introduced a new feature known as Jump Lists which present the user with links to recently accessed files grouped on a per application basis. The records maintained by the feature have the potential to provide the forensic computing examiner with a rich source of evidence during examinations of computers running the Microsoft Windows 7 Operating System. This paper explores the type and level of information recorded by the Jump List feature, the structure of those records and the user actions which result in them being updated.

Introduction

The content of this article is based upon an MSc Thesis submitted by the author to Cranfield University in February 2012 but has been supplemented with observations and findings from analysis of Jump List files in actual investigations.

The article focuses primarily on artefacts relating to file accesses. Additional Jump List data relating to the use of individual programs is not the focus of this paper, although some work in that area has been conducted by Barnett (undated).

The Jump List feature provides the user with a graphical interface associated with each installed application which lists files that have been previously accessed by that application. An example of that interface is shown at Fig. 1.

Fig. 1 – Example of Jump List associated with Microsoft Paint.

As indicated in Fig. 1, it is also possible for a user to ‘pin’ items in order to retain them on a list.

The feature is enabled by default and shows the 10 most recently accessed files per application, although that figure can be raised to a maximum of 60.

Configuration changes can be achieved by a right mouse click on the Windows Logo button > Properties which reveals a dialog box similar to that shown at Fig. 2 which can be used to enable/disable the Jump List feature.

Fig. 2 – Example of Windows 7 ‘Taskbar and Start Menu Properties’ Dialog box.

The number of items to be displayed on a Jump List can be adjusted through clicking of the ‘Customize…’ button which reveals a second dialog box, similar to that shown at Fig. 3

Fig. 3 – Example of Windows 7 ‘Customize Start Menu’ Dialog Box.

Background Information

During the initial stages of the original project research was conducted in an attempt to identify what was already known about the topic of Jump Lists.

Whilst it was found that information available in the public domain was limited, some useful material was identified:

  1. Torres (2011) indicates that records of the items pinned to the Taskbar are stored in the directory ‘C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar’.
  2. AccessData’s Registry Quick Find Chart (2010) indicates that details of applications that have been pinned to the Taskbar are also recorded in the Windows Registry values ‘Favorites’ and ‘FavoritesResolve’ under ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband’, and that details of applications subsequently removed are retained within those Registry values.
  3. Larson (undated) explains that details of accessed files are held within structured storage (Compound Binary) files, which are themselves stored within the user’s profile at ‘%systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations’, and notes the following:
     a. The files are named with 16 hexadecimal digits, known as the AppID, followed by the file extension ‘automaticDestinations-ms’.
     b. The AppID can be set by the application or by the OS at application runtime (MSDN, 2011).
     c. A list of known AppIDs is also available online.
     d. The majority of records within the Compound Binary file are named with a hexadecimal numeric value and are structured in accordance with the shortcut (link) file specification.
     e. A further entry, entitled ‘DestList’, is also present. Although this element is structured, there is little information available about that structure or the information it contains; it is clear, however, that it does not follow the Shortcut specification.
  4. Carvey (2011) details a small proportion of the ‘DestList’ structure, including a 64-bit ‘FILETIME’ object, and indicates that further byte sequences are present within it.
  5. The specifications for both Compound Binary (MSDN, 2010 (a)) and Shortcut files (MSDN, 2010 (b)) are documented online, and a number of tools are available to extract the individual elements from Compound Binary files, for example SSView, OffVis and JumpLister; however, none of these tools fully parses the ‘DestList’ element within a Jump List file.
  6. Ard (2007) states that Jump Lists record the number of times that a file is opened.
  7. Li (2011) reports that the number of items to be shown on a Jump List is stored within the Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’.

Experimental Setup and Program.

All experimentation was conducted in a virtual environment. Based upon the resources available at the time of the research, this was achieved using VMware Workstation 7.1.3 and a retail copy of Windows 7 Ultimate (x64) with no Service Packs.

The virtual machine was created with two attached virtual disks formatted with the NTFS file system; the first to hold the Operating System and the second to store a series of specimen text, picture, music and video files.

The date and time settings of the virtual machine, and of all clones made from it, were deliberately maintained in British Summer Time (GMT+1) so that it could be determined whether Jump Lists record dates and times in local time or in UTC.

The experiments that were conducted were designed to address specific points with a view to understanding the full structure of the records maintained by Jump Lists and were broken down into specific objectives.

Identify initial Jump List data.

The first stage in this process was to carry out a fresh installation of Windows 7. The virtualisation software was used to capture a snapshot at the completion of the installation, a second after an account was created and a third after being presented with the option to apply a password or not. Finally the process was allowed to complete by logging the newly created user on for the first time after which the VM was shut down without accessing any files.

This experiment was carried out twice; once where a password was applied and once without.

All further experimentation was based upon clones of the VM where a password was applied to the user account and various tests were conducted to change the configuration of the feature and update the records maintained by it.

Modify configuration settings.

This was achieved by accessing the ‘Customize Start Menu’ dialog box as depicted in Fig. 3 and changing the default values to 15 (for number of programs) and 20 (for number of recent Jump List items).

The next step was to use the ‘regedit’ application to access the Registry key identified by Li (2011) and change the data of the value ‘Start_JumpListItems’ to 25 (0x19), before closing regedit and opening the relevant dialog box again to note the displayed values.

Finally, the ‘Use Default Settings’ button was used to return both displayed values to 10.

Open files.

A number of the sample files held on the second virtual hard disk were opened using applications included with Windows 7; Notepad and WordPad for text, Windows Photo Viewer and Paint for picture files, Windows Media Player and Windows Media Centre for video, sound and pictures.

Pin and Unpin items to a Jump List, Taskbar and Start Menu.

One entry each from the Jump Lists for Notepad and Paint were pinned to their respective lists.

The picture viewing program Irfanview and the productivity suite Microsoft Office 2007 were then installed using the default installation locations, before shortcuts to Irfanview, Microsoft Word, Notepad and Paint were pinned to the Taskbar and Start Menu.

Irfanview and Microsoft Word were used to open two picture files and two Microsoft Word documents respectively. One entry from each of the displayed Jump Lists was pinned to the list; one from the Taskbar list and the other from the Start Menu List.

Irfanview was then unpinned from the Taskbar and Start Menu and uninstalled using the relevant link found in the programs listing presented on the Start Menu.

Microsoft Office 2007 was uninstalled via the Windows Control Panel without unpinning Microsoft Word from either the Taskbar or Start Menu.

Delete Jump List data.

A number of methods of deleting the entries from a Jump List were tested;

  1. Manually selecting each entry through a right mouse click > ‘Remove from this list’ option.
  2. Deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box (see Fig. 2).
  3. Navigating to the ‘AutomaticDestinations’ directory and deleting the Compound Binary Files through Windows Explorer.
  4. From a command prompt with the command ‘del C:\Users\Win7x64JL\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\* /Q’.

Establish the order of file accesses.

This experiment consisted of three steps;

  1. Open a series of files in a known order
  2. Pin a selection of Jump List items in a known order
  3. Open all of the files again in a known order.

Identify pinned entries.

No additional experimentation was required for this step as previous experiments had already included the action of pinning individual entries to various Jump Lists.

Determine how often a file has been accessed.

Although it had previously been noted by Ard (2007) that Jump Lists record the number of times that a file has been opened, no information was identified to indicate whether other types of file access are also counted. The experimentation at this stage was intended to address this knowledge deficit.

Due to time constraints associated with the original project, all further experimentation focused on the use of the applications Notepad and Microsoft Paint.

A number of steps were taken to investigate this aspect of Jump Lists;

  1. Two sample files (one picture and one text) were opened a total of five times each by navigating to them through Windows Explorer and a double left mouse click.
  2. The various context menu options (with and without the use of the Shift key) available for picture and text files were each used to perform a function, e.g. Print.
  3. Shortcut files were created on the Desktop and used to open sample files.
  4. The various options within the application toolbars were each used to perform a function.
  5. Entries appearing in the Jump List were used to re-open files and the additional options available through a right mouse click on an entry were also selected in turn.
  6. Sample files were opened from the Command Prompt with commands such as ‘notepad D:\somefile.txt’.

Identify whether the date/time of file access is recorded.

It has been noted previously, in the Background Information section above, that Carvey (2011) identified the presence of a ‘FILETIME’ object within the structure of an entry recorded in the ‘DestList’ element of a Jump List, although the purpose of this value was unknown. Changes to these byte sequences were analysed across the various Jump List files generated and updated by the experiments in order to determine the purpose of that object.

Establish any differences in how file accesses are recorded.

The various Jump List files generated throughout the testing phase were analysed in an effort to identify any differences in the way that certain actions are recorded.

Delete, move and rename Jump List target files.

Experimentation was conducted to investigate the impact of these types of user actions on the records within a Jump List. The experiments involved opening a number of sample files to generate an entry in a Jump List before testing the following actions;

  1. Moving the target within the same volume.
  2. Moving the target to a different volume.
  3. Deleting the target to the Recycle Bin.
  4. Deleting the target to the Recycle Bin and then deleting it from that location.
  5. Deleting the target, but bypassing the Recycle Bin by use of the Shift key.
  6. Renaming the target file on the original volume.

Install a known application to a non-default location.

The purpose of this experiment was to identify any differences in the value of the AppID generated by Windows 7 by installing an application to a non-standard location.

In this case, this was achieved by installing the program Irfanview to the path ‘C:\Irfanview’ instead of the default ‘C:\Program Files (x86)\Irfanview’. Following the installation two sample picture files were opened.

Results and Observations

This Section provides a summary of the experimental results and observations made. For ease of reference the information is grouped into areas of interest.

Data present at first login.

The areas of the folder structure and the Windows Registry that are used to store data relevant to Jump Lists are created within a user account at the point that account first logs in.

A fresh install of Windows 7 resulted in the applications ‘Internet Explorer’, ‘Windows Explorer’ and ‘Windows Media Player’ being automatically pinned to the Taskbar without any user interaction as shown in Fig. 4 below.

Fig. 4 – Screen capture of Windows 7 Start Menu and Taskbar at first login

The directory ‘C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar’ was found to contain three shortcut (.lnk) files relating to those three applications.

References to those pinned applications were also found in the Windows Registry values ‘Favorites’ and ‘FavoritesResolve’ under ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband’.

The Windows Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’ did not exist at this stage.

It was found that irrespective of whether the system was configured to show hidden files and folders or not, the ‘AutomaticDestinations’ directory could not be seen when attempting to navigate to it through Windows Explorer.

If, however, the full path was typed into the address bar, then the contents of the directory could be seen. Navigating to it from a Command Prompt had no such problems. Further analysis using forensic software did not show the ‘AutomaticDestinations’ directory to have the ‘Hidden’ attribute set.

One Jump List, named ‘1b4dd67f29cb1962.automaticDestinations-ms’, exists within the ‘AutomaticDestinations’ directory at first login. It contains four entries relating to the ‘Libraries’ available through Windows Explorer.

Jump List Configuration Settings

Changing the number of Jump List items to display using the ‘Customize Start Menu’ dialog box resulted in the creation of the Registry value ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’.

Similarly, changing the number of recent programs to display resulted in the creation of a value named ‘Start_MinMFU’ in the same Registry key.

After deselecting the option to ‘Store and display recently opened items in the Start menu and the taskbar’ from the ‘Taskbar and Start Menu Properties’ dialog box, a new value entitled ‘Start_TrackDocs’ was created within the same Registry key. Additional experimentation identified that the data in this value is either ‘0’ when the feature is disabled or ‘1’ when enabled.

None of these values were present at first login.

Using regedit to alter the data in these Registry values resulted in immediate updates to the corresponding controls in the ‘Customize Start Menu’ dialog box.

The installation path of a program is taken into account by the OS when AppIDs are automatically generated.

Whilst it was found that uninstalling a program removed traces of items pinned to the Start Menu and Taskbar, it was also found that Jump Lists relating to that application remained intact.

Accessing files

There are numerous options available to a user in respect of file manipulation through Windows Explorer, context menus, application file menus and Jump Lists themselves.

Testing revealed that, provided a period of at least 30 seconds elapsed between repeated openings of the same file, the counter in the corresponding ‘DestList’ entry incremented by 1.

Accessing different files in a serial manner, i.e. one after the other, resulted in entries being made in the Jump List irrespective of the amount of time elapsed between each access.

The FILETIME object only changed when a user action caused the entry’s access counter to increment.

The only actions found to cause such updates to the FILETIME object and the access counter were those that resulted in the content of the target file being made available to the user, i.e. displaying a picture file on screen or printing it.

Table 1 below lists only the user actions which resulted in an update to the access count of a Jump List. It should be noted that the options ‘From Scanner or camera’ and ‘Send in Email’ present in the File menu of Paint were not tested.

Analysis of Jump List files in live case work has shown that some applications, including the Microsoft Office suite, Windows Explorer and Windows Media Player, may record non-whole numbers in the access count. The reason for this difference has not been identified and experimentation has failed to replicate it.

Windows Explorer mouse actions and context menu options (each of the listed actions updated the access count)

  Application   Mouse button   Action
  Paint         Left           Double click
  Paint         Left           Link file
  Paint         Right          Preview
  Paint         Right          Set as background
  Paint         Right          Edit
  Paint         Right          Print
  Paint         Right          Open With
  Notepad       Left           Double click target
  Notepad       Left           Double click link file
  Notepad       Right          Open
  Notepad       Right          Print
  Notepad       Right          Edit
  Notepad       Right          Open With

Application File menu

  Application   Option    Jump List updated    Remarks
  Paint         Open      Paint + Explorer
  Paint         Save      Paint + Explorer     Initial save only
  Paint         Save As   Paint + Explorer
  Notepad       Open      Notepad + Explorer
  Notepad       Save      Notepad + Explorer   Initial save only
  Notepad       Save As   Notepad + Explorer

Jump List menu

  Application   Action / Option   Jump List updated
  Paint         Click entry       Paint + Explorer
  Paint         Edit              Paint + Explorer
  Paint         Print             Paint + Explorer
  Notepad       Click entry       Notepad + Explorer
  Notepad       Open              Notepad + Explorer
  Notepad       Print             Notepad + Explorer

Table 1 – User actions resulting in access count update
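The following parser is an added example and is not part of the original article or thesis. It serves two passages above: the description of the Jump List file structure in the Background Information section (AppID file name, LNK-structured streams named with hexadecimal numbers, and the separate ‘DestList’ stream), and the observations on the access counter and FILETIME in the Results. The article itself only establishes that each ‘DestList’ entry holds a FILETIME and a counter; the complete field layout used here (the 32-byte header and 114-byte fixed entry of stream format version 1, as written by Windows 7) is an assumption of this example taken from later public documentation of the format, and the counter is read as a 32-bit float, which would account for the non-whole values reported above. The two-entry sample stream is constructed, and the host name ‘WIN7X64JL’ and file paths in it are invented.

```python
"""Parse the DestList stream of a Windows 7 *.automaticDestinations-ms Jump List.
Added example, not code from the original article: the article establishes only that an
entry holds a FILETIME and an access counter; the full version-1 layout used here is an
assumption taken from later public documentation of the format, and the sample is constructed."""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

JUMPLIST_NAME = re.compile(r"^[0-9a-f]{16}\.automaticDestinations-ms$", re.IGNORECASE)
HEADER_FMT = "<IIIfIIII"               # 32-byte stream header (assumed layout)
ENTRY_FMT = "<Q16s16s16s16s16sIIfQIH"  # 114-byte fixed part of an entry, then a UTF-16LE path
UNPINNED = 0xFFFFFFFF                   # pin status value of an entry that is not pinned
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC = timezone.utc

def is_jumplist_filename(name: str) -> bool:
    """True for '<16 hex digit AppID>.automaticDestinations-ms'."""
    return JUMPLIST_NAME.match(name) is not None

def filetime_to_utc(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01) is UTC; convert to the machine's zone (BST, UTC+1,
    in the article's test VM) only for display, e.g. dt.astimezone(timezone(timedelta(hours=1)))."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

@dataclass
class DestListEntry:
    entry_number: int            # also names the LNK-structured stream in the same file (hex)
    access_count: float          # read as a 32-bit float (assumption); explains non-whole counts
    last_access_utc: datetime    # the FILETIME that changes together with the counter
    pin_position: Optional[int]  # None when the entry is not pinned
    hostname: str
    path: str

    @property
    def stream_name(self) -> str:
        return format(self.entry_number, "x")

    @property
    def pinned(self) -> bool:
        return self.pin_position is not None

def parse_destlist(data: bytes) -> Tuple[Dict[str, object], List[DestListEntry]]:
    """Parse a raw DestList stream (version 1 only) into a header dict and its entries."""
    hdr_size, fixed = struct.calcsize(HEADER_FMT), struct.calcsize(ENTRY_FMT)
    if len(data) < hdr_size:
        raise ValueError("DestList is shorter than its 32-byte header")
    version, n_entries, n_pinned, _, last_entry, _, last_rev, _ = struct.unpack_from(HEADER_FMT, data)
    if version != 1:
        raise ValueError(f"DestList version {version}: only the Windows 7 layout (version 1) is handled")
    header: Dict[str, object] = {"version": version, "entries_declared": n_entries, "pinned_declared": n_pinned,
                                 "last_entry_number": last_entry, "last_revision": last_rev}
    entries: List[DestListEntry] = []
    off = hdr_size
    while off + fixed <= len(data):
        (_crc, _vol, _obj, _bvol, _bobj, host, entry_no, _,
         count, ft, pin, nchars) = struct.unpack_from(ENTRY_FMT, data, off)
        start, end = off + fixed, off + fixed + 2 * nchars
        if end > len(data):
            raise ValueError(f"entry at offset {off} is truncated")
        entries.append(DestListEntry(
            entry_number=entry_no, access_count=count, last_access_utc=filetime_to_utc(ft),
            pin_position=None if pin == UNPINNED else pin,
            hostname=host.split(b"\x00", 1)[0].decode("ascii", "replace"),
            path=data[start:end].decode("utf-16-le")))
        off = end
    if len(entries) != n_entries:  # report rather than silently ignore: it matters in an examination
        header["warning"] = f"header declares {n_entries} entries, {len(entries)} parsed"
    return header, entries

def read_destlist(path: str) -> bytes:
    """Extract the DestList stream from the compound file; needs the third-party 'olefile'
    package (an assumption of this example), which parse_destlist itself does not."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return ole.openstream("DestList").read()
    finally:
        ole.close()

def _entry(entry_no: int, count: float, when: datetime, pin: int, path: str) -> bytes:
    zero16 = bytes(16)  # volume/object GUIDs are irrelevant here
    return struct.pack(ENTRY_FMT, 0, zero16, zero16, zero16, zero16, b"WIN7X64JL", entry_no, 0,
                       count, utc_to_filetime(when), pin, len(path)) + path.encode("utf-16-le")

def build_sample_destlist() -> bytes:
    """Constructed two-entry stream (not real case data): one pinned, one with a non-whole count."""
    return (struct.pack(HEADER_FMT, 1, 2, 1, 0.0, 2, 0, 7, 0)
            + _entry(1, 5.0, datetime(2012, 2, 14, 9, 0, tzinfo=UTC), 0, r"D:\Pictures\sample01.jpg")
            + _entry(2, 2.5, datetime(2012, 2, 14, 10, 30, tzinfo=UTC), UNPINNED, r"D:\Text\notes.txt"))

if __name__ == "__main__":
    for e in parse_destlist(build_sample_destlist())[1]:
        print(f"stream {e.stream_name}  count={e.access_count}  pinned={e.pinned}  "
              f"{e.last_access_utc:%Y-%m-%d %H:%M} UTC  {e.path}")
```

Against a real file, `parse_destlist(read_destlist(r"...\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms"))` returns the header and one entry per destination; `stream_name` gives the name of the LNK-structured stream holding that entry’s full shortcut data, and `pin_position` is set only for pinned entries. The FILETIME is stored in UTC, so on the article’s BST-configured VM the value displayed by Windows will be one hour later than `last_access_utc`; keep the UTC value in the examination record and convert only for presentation. Windows 10 writes a different stream version and is deliberately rejected here rather than misparsed.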