•  
  •  
 

Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)

Abstract

The introduction of Jumplists in Windows 7 was an important feature from a forensic examiners viewpoint. Jumplist configuration files can provide the examiner with a wealth of information relating to file access and in particular: dates/times, Volume GUIDs and unique file object IDs relating to those files. Some of the information in the Jumplist could be used to build a more precise timeline relating to system and file usage. In this article, we analyse the structure of a Jumplist configuration file and in particular a record from a Jumplist configuration file and highlight some of the important entries therein.

References

Andersson, A., & Ottmann, T. (1991). Faster uniquely represented dictionaries. Paper presented at the Foundations of Computer Science.

Brönnimann, H., Cazals, F., & Durand, M. (2003). Randomized Jumplists: A Jump-and-Walk Dictionary Data Structure Lecture Notes in Computer Science, 2607/2003, 283-294.

Hedgehog. (2011). JumpList Launcher. Retrieved 18 April 2011, from http://en.www.ali.dj/jumplist-launcher/ MSDN. (2011a). Taskbar Extensions. Retrieved 18 April 2011, from http://msdn.microsoft.com/de-de/library/dd378460(vs.85).aspx#jump_lists

MSDN. (2011b). SHAddToRecentDocs Function. Retrieved 12 April 2011, from http://msdn.microsoft.com/en-us/library/bb762105(v=vs.85).aspx

Ottman, T. (1991). Trees — a personal view Lecture Notes in Computer Science, 555/1991, 243-255.

Regdat. (2011). Jumplist Backup Restore. Retrieved 12 April 2011, from http://www.regdat.com/

Smulikowski, P. (2009). First Look at the Windows 7 Forensics - Forensic implications of the new Windows 7. University of Strathclyde, Strathclyde.

Wilson, C. (2005). Volume Serial Numbers and Format Date/Time Verification. Retrieved 18 April 2011, from http://www.digitaldetective.co.uk/documents/Volume%20Serial%20Numbers.pdf

Download

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.