• DFIR Resources
  • A New Method to Scrutinize a Windows Jump List from Portable Applications

A New Method to Scrutinize a Windows Jump List from Portable Applications

Hot
198 1

DFIR Resources

Analysis - Devices & OSs
Jumplist
The examination and usage of Jump Lists
structure of Windows 7 has attracted forensic and
investigation application for capturing the user activity on a
system. However, the observation of the Jump Lists by
portable application is very limited. This paper proposed a
new methodology to scrutinize the behavior of Windows
Jump List (WJL) by opening and editing a system’s local file
on executing portable applications. The experiment included
the creation of Windows 7 and later versions, using Virtual
Machine and installation of Portable Office Editor on
Removable device. These portable applications included
“JartePortable” and “FocusWriterPortable” for opening and
editing a .docx file respectively, and “PDFXchangeViewerPortable”
for opening / editing a .pdf file
residing on local system. Additionally, this approach notifies
the impact of opening a local file from removable device on
associated application’s WJL and it has significant
importance in an anti-forensic scenario where a user tries to
modify a system’s local files through a portable application.
Experiments show successfully on several artifacts, that holds
information on Jump Lists, including; Jump List entry, MAC
Timestamp, File size and Entry Modified Timestamp. The
results show that a user can bypass the Windows Jump lists
by accessing system’s local files through portable applications
from removable external storage device.

Attachments

  • File Description
    File Size
    File Type
    Downloads
  • A_New_Method_to_Scrutinize_a_Windows_Jum
    1 MB
    4

User comments

There are no user comments for this listing.
Already have an account? or Create an account