Abstract
Jump lists, which were introduced in the Windows 7 desktop operating system, have attracted the interest of researchers and practitioners in the digital forensics community. The structure and forensic implications of jump lists have been explored widely. However, little attention has focused on anti-forensic activities such as jump list evidence modification and deletion. This chapter proposes a new methodology for identifying deleted entries in the Windows 10 AutoDest type of jump list files and recovering the deleted entries. The proposed methodology is best suited to scenarios where users intentionally delete jump list entries to hide evidence related to their activities. The chapter also examines how jump lists are impacted when software applications are installed and when the associated files are accessed from external storage devices. In particular, artifacts related to file access can be recovered even after entries are removed from the jump lists and the software applications are uninstalled. These artifacts include the lists of most recently used and most frequently used files; file modification, access and creation timestamps; names of applications used to access files; file paths; and the volume names and serial numbers from where the files were accessed. The results demonstrate that the analysis of jump lists is immensely helpful in constructing the timelines of user activities on Windows 10 systems.
Copyright information
© 2018 IFIP International Federation for Information Processing
About this paper
Cite this paper
Singh, B., Singh, U., Sharma, P., Nath, R. (2018). Recovery of Forensic Artifacts from Deleted Jump Lists. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIV. DigitalForensics 2018. IFIP Advances in Information and Communication Technology, vol 532. Springer, Cham. https://doi.org/10.1007/978-3-319-99277-8_4
DOI: https://doi.org/10.1007/978-3-319-99277-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99276-1
Online ISBN: 978-3-319-99277-8
eBook Packages: Computer Science, Computer Science (R0)