Microsoft Word Jump List Tidbit
Sunday, March 11, 2012
Performing examinations on the Windows 7 (and possibly 8) operating systems is going to become the norm. In anticipation of this occurring, I’m preparing myself by improving my processes, techniques, and knowledge about the artifacts found on these operating systems. One artifact others brought to my attention but I never tested until recently are Jump Lists (Harlan has an excellent write-up about Jumplist Analysis). I wanted to share a quick tidbit about Microsoft Word’s Jump List.
I knew Jump Lists were a new artifact in Windows 7 which contain information about a user’s activity on a system. I thought the user activity information would resemble something similar to link files showing what files were accessed as well as timestamps. I didn’t fully realize how much more information may be available about a user’s activity in Jump Lists until I started using Harlan’s jl.pl script included with WFA 3/e (my WFA 3/e five star review can be found here). I ran a simple test. Create a Word document and see what information jl.pl parses from Word’s Jump List located in the AutomaticDestinations folder. The following is a snippet from the output:
C:\Export\jumplist-research\AutomaticDestinations\adecfb853d77462a.automaticDestinations-ms
Thu Mar 8 02:20:50 2012 C:\fake-invoice.docx
Thu Mar 8 02:17:20 2012 C:\logo.png
Thu Mar 8 02:17:03 2012 C:\Users\test\AppData\Roaming\Microsoft\Templates
C:\Users\test\AppData\Roaming\Microsoft\Templates\TP030002465.dotx
Now let’s breakdown the output above. I identified the Microsoft Word 2007 Jump List (adecfb853d77462a.automaticDestinations-ms) using the list of Jump List Ids on the Forensic Wiki. The last entry shows I accessed a document called fake-invoice.docx at 02:20:50 on 03/08/2012. The other two entries contain information that was previously not available when examining link files. The second entry shows I used Microsoft Word to access an image called logo.png 30 seconds before accessing the fake-invoice.docx document. In addition, the third entry shows the first thing I accessed was a Microsoft Office template. The recorded activity in the Jump List shows exactly how I created the document. I first selected a template for an invoice and made a few changes. To make the invoice look real I imported a company’s image before I saved the document for the first time at 02:20:50.
When analyzing user activity prior to Windows 7 we could gather a lot of information about how a document was created. We could use the information to try to show how the document was created but it wasn’t like the play by play found in the Jump List. Microsoft Word records the files imported into a document and this information may be useful for certain types of cases. For me this information is going to be helpful on financial cases where templates are used to create fraudulent documents. Not every Jump List exhibits this behavior though. I tested something similar with PowerPoint and the following snippet shows what was in the Jump List.
C:\Export\jumplist-research\AutomaticDestinations\f5ac5390b9115fdb.automaticDestinations-ms
Thu Mar 8 02:31:03 2012 C:\Users\Public\Videos\Sample Videos
Thu Mar 8 02:30:32 2012 C:\Users\Public\Pictures\Sample Pictures
Thu Mar 8 02:27:46 2012 C:\Users\test\Desktop
C:\Users\test\Desktop\Presentation1.pptx
As the output shows, PowerPoint only records the objects imported down to the folder level. The entries don’t show the video and image’s filenames I added to the presentation. However, Microsoft Word records the filenames and this is something to be aware of going forward because it provides more information about what a user has been doing with the program.
Nothing ground breaking but just something I noticed while testing.
I knew Jump Lists were a new artifact in Windows 7 which contain information about a user’s activity on a system. I thought the user activity information would resemble something similar to link files showing what files were accessed as well as timestamps. I didn’t fully realize how much more information may be available about a user’s activity in Jump Lists until I started using Harlan’s jl.pl script included with WFA 3/e (my WFA 3/e five star review can be found here). I ran a simple test. Create a Word document and see what information jl.pl parses from Word’s Jump List located in the AutomaticDestinations folder. The following is a snippet from the output:
C:\Export\jumplist-research\AutomaticDestinations\adecfb853d77462a.automaticDestinations-ms
Thu Mar 8 02:20:50 2012 C:\fake-invoice.docx
Thu Mar 8 02:17:20 2012 C:\logo.png
Thu Mar 8 02:17:03 2012 C:\Users\test\AppData\Roaming\Microsoft\Templates
C:\Users\test\AppData\Roaming\Microsoft\Templates\TP030002465.dotx
Now let’s breakdown the output above. I identified the Microsoft Word 2007 Jump List (adecfb853d77462a.automaticDestinations-ms) using the list of Jump List Ids on the Forensic Wiki. The last entry shows I accessed a document called fake-invoice.docx at 02:20:50 on 03/08/2012. The other two entries contain information that was previously not available when examining link files. The second entry shows I used Microsoft Word to access an image called logo.png 30 seconds before accessing the fake-invoice.docx document. In addition, the third entry shows the first thing I accessed was a Microsoft Office template. The recorded activity in the Jump List shows exactly how I created the document. I first selected a template for an invoice and made a few changes. To make the invoice look real I imported a company’s image before I saved the document for the first time at 02:20:50.
When analyzing user activity prior to Windows 7 we could gather a lot of information about how a document was created. We could use the information to try to show how the document was created but it wasn’t like the play by play found in the Jump List. Microsoft Word records the files imported into a document and this information may be useful for certain types of cases. For me this information is going to be helpful on financial cases where templates are used to create fraudulent documents. Not every Jump List exhibits this behavior though. I tested something similar with PowerPoint and the following snippet shows what was in the Jump List.
C:\Export\jumplist-research\AutomaticDestinations\f5ac5390b9115fdb.automaticDestinations-ms
Thu Mar 8 02:31:03 2012 C:\Users\Public\Videos\Sample Videos
Thu Mar 8 02:30:32 2012 C:\Users\Public\Pictures\Sample Pictures
Thu Mar 8 02:27:46 2012 C:\Users\test\Desktop
C:\Users\test\Desktop\Presentation1.pptx
As the output shows, PowerPoint only records the objects imported down to the folder level. The entries don’t show the video and image’s filenames I added to the presentation. However, Microsoft Word records the filenames and this is something to be aware of going forward because it provides more information about what a user has been doing with the program.
Nothing ground breaking but just something I noticed while testing.
Great post, Corey, thanks for sharing.
While this illustrates the "first I did it, and then I analyzed it" approach, it does show the possibilities of what can be achieved. Stuff like this doesn't have to be ground breaking...if it opens an analyst's eyes to what might be possible within the data that they're looking at, it's valuable.
What does that look like in a timeline?
Harlan,
Good point and great question. I came across this as I was setting up a fake case for a presentation. I only created a manual timeline showing how the information appears with a few other artifacts. The timeline is in the slide deck I'm posting either tomorrow or Wed.
Since you mentioned it I'm curious how a system timeline would look though. My manual timeline only shows certain artifacts but it excludes alot (filesystem, iehistory, etc..). I'll try to put one together showing how Jump Lists look in a system timeline. Hopefully I can get it finished by next week.
Harlan.
The "first I did it, and then I analyzed it" approach is something I think should be used a lot more than it is today.
There are too many analysts out there that just make their analyses using the "click 'n. Run" method and taking the output from some obscure programme downloaded from the net.
In my eyes you should always test the output via the "first I did it, and then I analyzed it" method... Thats the only way you can be 100% certain of the output..
I think I'm missing something. I understand the flow of the items found in the MS Word Jump List, but I fail to see how the listing tells the examiner what was action was taken. How do you discern that a photo was inserted, that the "final" invoice was saved. I realize that other forensic evidence, like the metadata of the items in question, can be used to establish a theoretical order of actions, but the blog implies this can be seen from directly reviewing the Jump List entries, and I don't see that as being the case. Please enlighten me.
@CyForensics
I ran a test. Open a new document, pick a template, import an image, and then save the document. I compared my actions to what I found in the jump list. That's how I knew the order of the actions.
If I didn't know the order of actions then I would try to correlate the info in the jump list with other information on the system. File system, document metadata, document content, etc.. It would help to explain the actions taken on the system. The correlation may be a little more clear in my Volume Shadow Copy Timelines post I'm putting up within the next few days. It shows all the info in a timeline and helps show how a document was created.
Did this answer your question?
I guess my point is that if you just open the png image after you had opened the MS Word document without inserting the image into the document, it would seem (untested of course) that the jump list would be EXACTLY the same as if you opened the png image after you had opened the MS Word document and DID insert the image into the document. Therefore, the jump list would only tell you the png image had been accessed by the user following the opening of the MS Word document. Whether the image was inserted into the document, not inserted, copied elsewhere, or whatever is NOT determinable from the jump list alone.
I reread my original post and realize I moved the focus to the ORDER of the actions. My interest is not in the ORDER of the actions but in WHAT actions took place. I think the only way to know the WHAT aspect of the actions represented by the jump list entries is to either have prior knowledge (such as the tester knowing what actions he/she took during the test) or comparing the jump list entries to the other forensic data on the computer.
My apologies for the misdirection. Thanks for writing this blog. Excellent information.
@CyForensics
> untested of course
I'm assuming you didn't test the scenario to see if you get the results you expected?
> EXACTLY the same as if you opened the png image
Jump lists are application specific which means the information in one application's jump list may not reflect what is in another. I mention this because the scenario you laid out involves different applications. One being Word to open a document and another program to view the image. As a result Word's jump list will look drastically different from what you described and an image geting imported. See my tests below.
> the jump list would only tell you the png image had been accessed by the user
The link files on the system show a user accessed a document before accessing an image. However, Microsoft Word's jump list shows it was used to access the image. To demostrate I ran another test. I listed the tests below and highlighted what was in Word's jump list
1. opened document with Word and opened image with Windows photo viewer <- Word jump list showed the program only accessed document
2. opened document with Word, opened image with Windows photo viewer, copied image, and pasted into Word <- Word jump list showed the program only accessed document
3. opened document with Word and imported image into Word <- Word jump list showed program accessed document and image
As the tests show, the jump list where an image was imported reference the picture while the scenario you laid out didn't. Also, even copying an image into Word doesn't isn't referenced in the list
> is NOT determinable from the jump list alone
The only action I can do with Word to get a specific image to appear in its jump lists is to import the image into Word. The behavior you describe reflects what can be determined with link files (user accessed document followed by accessing an image). Word's jump list provides additional information and so far an image appearing is reflective of an import.
> My interest is not in the ORDER of the actions but in WHAT actions took place.
Understood but I think your second post brought the focus back to the actions
> I think the only way to know the WHAT aspect .....
I disagree. Testing can reveal how something behaves and knowing how something behaves helps you explain the information you see on a system. For example, I did extensive testing on how numerous actions against a Word/Excel documents alters their metadata. I can now examine metadata and say with confidence what actions in my testing would result in that metadata. i.e. a print date prior to a create date or create date and modified date being the same. In my testing with jump lists the only action I found so far for an image to appear in a Word jump list is for it to be imported (viewing it in another app or copying the image has no effect). Without testing I would only be guessing what actions occured but with testing I can reference what actions result in the data I'm seeing.
> comparing the jump list entries to the other forensic data on the computer
Agreed, I wouldn't make a conclusion based on one artifact. I would find other information to collaborate what I'm seeing. If the jump list showed an image and I found the image and it looked exactly like the one inside the Word document then that would strengthen the image may have been imported. Other information on the system could provide additional context about what occured.
> My apologies for the misdirection.
No need to apologize
> Thanks for writing this blog. Excellent information
Thanks for reading and the discussion.
Thank you for enlightening me. Obviously, I failed to correctly comprehend the nature of Jump Lists and the data they contain. I have a much clearer understanding now, and I will research further from here.
I wasn't keeping the "application specificness" of the Jump List in mind. Thanks for setting me straight.
I have recently written an article based on my recent thesis 'An Assessment of the Forensic Value of Windows 7 Jump Lists' that highlights the more important results of that research which can be found at http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/
I thought you might like to read it as it seems to be an area of interest for you.
Kind regards,
Rob Lyness
@Rob,
Thanks for the link to your article. I will check it out tomorrow.