Jumplist and File copy
Note:I translated Japanese into English using Google Translate.
Thank you, Google.
I did not know about the artifacts in the Jumplist mentioned below.
http://www.hecfblog.com/2018/07/daily-blog-426-directory-copy-and-paste.html
So new as of at least Windows 10 (this needs to be tested on Windows 7 and Windows 8) there is a now a jumplist that is capturing the full path of every directory that is copy and pasted.
Let's try it.
The copy source folder C:\Pictures has three JPEG image files.
Delete all files in AutomaticDestinations folder.
Using Explorer, copy the C:\Picture folder to E:\.
When you execute copy, you can see that two files were created.
I refer to these contents by using JumpListExplorer. (I took a copy and confirmed it later.)
f01b4d95cf55d32a.automaticDestinations-ms has no related information.
5f7b5f1e01b83767.automaticDestinations-ms contains information on the C:\Pictures folder.
I deleted the file and then operated it, but I noticed that it contains the data before deleting it.
Paste the C:\Pictures folder into E:\.
Check the contents of the JumpList file. Records of the E:\Pictures folder have been added to f01b4d95cf55d32a.automaticDestinations-ms.
5f7b5f1e01b83767.automaticDestinations-ms There is no change in the contents of the file.
Open Example2.jpg under the E:\Pictures folder.
How will JumpList change?
f01b4d95cf55d32a.automaticDestinations-ms
5f7b5f1e01b83767.automaticDestinations-ms
The record of Example 2.jpg was added to the 5f7b5f1e01b83767.automaticDestinations-ms file.
It's an interesting file.
HM, I feel that I need to do a bit more testing.
<2018/07/31 add>
Look at the mru time of the entry versus the creation time of the directory
— David Cowen (@HECFBlog) July 30, 2018
</add>
ps
Unfortunately I am not familiar with content that Google Translate can not use.
That is why I appreciate being posted on the blog.
Reference URL:
https://www.syntricate.com/files/computer-forensics/WINDOWS%2010%20ARTIFACT%20LIST.pdf
