@port139 Blog

This blog basically deals with digital forensics techniques, but there is a high probability that the content contains errors.

Jumplist and Clear File Explorer history

Note: I translated the Japanese into English using Google Translate. Thank you, Google.

Hop Step Jumplist.

Display the file 5f7b5f1e01b83767.automaticDestinations-ms in a hex viewer.
Only the 'DestList' stream exists in this file.

I started Explorer and viewed 4 image files on the E: drive.

Check the contents of the Jump List file. Four records that refer to the image files are displayed.

Clear the File Explorer history.

Check the contents of the Jump List file. The four records have disappeared from the Jump List.

However, the stream data seems to remain in the Jump List file. I studied the structure of AutomaticDestinations files in a past blog post.

Save the range of LNK data as a binary file and try to parse it with LECmd.

Carve the Jump List file using the bulk_extractor 'winlnk' option.

Two records showing the JPEG file names were reported.
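To show what the LECmd and bulk_extractor steps above are recovering, here is an added example (not from this post and not part of any of the tools it uses) that scans a raw Jump List file for MS-SHLLINK headers that survive after DestList is cleared and decodes each hit's timestamps and LocalBasePath. The sample bytes are constructed; the helper make_lnk and the constant WRITE_FT are assumptions of this example, not values from the post.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK ShellLinkHeader starts with HeaderSize 0x4C and LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO = 0x1, 0x2  # LinkFlags bits: LinkTargetIDList / LinkInfo present
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO-8601 string."""
    return (FT_EPOCH + timedelta(microseconds=ft // 10)).isoformat()

def parse_lnk(buf, off):
    """Decode the ShellLinkHeader at buf[off:] and, if LinkInfo is present, its LocalBasePath."""
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", buf, off + 20)
    rec = {"offset": off, "flags": flags, "attributes": attrs, "size": size, "path": None,
           "created": filetime(ctime), "accessed": filetime(atime), "written": filetime(wtime)}
    pos = off + 0x4C
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte IDListSize followed by the item IDs
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 7 DWORD header; bit 0 of LinkInfoFlags => LocalBasePath present
        _, _, li_flags, _, base_off = struct.unpack_from("<5I", buf, pos)
        if li_flags & 0x1:
            end = buf.index(b"\x00", pos + base_off)
            rec["path"] = buf[pos + base_off:end].decode("cp1252", "replace")
    return rec

def carve_lnk(buf):
    """Scan raw bytes (e.g. an .automaticDestinations-ms file) for LNK headers; skip unreadable ones."""
    out, off = [], buf.find(LNK_MAGIC)
    while off != -1:
        try:
            out.append(parse_lnk(buf, off))
        except (struct.error, ValueError):
            pass  # header matched but the body is truncated or overwritten
        off = buf.find(LNK_MAGIC, off + 1)
    return out

def make_lnk(path, wtime):
    """Build a constructed minimal LNK (header + LinkInfo with LocalBasePath) for the sample below."""
    base = path.encode("cp1252") + b"\x00"
    info = struct.pack("<7I", 29 + len(base), 28, 0x1, 0, 28, 0, 28 + len(base)) + base + b"\x00"
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_MAGIC[4:], HAS_LINKINFO, 0x20,
                      wtime, wtime, wtime, 123456, 0, 1, 0, 0, 0, 0)
    return hdr + info

# Constructed sample: zeroed sectors where DestList used to be, two LNK stream bodies, then junk.
WRITE_FT = 131779440000000000  # FILETIME for 2018-08-05T12:00:00Z
SAMPLE = (b"\x00" * 512 + make_lnk("E:\\photo\\IMG_0001.jpg", WRITE_FT) + b"\x00" * 64
          + make_lnk("E:\\photo\\IMG_0002.jpg", WRITE_FT) + b"\xff" * 32)
```

On a real file, `carve_lnk(open(path, "rb").read())` lists every surviving header with its offset, so hits can be compared against what the DestList stream currently references.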

I try carving with PhotoRec. Change the PhotoRec options.

In the Geometry options, set the sector size to 1.

In the File Opt settings, only lnk is selected.

Three files were extracted.

Validate the recovered LNK files.

The file f0003776.lnk is broken, but the link destination can still be checked.

Testing environment: Windows 10 1803

Reference URLs:

www.hecfblog.com

port139.hatenablog.com

http://www.mitec.cz/ssv.html

articles.forensicfocus.com