As has been previously noted, the BlackBag blog team is composed of several ex-law enforcement professionals with a dedication to sharing their knowledge with fellow investigators. For this entry, we would like to turn things over to one of our experienced forensic analysts and allow him to discuss a few types of Windows-specific artifacts that have proven particularly useful in examinations.
Jump lists can serve multiple purposes, the most notable of which is to contain a list of recently opened documents/files. For example, a jump list associated with Windows Media Player will contain entries for files that have recently been opened using the Windows Media Player application.
The majority of the examinations I deal with on a day-to-day basis involve videos of a contraband nature. During one such examination a user was denying that he had ever viewed a specific video file. It can often be difficult to determine whether or not a user actually has viewed a specific file. Therefore, for this particular examination, the importance of reviewing jump lists came into play. By reviewing the jump list associated with Windows Media Player on the user's system, not only was I able to show that the user had viewed the file, but I was also able to give a date and time that the file was viewed.
In the past, parsing a jump list into a readable format required a third-party tool. With BlackLight, jump list files can now be reviewed quite easily within the single analysis tool. This screenshot example shows just how straightforward the process is.
Jump lists created for specific applications are displayed in the left pane. Select a jump list, and the link files that reside within that particular jump list are displayed in the right pane. Choose a file in the right pane and select the Preview button in the 'File Content Viewer' to view information relating to the file. From the 'File Content Viewer,' individual rows shown in the 'Preview' view can be tagged for reporting purposes.
Link (.lnk) Files
Much like a jump list entry, a link file can potentially signify that a specific file of interest was opened by a user. This is because, by default, Windows creates link files for files that have recently been opened. A link file is essentially a shortcut to the target file that was opened. Once a link file is created, its MAC dates/times signify when that link file was opened: the created timestamp marks the first open, and if the file is opened again, the modified timestamp updates to the most recent date/time it was opened. In many cases, the examiner reviews notable picture files in an attempt to determine whether or not those picture files have been opened by a user. The fact that a link file exists for a file, with the filename of the target file and at the same location as the target file, but with different created and modified dates, will go a long way in driving home the fact that a user viewed that specific file at least two times.
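As an added example (not BlackBag's or BlackLight's code), the following parses the fixed ShellLinkHeader of a .lnk file as laid out in Microsoft's MS-SHLLINK specification and applies the created-versus-modified reasoning above. It assumes the header layout described in that specification; the .lnk bytes and the link file's own filesystem timestamps are constructed sample values. One caveat it makes visible: the three timestamps embedded in the header describe the target file as it was when the link was written, so the first/last-open inference has to come from the link file's own filesystem metadata, not from the header.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK): a fixed 76-byte (0x4C) little-endian structure.
# Fields: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime,
# AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, 10 reserved bytes.
HEADER_FMT = "<I16sIIQQQIiIH10x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76
# {00021401-0000-0000-C000-000000000046} with its first three GUID fields little-endian
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample header."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_shell_link_header(data):
    """Validate and parse the fixed header. The timestamps returned are the TARGET's
    creation/access/write times as recorded when the link was written."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a .lnk file")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize, _, _, _ = struct.unpack_from(HEADER_FMT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link header")
    return {"link_flags": flags, "file_attributes": attrs, "file_size": fsize,
            "create_time": filetime_to_datetime(ctime), "access_time": filetime_to_datetime(atime),
            "write_time": filetime_to_datetime(wtime)}

def open_count_hint(link_created, link_modified):
    """Reasoning from the post, applied to the LINK FILE's own filesystem timestamps:
    the link is created on first open and its modified time is refreshed on later opens."""
    if link_modified <= link_created:
        return f"opened once, at {link_created:%Y-%m-%d %H:%M}"
    return f"opened at least twice: first {link_created:%Y-%m-%d %H:%M}, last {link_modified:%Y-%m-%d %H:%M}"

# Constructed sample: header for a link whose 700 MB target was last written 2020-01-15 10:30 UTC.
TARGET_WRITE = datetime(2020, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_LNK = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID,
                         0x8B,   # IsUnicode | HasRelativePath | HasLinkInfo | HasLinkTargetIDList
                         0x20,   # FILE_ATTRIBUTE_ARCHIVE
                         datetime_to_filetime(TARGET_WRITE), datetime_to_filetime(TARGET_WRITE),
                         datetime_to_filetime(TARGET_WRITE), 734_003_200, 0, 1, 0)
# Constructed sample: the link file's own created/modified times, as read from the filesystem.
FIRST_OPEN = datetime(2020, 2, 1, 21, 5, tzinfo=timezone.utc)
LAST_OPEN = datetime(2020, 2, 9, 22, 40, tzinfo=timezone.utc)

if __name__ == "__main__":
    hdr = parse_shell_link_header(SAMPLE_LNK)
    print("target size:", hdr["file_size"], "target last written:", hdr["write_time"])
    print(open_count_hint(FIRST_OPEN, LAST_OPEN))
```

On real evidence, `FIRST_OPEN` and `LAST_OPEN` would be the link file's created and modified timestamps from the image's filesystem metadata, while the header fields corroborate which target the link pointed to.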
With BlackLight, examiners are now able to view link files found on media by navigating to the 'Actionable Intel' view, selecting the File Knowledge tab, and choosing the Link Files radio button.
This BlackLight feature makes examinations more manageable by displaying link files in an easily readable format. There is no longer a need to search in various locations for link files when they can simply be reviewed all in one location and sorted by field.
In your next examination, it may be extremely important to show that a particular file was opened, and jump lists and link files are often crucial means of making such a determination. Now that BlackLight has the capability of parsing jump lists and link files, shedding light on certain user activity has become even easier.