Hi All,
Does anyone know whether X-Ways 18.8, when parsing jumplists from Win 10, decodes the application type by default and if yes, where can I find it? Or do I have to go on-line to decode it?
Also I have tried to use Jumplister v1.1.0 but this does not seem to parse jumplists from Win 10 properly.
So if both above are NO
Do you have any good program/methodology that I can apply to parse Jumplists from Windows 10?
If NOT, has anyone had this App ID? = fc866c38e3681848 Automatic Destinations - it looks like a player to me but not sure which one.
So far I have checked IEF, Jumplister and on-line - nothing matching this ID. Is there any calc that can parse it?
Do you have the actual file/stream?
Can you have a look at it in a hex viewer/editor (or maybe in a .lnk file parser)?
Like
http//
The format is documented, see:
http//
and
http//
(via google web cache)
http//
Unless of course the stupid Windows 10 has changed format. ?
Check also this
http//
(useful for verification)
jaclaz
I discussed briefly here http://www.forensicfocus.com/Forums/viewtopic/t=12527/ that the structure of the JumpLists in Windows 10 had changed slightly.
Although I haven't followed up in earnest, I have seen Windows 10 machines with JumpLists using both the old and new structure.
Jaclaz
Thanks for your suggestions, I have the entire Jumplist intact but by browsing through .lnk orphans I could not find any signs of any .exe - is this what you asked for?
I have tried JumpListView v1.04 but again it did not pull out what is the app name.
I have checked Hexacorn already, no such application yet - and as far as I understand the calc utility, this is to ascertain whether this is the one, but from the APP to the APP ID, NOT the other way round.
So I think that the plan now is to run the machine in a VM and see what movie app it is. Hopefully it is still there and it is still associated with the video files I am after, and then use this calc.
Use Eric Zimmerman's jump list tool, as it can handle Win10, then you can work out the associated app
http//
I haven't updated Jumplister since 2013, and as Eric has written newer tools that cover the same areas, I would use his in the first instance. Especially as he tends to review the current assumptions/research when writing new tools.
Also can you look at any prefetch files to see what applications have been run, then use the application paths from those with the AppID Calculator?
I did some googling and looked at various lists of AppID's
https://
https://
http//
And none had that particular ID. I did find one reference to the ID
http//
But the reference did not give any clues as to the originating app.
Woanny
Thanks - but again I have run this with ld & fd and App ID= Unknown
But the output is much better than that from JumpListView v1.04. File path, dates/times and locations are nicely displayed - so, much appreciated Woanny
I guess chaps from Microsoft may know.
If anyone knows the email address of someone from M , please PM me.
Thx
Are there any prefetch files available?
Woany
Yes - they are avail, why?
Because if you can see what applications have been run, you can take the application exe path and use the path with the AppID calculator. If you get a match, then you have found the application that created that particular Jump List value
http//
Jaclaz
Thanks for your suggestions, I have the entire Jumplist intact but by browsing through .lnk orphans I could not find any signs of any .exe - is this what you asked for?
No, I was asking, if you open that file in a hex viewer/editor what do you see at offset 0x72 (114 decimal) <- typical Windows 7/8/8.1
or at offset 0x82 (130 decimal) <- typical of the new format (thanks ssenyl)
That would be the path of the file used; if that file is available, then the file type/format and the modification/access times may help you to find the .exe that was used to open it.
As an example (very simplified), you find there
C:\my_nice_files\my_interesting.pdf
On the system there might be a number of (lesser known) tools/programs that can open .pdf files.
If you look for those executables, you may find two of them (through prefetch, or checking file associations in the Registry, etc.)
C:\Program files\unknownPDF\pdfreader.exe
C:\downloaded\tools\lesserknown\whattheheckpdf.exe
If you try calculating the app ids for those, you may find that one of them is the correct app id.
jaclaz
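As an added example (not jaclaz's code, nor any of the tools named in the thread), this Python script does the last step of that methodology: it computes the AppID for each candidate executable path taken from prefetch and compares it with the one found in the Jump List. It assumes the calculation public AppID calculators describe, a CRC-64 over the UTF-16LE upper-cased path with the reflected polynomial 0x92C64265D32139A4 and an all-ones initial value; the known-folder GUID substitution some write-ups describe for paths under Program Files or System32 is not implemented, so confirm any match with a calculator such as Hexacorn's.

```python
# Added example, not from the thread. Assumptions: AppID = CRC-64 (reflected
# polynomial 0x92C64265D32139A4, init 0xFFFFFFFFFFFFFFFF, no final XOR) over the
# UTF-16LE bytes of the upper-cased path. Known-folder substitution is NOT done.

APPID_POLY = 0x92C64265D32139A4
MASK64 = (1 << 64) - 1


def _crc64_table(poly=APPID_POLY):
    """Build the 256-entry lookup table for a reflected (LSB-first) CRC-64."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _crc64_table()


def crc64(data: bytes) -> int:
    """Table-driven reflected CRC-64 with an all-ones initial value."""
    crc = MASK64
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc & MASK64


def appid_for_path(path: str) -> str:
    """Return the 16-hex-digit AppID for an application path (case-insensitive)."""
    normalised = path.upper().encode("utf-16-le")
    return f"{crc64(normalised):016x}"


def find_matching_app(target_appid: str, candidate_paths):
    """Return the candidate paths whose computed AppID equals the target."""
    target = target_appid.strip().lower()
    return [p for p in candidate_paths if appid_for_path(p) == target]


if __name__ == "__main__":
    # Constructed sample: executable paths as they might be read from prefetch.
    candidates = [
        r"C:\Program Files\unknownPDF\pdfreader.exe",
        r"C:\downloaded\tools\lesserknown\whattheheckpdf.exe",
    ]
    for p in candidates:
        print(appid_for_path(p), p)
    print(find_matching_app("fc866c38e3681848", candidates) or "no match")
```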