Case study: Using jump lists to identify fraudulent documents
Section snippets
Creation of a fraudulent document and its forensic investigation
In Fig. 1, a fraudulent purchase order has been created by Larry Smith, Controller. Larry had authority to clear the purchase order through payables and ensure it would be paid.
The Jumplister
To further identify Larry's activities on his work computer, it is necessary to find the hidden artifacts in his Windows 7 jump list. The dates on the original file within the artifacts do not change and thus provide solid forensic evidence of the actual date the file was created and when it was last accessed. In addition, the artifacts show the exact trail that Larry used to create the fraudulent purchase order. The format of these jump list files needs to be cleaned up or “parsed” as
Summary
The case presented here was a financial fraud, but jump list artifacts recorded within Windows 7 extend beyond the creation of fraudulent purchase invoices. In each of those instances, the initial use of JumpLister can increase the likelihood of quickly identifying the perpetrators of fraudulent or destructive acts. JumpLister is one method to identify forensic information without a great deal of difficulty and without forensically damaging electronic evidence. Such digital evidence remains
Cited by (5)
Program execution analysis in Windows: A study of data sources, their format and comparison of forensic capability
2018, Computers and Security
Citation Excerpt: The authors suggest that further research can be focused on timeline development based on the information extracted from Jump List data files. Further, Smith (2013) used Jump Lists as a source for detection of fraudulent documents created on a Windows system. The author said that the information recorded in Jump List data files can be used to reveal the forensic evidence in financial fraud cases, as these files contain the complete trail of file opening and creation activities.

A forensic insight into Windows 10 Jump Lists
2016, Digital Investigation
Citation Excerpt: Lallie and Bains (2012) presented the structure of Jump Lists in Windows 7. Smith (2013) described a methodology to identify fraudulent documents using Jump Lists. There are many tools (Woan, 2013; MiTec, 2010; NirSoft, 2013; TZWorks, 2013) available to parse and view Jump Lists in Windows 7 and Windows 8, but none of them could successfully parse Jump Lists in Windows 10 as few fields in DestList stream are modified or added in Windows 10.

A visualization jump lists tool for digital forensics of windows
2020, KSII Transactions on Internet and Information Systems

Recovery of forensic artifacts from deleted jump lists
2018, IFIP Advances in Information and Communication Technology

Digital forensic artifacts of the cortana device search cache on windows 10 desktop
2016, Proceedings - 2016 11th International Conference on Availability, Reliability and Security, ARES 2016