Using jump lists to identify fraudulent documents

doi:10.1016/j.diin.2012.11.002

Digital Investigation

Volume 9, Issues 3–4, February 2013, Pages 193-199

https://doi.org/10.1016/j.diin.2012.11.002 Get rights and content

Abstract

Jump lists show the file opening activity of a computer user. When a computer user wants to know the most recent file they opened, a jump list can provide that information. Windows 7 displays jump lists for recently used files, but more importantly for investigators, it also records hidden jump list artifacts. These hidden jump list artifacts reveal the complete trail a fraudster follows in creating fraudulent documents or to perform other illegal activities when using their computers. Such jump list artifacts can remain on the computer's drives for years. The paper describes a method that can be used to identify artifacts and their potential for use as forensic evidence in a financial fraud case.

Section snippets

Creation of a fraudulent document and its forensic investigation

In Fig. 1, a fraudulent purchase order has been created by Larry Smith, Controller.⁵ Larry had authority to clear the purchase order through payables and ensure it would be paid.

The Jumplister

In order to further identify Larry's activities on his work computer, it is necessary to find the hidden artifacts in his Windows 7 jump list. The dates on the original file within the artifacts do not change and thus provide solid forensic evidence of the actual date the file was created and when it was last accessed. In addition, the artifacts show the exact trail that Larry used to create the fraudulent purchase order. The format of these jump list files need to be cleaned up or “parsed” as

Summary

The case presented here was a financial fraud, but jump list artifacts recorded within Windows 7 extend beyond the creation of fraudulent purchase invoices. In each of those instances, the initial use of JumpLister can increase the likelihood of quickly identifying the perpetrators of fraudulent or destructive acts. JumpLister is one method to identify forensic information without a great deal of difficulty and without forensically damaging electronic evidence. Such digital evidence remains

References (7)

Barnett, A. The forensic value of the Windows 7 jump list, <http://www.alexbarnett.com/jumplistforensics.pdf>; no date...
H. Carvey
Jump list analysis
(2011)
C. Harrell
Microsoft word jump list tidbit
(2012)

There are more references available in the full text version of this article.

Cited by (5)

Program execution analysis in Windows: A study of data sources, their format and comparison of forensic capability
2018, Computers and Security
Citation Excerpt :
The authors suggests that further research can be focused on timeline development based on the information extracted from Jump List data files. Further, Smith (2013) used Jump Lists for as a source for detection of fraudulent documents created on a Windows system. The author said that the information recorded in Jump List data files can be used to reveal the forensic evidence in financial fraud cases, as these files contain the complete trail of file opening and creation activities.
Nowadays, perpetrators of the crimes are more forensic-aware than ever and take preventive measures to limit or delete the program execution artifacts. Also, analysts are mostly confronted with the computer systems infected with evil programs (for example, malware and ransomware) that are designed to remain hidden whilst running and erase the traces of their executions. Program execution analysis is very meaningful effort to unravel the Indicators of Compromise (IOCs) on an infected system and detect anti-forensic tools used to complicate the investigations. The sources of program executions being created and stored are rising in newer Windows systems, however, to analyze one source in isolation would uncover only a piece of information. Thus, there is a need to take different sources of program executions into account as a whole for comprehensive examination of the digital incident, and a study of forensic capabilities of these artifacts in a comparative manner is needed. To fill the gap, this study considers eleven sources of program executions: Prefetch, Jump Lists, Shortcut (LNK), UserAssist, Amcache.hve, IconCache.db, AppCompatFlags, AppCompatCache, RunMRU, MuiCache and SRUDB.dat, and investigates the effects of running various types of applications (for example, host-based executables, package applications, portable application, and Windows Store Apps) on these artifacts in a Windows 10 Pro client system. The effects of running five popular anti-forensic tools (for example, privacy cleaners) are also observed and a comparison of scrubbing capabilities of these tools is presented. In addition, the study also discusses the forensic significance of examining the considered program execution artifacts. The study will have direct implications on the forensic or malware investigations involving program execution analysis as a subject of interest.
A forensic insight into Windows 10 Jump Lists
2016, Digital Investigation
Citation Excerpt :
Lallie and Bains (2012) presented the structure of Jump Lists in Windows 7. Smith (2013) described a methodology to identify fraudulent documents using Jump Lists. There are many tools (Woan, 2013; MiTec, 2010; NirSoft, 2013; TZWorks, 2013) available to parse and view Jump Lists in Windows 7 and Windows 8, but none of them could successfully parse Jump Lists in Windows 10 as few fields in DestList stream are modified or added in Windows 10.
The records maintained by Jump Lists have the potential to provide a rich source of evidence about users’ historic activity to the forensic investigator. The structure and artifacts recorded by Jump Lists have been widely discussed in various forensic communities since its debut in Microsoft Windows 7. However, this feature has more capabilities to reveal evidence in Windows 10, due to its modified structure. There is no literature published on the structure of Jump Lists in Windows 10 and the tools that can successfully parse the Jump Lists in Windows 7/8, do not work properly for Windows 10. In this paper, we have identified the structure of Jump Lists in Windows 10 and compared it with Windows 7/8. Further, a proof-of-concept tool called JumpListExt (Jump List Extractor) is developed on the basis of identified structure that can parse Jump Lists in Windows 10, individually as well as collectively. Several experiments were conducted to detect anti-forensic attempts like evidence destruction, evidence modification and evidence forging carried out on the records of Jump Lists. Furthermore, we demonstrated the type of artifacts recorded by Jump Lists of four popular web browsers with normal and private browsing mode. Finally, the forensic capability of Jump Lists in Windows 10 is demonstrated in terms of activity timeline constructed over a period of time using Jump Lists.
A visualization jump lists tool for digital forensics of windows
2020, KSII Transactions on Internet and Information Systems
Recovery of forensic artifacts from deleted jump lists
2018, IFIP Advances in Information and Communication Technology
Digital forensic artifacts of the cortana device search cache on windows 10 desktop
2016, Proceedings - 2016 11th International Conference on Availability, Reliability and Security, ARES 2016

View full text

Case studyUsing jump lists to identify fraudulent documents

Abstract

Section snippets

Creation of a fraudulent document and its forensic investigation

The Jumplister

Summary

Jump list analysis

Microsoft word jump list tidbit

Case study
Using jump lists to identify fraudulent documents