Friday, December 30, 2011

Jump List Parser Code Posted

As a follow-up to my recent Jump List Analysis blog post, I've posted the Jump List parser code that I've been talking about.

Again, this isn't a Windows GUI program.  The code consists of two Perl modules that I wrote (and I'm not an expert in either Perl OO programming or writing Perl modules...), and the available archive contains a couple of of example scripts that demonstrate simple uses of the modules. 

I wrote these modules in order to provide maximum flexibility to the analyst.  For example, I use a five-field timeline (TLN) format for a good bit of my analysis, and that's not something I can get from available tools...not without manually exporting the contents of those tools and writing a separate parser.  Also, I know some folks who really love to use SQLite databases (MarkMcKinnon), so providing the code in this manner allows those analysts to write scripts using the Perl DBI to access those databases.

Also, I know that analysts like Corey Harrell will be itching to rip previous versions of Jump List files from VSCs.  As such, scripts can be written to parse just the DestList streams out of previous versions of the *.automaticDestinations-ms Jump List files and correlate that data.

The archive also contains a user guide that I wrote that explains not only the modules but how to use them and what data they can provide to you.

As a side note, I ran the lnk.pl script provided in the archive through Perl2Exe to create a simple, standalone Windows EXE file, and then ran it against the same target file (a shortcut in my own Recent folder) that I had tested the Perl script on, and it worked like a champ.

Once again, I am not an expert.  These modules should be fairly stable, and I wouldn't expect them to crash your box.  However, they are provided as-is, with no warranties or guarantees as to their function. Also, the code uses only core Perl functions and parses the target structures on a binary level, so it's entirely possible that I may have missed a structure or parsed something improperly.  If you find something amiss, I'd greatly appreciate you letting me know, and providing some sample data so that I can replicate and address the issue.

That being said, I hope that folks find this code to be useful.

3 comments:

Tara J. said...

I went looking for the posted code, but it doesn't seem to be in the Google Code repository. Was it taken down?

-Tara

Tara J. said...

I went looking for the posted code, but it doesn't seem to be in the Google Code repository. Was it taken down?

-Tara

Keydet89 said...

Tara,

I took the code down...is this something you need? Contact me at keydet89 at yahoo dot com...