Comments on Windows Incident Response: Jump List Analysis, pt II

H. Carvey (2011-08-24T11:45:37.954-05:00):

Jimmy,

<i>Troy pointed out that autodest files can contain numerous streams.</i>

The field that tracks the number of entries is 64 bits. The numbered streams don't need to be all that large (i.e., length in bytes), but as you add more streams, the DestList stream gets larger.

Jimmy_Weg (2011-08-24T10:47:16.534-05:00):

As far as carving autodest files or streams is concerned, I'd be interested to see how and when they are deleted or purged. Troy pointed out that autodest files can contain numerous streams. I just happened to note that a stream is created even if the target file is not successfully opened. I found that when I was playing with SQLiteSpy. So, perhaps we should take care to state that a file was opened or the user <b>attempted</b> to open the file. That could come about, for example, in cases where the user employed the wrong app or accessed a corrupt file.

I also found that streams were created for files accessed on a USB stick within the same app. Since you mentioned portable apps, SQLiteSpy is a stand-alone. AppID=ecd26b68da14752b.