Comments on Windows Incident Response: Jump List Analysis, Pt III

----

Anonymous (2013-04-30T15:44:01-05:00):

If you haven't looked at @Hexacorn's blog post on AppID and Jumplist filename calculation, be sure to look at it. It sheds light on the way AppIDs are calculated; the exact issue we were discussing here a while back.

http://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/

----

Anonymous (2011-09-09T16:49:58-05:00):

@Jamie:

> ...you can programmatically try variations on the application name, versions, path etc. until you create a hash that matches the AppID.

This is very true and certainly makes sense. I wrote a little about how one could manually compare the AppIDs, but it's a very roundabout way of finding a match. Once the algorithm is discovered, automation of this process would be a viable option -- subsequently easing the pain of doing a manual, one-by-one check.

I totally agree with you that finding out how these AppIDs are calculated would be a discovery of great value. Thanks for the insight on this; it's great to see this issue from many different angles.

-Dan

----

H. Carvey (2011-09-09T10:54:29-05:00):

Anonymous,

> Just decided to add an equally insulting comment...

How was my comment insulting? I have great respect for the work that Andrew did. I guess you can make anything sound the way you like.

How about providing your name?

----

Anonymous (2011-09-09T10:27:43-05:00):

Nope, nothing wrong with saying it again. Just decided to add an equally insulting comment about your research as you made about Registry Decoder on your email list. It was a parody of your earlier comment to Andrew Case:

> "Not taking anything away from Andrew's efforts (much applause to him) but this capability has been available through other means for some time. For example, installing the Parse::Win32Registry module adds the regdiff.pl script to your installation."

----

Jamie Levy (2011-09-09T08:16:00-05:00):

Sorry, forgot to add that once you know the algorithm you can programmatically try variations on the application name, versions, path etc. until you create a hash that matches the AppID. Most likely you'd probably know the program name, location and maybe even version if it were still on the acquired disk... That way it doesn't really matter that you can't get the name from the hash itself; you create the hashes and see if one matches... does that make sense?

----

Jamie Levy (2011-09-09T08:10:55-05:00):

As far as figuring out how AppIDs are calculated: even if an AppID is a one-way hash like a prefetch hash, this is useful. This is because if you know how to calculate the hash, you can validate the AppID of an unknown application in a jumplist on the fly instead of having to do so manually. If you have several unknown applications this saves a lot of time. Since these AppIDs seem to be stable across systems and they are probably a one-way hash calculated using application name, version and path, it just seems like it would be worth figuring out how the hash is calculated... I also agree that creating these lists is a good start.

----

H. Carvey (2011-09-08T20:21:55-05:00):

Anonymous,

> Not taking anything away from your post but this capability of determining execution of a program using data other than access times has been known through similar means for some time.

I'm sure...but the point of the post isn't specifically about determining the execution of a program. It's about identifying which application was run when either the Jump List AppID is unknown, or when the application was deleted.

Besides, is there really anything wrong with saying it again, or pointing out another artifact (Jump Lists) that can be used?

----

H. Carvey (2011-09-08T20:18:09-05:00):

Dan,

I agree that Jamie's suggestion is indeed important, and I wanted to provide a solution that could be used immediately, while (hopefully) efforts are made to pursue identifying the algorithm and developing a solution that way.

Thanks.

----

Anonymous (2011-09-08T20:11:22-05:00):

Thanks for the mention, Harlan.

Jamie's suggestion is one that shouldn't be overlooked. I saw her response as well and thought to myself, "well, it definitely would open a lot of doors to find that out." But like you said, the calculation might be similar to a one-way hash, rendering reverse calculation an exercise in futility.

However, as Jamie said, it's probably more important to confirm that the hash is or is not reversible than to compile lists of AppIDs that may not be maintained forever. I suppose the AppIDs would be most suited for cases in which the suspect is not particularly tech-savvy and installs apps to their default locations.

In any case, I'm glad more people are looking into Jump Lists. Great post.

-Dan

----

Anonymous (2011-09-08T20:08:07-05:00):

Not taking anything away from your post but this capability of determining execution of a program using data other than access times has been known through similar means for some time.