Comments on Windows Incident Response: Jump List Analysis

H. Carvey (2011-09-07T20:40:41.949-05:00):

Thanks, Dan!

Anonymous (2011-09-07T19:30:53.888-05:00):

Harlan,

This was a fantastic post. While the AppID list may not be of *top* priority, I think we can agree that it still holds some value. With that, I've gone ahead and continued adding to the list. I will add them to the ForensicsWiki shortly. I've also written a full blog post with all of the information in addition to resources on Jump Lists. You can view it here:

http://4n6k.blogspot.com/2011/09/jump-list-forensics-appids-part-1.html

Your (and Mark's) work has not gone unnoticed.

-4n6k

Clommo trust (2011-08-19T11:16:34.797-05:00):

@Troy, Agree with you but still this message is important to pass...

H. Carvey (2011-08-17T10:53:08.681-05:00):

Troy,

Thank for you comment. Sorry, I couldn't resist. ;-)

I'm not sure that AppIDs should be a hurdle, as actually parsing the Jump Lists and correlating them with other information on the system (like, through a timeline...) can give you that information.

I think that what's really important here is understanding the value of these artifacts, and where that value can be best realized. There are a lot of "how do I..." questions that are going to come from analysts that will be answered, at least in part, through parsing Jump Lists.

Troy (2011-08-17T08:59:40.765-05:00):

I think there is no question that Jump Lists are important artifacts for many cases. The amount of data they maintain is considerable.

What we need to do in the forensics community is compile a list of application IDs. I provided some in my slides, but that list isn't anywhere close to adequate.

Thanks for you work on this.

Troy