Artifacts

Facebook Artifacts


Frank McClain

Metadata from Posts, Comments, and Messages

Facebook artifacts for Post, Comment, Message (not necessarily in that order):

Comment (ampersand separated):
charset_test=
fb_dtsg=AQDnBZEP
feedback_params={"actor":"4286109357","target_fbid":"8457139026","target_profile_id":"4286109357","type_id":"22","assoc_obj_id":"","source_app_id":"0","extra_story_params":[],"content_timestamp":"1336396534","check_hash":"BEOzzl5d9kPtd56X","source":"1"}
translate_on_load=
add_comment_text_text=mmm, chocolate muffins…;)
add_comment_text=mmm, chocolate muffins…;)
link_data={"qid":"5997325849936326255","mf_story_key":"1055615292714765287"}
comment_replace=optimistic_comment_8228420818_0
comment=1
__user=1181507002
phstamp=165816811066906980789

Notes: Actor and Target_Profile_ID refer to the original post author. Target_FBID is apparently the author of the previous comment. Facebook user IDs encountered during research were 10-digit numeric. Content_Timestamp is Unix format.

Post (ampersand separated):
fb_dtsg=DGRnKTIV
xhpc_composerid=y6ud29_4
xhpc_targetid=1181507002
xhpc_context=home
xhpc_fbx=1
xhpc_timeline=
xhpc_ismeta=1
xhpc_message_text=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
xhpc_message=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
composertags_place=
composertags_place_name=
composer_predicted_city=
composer_session_id=3867336142
is_explicit_place=
audience[0][value]=40
composertags_city=
disable_location_sharing=false
nctr[_mod]=
pagelet_composer __user=1181507002
phstamp=165816811066906980749

Notes: XHPC_TargetID and Pagelet_Composer_User are both the post author’s Facebook ID.

Message (comma separated):
for (;;);{"__ar":1
"payload":{"threads":[{"thread_id":"id.489415769211708"
"last_action_id":"1891362734339000000"
"participants":["fbid:1181507002","fbid:1504162673"]
"name":null,"snippet":"this is a test. i'm looking for forensic artifacts… :)
"snippet_has_attachment":false
"is_forwarded_snippet":false
"snippet_attachments":[]
"unread_count":0
"image_src":""
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"timestamp":1336268935102
"is_canonical_user":true
"is_subscribed":true
"is_canonical_group":false
"group_id":null
"is_canonical_live_listen":false
"live_listen_id":null
"is_chatlogger_thread":false
"root_message_threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"folder":"inbox"
"is_archived":false,"chat_clear_time":-9223372036854775808
"mode":2}]
"actions":[{"message_id":"id.489415769211708"
"threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"author":"fbid:1181507002"
"timestamp":1336268935102
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"is_unread":false
"is_forward":false
"forward_count":0
"forward_message_ids":null,"source":"source:titan:web"
"folder":"inbox","body":"this is a test. i'm looking for forensic artifacts... :) "
"subject":null
"has_attachment":false
"attachments":[]
"raw_attachments":null
"is_html":false
"thread_id":"id.489415769211708"
"action_id":"1891362734339000000"
"action_type":"ma-type:user-generated-message"}]
"end_of_history":[{"type":"thread","id":"id.489415769211708"}]
"roger":null
"payload_source":"server_fetch_thread_info"}}

Notes: Last_Action_ID and Action_ID are the same. Payload, Actions, Thread_ID, and End_of_History all contain the same number, referred to as a message or thread ID. Timestamp (twice) is Unix format. Root_Message_Threading_ID and Threading_ID are the same; this may refer to a profile path.

Filetype: PCAP

Applications Used:

Wireshark
tshark
Digital Detective DCode
Woanware Encoder

Notes: 

Evidence was collected by running Wireshark while creating user content on Facebook: Posts, Comments, and Messages. Text-searching did not always work as anticipated (i.e., finding my keywords), so I also converted the pcap to text using tshark, and ended up creating additional Facebook content to extend testing. This was all performed on a Windows system; no portable apps or devices were used.

I cleaned up the content, transforming URL encoding into ASCII, split out into individual lines, etc. The parenthetical statement for each content type indicates the separator. All metadata associated with the user content has been randomly changed (while preserving the format) to anonymize. Timestamps are the exception.

I have not tried to determine “what it all means.” My main goal was to determine the artifacts differentiating a post, message, and comment.
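As an added example (not part of the original post), the following Python tells the three artifact types apart using the fields noted above: a comment carries add_comment_text and feedback_params, a post carries xhpc_message, and a message is a JSON response prefixed with Facebook's "for (;;);" guard. It URL-decodes the form bodies, strips the guard, normalises "fbid:" authors and converts the timestamps to UTC, treating the 13-digit message timestamp as milliseconds. The three sample bodies are constructed to mirror the anonymised captures above; __user being the logged-in account is an inference from the post sample, where it equals xhpc_targetid.

```python
"""Classify captured Facebook request bodies as Post, Comment or Message and
normalise their author IDs and timestamps. Added example; the sample bodies
are constructed to mirror the anonymised captures on the page."""
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

# Facebook prefixes JSON responses with this guard; it is not valid JSON.
JSON_GUARD = "for (;;);"

# Constructed samples, still URL-encoded as they appear in a pcap.
COMMENT_BODY = (
    "charset_test=&fb_dtsg=AQDnBZEP"
    '&feedback_params={"actor":"4286109357","target_fbid":"8457139026",'
    '"target_profile_id":"4286109357","content_timestamp":"1336396534"}'
    "&add_comment_text=mmm%2C%20chocolate%20muffins...%3B)"
    "&comment=1&__user=1181507002"
)
POST_BODY = (
    "fb_dtsg=DGRnKTIV&xhpc_composerid=y6ud29_4&xhpc_targetid=1181507002"
    "&xhpc_context=home&xhpc_message=If%20I%20can%20find%20a%20post%20cached"
    "&composer_session_id=3867336142&__user=1181507002"
)
MESSAGE_BODY = (
    'for (;;);{"__ar":1,"payload":{"threads":[{"thread_id":"id.489415769211708",'
    '"participants":["fbid:1181507002","fbid:1504162673"],"timestamp":1336268935102}],'
    '"actions":[{"message_id":"id.489415769211708","author":"fbid:1181507002",'
    '"timestamp":1336268935102,"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700",'
    '"body":"this is a test","folder":"inbox"}]}}'
)


def parse_form_body(body):
    """Split an ampersand-separated body into decoded key/value pairs. Done by
    hand rather than with parse_qs so the ';' in a smiley is never a separator."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote(key)] = unquote(value)
    return fields


def parse_message_payload(text):
    """Strip the JSON guard and decode a message/thread response."""
    text = text.strip()
    if text.startswith(JSON_GUARD):
        text = text[len(JSON_GUARD):]
    return json.loads(text)


def epoch_to_utc(value, millis=False):
    """Unix timestamp -> UTC ISO-8601. Message timestamps are milliseconds
    (13 digits), post/comment ones seconds; the sub-second part is dropped."""
    seconds = int(value) // 1000 if millis else int(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def strip_fbid(value):
    """'fbid:1181507002' -> '1181507002'."""
    return value[5:] if value.startswith("fbid:") else value


def classify(record):
    """Return the artifact kind plus the fields an analyst needs, keyed on the
    distinguishing fields the page identifies for each type."""
    if record.lstrip().startswith(JSON_GUARD):
        data = parse_message_payload(record)
        thread = data["payload"]["threads"][0]
        action = data["payload"]["actions"][0]
        return {
            "kind": "message",
            "author": strip_fbid(action["author"]),
            "participants": [strip_fbid(p) for p in thread["participants"]],
            "thread_id": thread["thread_id"],
            "time_utc": epoch_to_utc(action["timestamp"], millis=True),
            "text": action["body"],
        }
    fields = parse_form_body(record.strip())
    if "add_comment_text" in fields and "feedback_params" in fields:
        params = json.loads(fields["feedback_params"])
        return {
            "kind": "comment",
            "author": fields["__user"],          # logged-in account (inferred, see lead-in)
            "post_author": params["actor"],      # original post author, per the page's notes
            "time_utc": epoch_to_utc(params["content_timestamp"]),
            "text": fields["add_comment_text"],
        }
    if "xhpc_message" in fields:
        return {
            "kind": "post",
            "author": fields["xhpc_targetid"],
            "time_utc": None,  # the post body carries no timestamp; use the pcap frame time
            "text": fields["xhpc_message"],
        }
    return {"kind": "unknown"}


def absolute_matches_epoch(action):
    """Cross-check a message's human-readable timestamp_absolute against its
    epoch-millisecond timestamp; a mismatch points at edited or mixed-up records."""
    absolute = parsedate_to_datetime(action["timestamp_absolute"]).astimezone(timezone.utc)
    epoch = datetime.fromtimestamp(action["timestamp"] / 1000, tz=timezone.utc)
    return abs((absolute - epoch).total_seconds()) < 1
```

Running classify() over the three samples yields 2012-05-07 13:15:34 UTC for the comment's content_timestamp and 2012-05-06 01:48:55 UTC for the message, which agrees with the "Sat, 05 May 2012 18:48:55 -0700" the server also returned.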

Join.Me Screen Sharing


Author Name
John Lukach
Submission Title
Join.Me Screen Sharing
Artifact or Program Version
Join.Me on Windows 7
Post Category
Cloud Based
Submission Tags
Join.Me, Cloud, Screen Sharing, Windows
Artifact Description
Join.Me is a cloud screen sharing application that allows remote collaboration and presentations. Additional security information and system requirements can be found by browsing to the product website at: https://join.me

Registry Keys
Join.Me stores information in the following hive structure for each specific user account on the system.

NTUSER.DAT -> \Software\Join.Me\
NTUSER.DAT -> \Software\Microsoft\Windows\CurrentVersion\Uninstall\Join.Me\
USRCLASS.DAT -> \Join.Me\
File Locations
Join.Me has some low-hanging fruit in the form of logs, found in the C:\Users\Username\AppData\Local\Join.Me directory.
Forensic Programs of Use
Using full packet captures, you will be able to see network connections to https://secure.join.me during an active screen sharing session.

RSS Gadget


John Lukach

Feed Headlines 1.1.0.0 for Windows Gadget Platform on Windows 7 x64

Windows Gadget Platform allows the Feeds Headlines (RSS) mini-program to be displayed on the desktop. The RSS Gadget determines which feeds to display, and how many, from settings stored in the C:\Users\Username\AppData\Local\Microsoft\Windows Sidebar\Settings.ini file. These feeds are managed by Internet Explorer using the FeedStore.FeedsDB-MS file found under the C:\Users\Username\AppData\Local\Microsoft\Feeds path. Other files organized in sub-folder structures in this directory, which normally contain a tilde (~), indicate independent feeds and content downloaded by the RSS Gadget.

The NTUSER.DAT registry hive contains three keys under the Software\Microsoft\Feeds path that automate the feed updates. SyncStatus enables automatic feed updates when set to the yes value of “1”. DefaultInterval determines whether updates occur every 15 minutes, 30 minutes, 1 hour, 4 hours, 1 day, or 1 week. SyncTask correlates to a key in the SOFTWARE registry hive, Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization{guid}, whose Last Write timestamp records when the scheduled task last ran to update the feeds.

Outlook Email Saving Options


John Lukach

Outlook 2010 & Aid4Mail 2.4

Microsoft Outlook 2010 by default allows users to save email messages externally in the MSG, OFT, HTML, MHT, or TXT file format. Microsoft Office programs can have add-ins installed that extend the functionality of the software. Verifying whether any add-ins exist in Outlook can be done by checking the SOFTWARE and NTUSER.DAT registry hives for the following path: Microsoft\Office\Outlook\Addins.

Other applications can access email using a Messaging Application Programming Interface (MAPI) connection. One example is Aid4Mail, an email conversion program from Fookes Software that adds export options such as PDF, ZIP, XML, and others. The file formats and export paths used by the application can be found in the C:\Users\\AppData\Roaming\Aid4Mail\Aid4Mail.ini file.

Not every application that uses a MAPI connection leaves as obvious an artifact; which email formats are available is left to the specific developer. One option is to determine which DLLs an executable uses, for example C:\Windows\SysWow64\mapi32.dll or C:\Program Files (x86)\Microsoft Office\Office14\olmapi32.dll. Another is a timeline approach: determine whether a MAPI configuration was accessed abnormally by looking for creation and deletion of C:\Users\\Documents\Outlook Files\~Outlook.pst.tmp without other normal Outlook behavior.

iCloud Service on Windows


John Lukach

iCloud Control Panel for Windows v1.01

Apple is commonly known for artifacts left on the iPhone, iPad, iPod, and Mac, but artifacts can also be found on Windows if the iCloud service was enabled. The goal of this post is to provide the application-level artifacts that could potentially determine who transferred email, contacts, calendar items, tasks, bookmarks, and photos between devices, what was transferred, and when. Note that operating system artifacts such as the registry, event logs, and others will also be available for correlation and validation of your findings.

iCloud maintains detailed logs in C:\Users\\AppData\Roaming\Apple Computer\Logs that establish a timeline of when the features provided by the service were used. Log file names follow the example format asl.221320_23feb12.log, with a new file created on initial start-up and on system reboots. Photo Stream log entries provide more granular information on when photos are transferred, and the Bookmark log entries even disclose the primary Apple ID.

The preferences for each specific user who used the iCloud service can be found in the directory C:\Users\\AppData\Roaming\Apple Computer\Preferences. Specifically, the mobilemeaccounts.plist file contains the account information along with configuration details for each service in use. Additionally, the com.apple.dav.bookmark.msie.plist file is of interest as it lists which bookmarks are being transferred to Internet Explorer or Safari.

Media Stream artifacts are located in the C:\Users\\AppData\Roaming\Apple Computer\MediaStream folder. The root level contains a SQLite database called local.db that holds the Apple ID plus the locations where pictures are uploaded and downloaded on the system. The same path has DL and UL folders with logs indicating the dates and times at which a specific number of files were uploaded or downloaded to the locations defined in the database. In the logs each file is assigned a unique asset number like this one: 0142e0bf66ffe3f3ed826c51e6d3cc4f0eaad7db8d. It would be nice to determine the algorithm Apple uses, which would allow identification of images outside the defined locations, if anyone happens to know.

At this time there do not appear to be any application-specific artifacts for Mail, Calendar, Contacts and Tasks in the iCloud service, so you should be able to use your forensic tool of choice to parse Microsoft Outlook information from the system.

The final artifact of interest: when the iCloud Control Panel is opened, you are presented with the option to manage the service storage. Looking at the Backups section may give you some insight into the number of mobile devices such as iPhones, iPads, and iPods that are archiving to iCloud, along with the last successful completion date.

IOCs and RMOs


Happy New Year to the digital forensics community from everyone here at Forensic Artifacts! We have been busy with some site changes and additions that will hopefully benefit everyone in the upcoming year.

First, we added a new subdomain, http://ioc.forensicartifacts.com, to assist in sharing information based on Mandiant's OpenIOC initiative. The framework and tools released at OpenIOC.org for standardizing and sharing Indicators of Compromise (IOC) allow analysts to quickly identify artifacts of network intrusions. The XML .ioc file produced can easily be shared, allowing other analysts to look for the same artifact on different networks.

We created http://ioc.forensicartifacts.com as a place to categorize and share .ioc files. All that is needed is for an examiner to submit the .ioc file; we then populate the post and offer the .ioc for download, while other users can comment on the post to help make the .ioc stronger. Other than the Mandiant Forum, this is the only repository we know of where users can share the IOCs they have created. By adding IOCs to the Forensic Artifacts website, our goal is to aid forensic examiners by having different types of information all under one roof. This should enhance the usefulness of the site and allow examiners to find the information they need much more efficiently.

Second, Rob Lee and SANS have graciously offered up a SANS Lethal Forensicator Coin for anyone submitting six or more artifacts or IOCs in any given year. There is a proud group of forensic analysts who currently possess one of these Round Metal Objects (RMO) and we are lucky enough to provide another avenue of earning the coin. The history of the coin and the term forensicator can be found on the link above. The rules for earning a coin through Forensic Artifacts are the same as the SANS Forensic Blog, simply submit six artifacts or IOCs in the span of a year and you’ll be eligible to earn the coin.

We’re looking forward to serving the community and watching the site grow. Please let us know if you have any suggestions or changes that will strengthen the site and enhance our ability to serve the digital forensics community.

SSH Server Connections


Author Name
Matonis

Artifact Name
Determine SSH Servers Users Connected To

Artifact/Program Version
PuTTY

Categories
User Activity, Active Machines

Description
SSH is a popular and practical management protocol for system administrators and nefarious users alike. On Windows systems, the multifaceted terminal client PuTTY does not log by default, but it conditionally stores SSH host keys in the registry. This information can help an analyst ascertain historical attributes of user activity and server authenticity during a relevant incident or investigation.

Contained within the user’s NTUSER.DAT hive, the subkeys (outlined below) have the following syntax, which is indicative of a successful SSH connection but not of a successful SSH login:

rsa2@[port]:[hostname/IP]

The Last Write Time of NTUSER.DAT/Software/SimonTatham/SshHostKeys corresponds to the time the most recently added server was first connected to, not the last time the user SSH’d to a server. If a user has connected to a server multiple times, these keys are not updated; in that case network logs are a more suitable quantitative source.

If a user chooses to save their PuTTY profile (connection preferences, servers, logs, etc.), it will be stored under NTUSER.DAT/Software/SimonTatham/Sessions.

Registry Keys
To determine servers connected to via SSH:
NTUSER.DAT/Software/SimonTatham/SshHostKeys -> Subkeys correspond to successful SSH connections but not SSH logins.

To determine PuTTY configurations based on saved profiles:
NTUSER.DAT/Software/SimonTatham/Sessions -> Subkeys will correspond to profiles user created.
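As an added example (not from the original post), the Python below parses the value names of the SshHostKeys key in the "[algorithm]@[port]:[host]" syntax described above from an exported registry fragment, decodes the saved Sessions profiles, and reports hosts that were connected to without a saved profile. The .reg text is a constructed sample; it uses the full key path PuTTY writes, Software\SimonTatham\PuTTY\SshHostKeys, and the parser matches on the SshHostKeys and Sessions leaves so the shorter path given above works as well.

```python
"""Enumerate SSH servers from PuTTY's SshHostKeys value names and compare them
with saved Sessions, working from a .reg export of NTUSER.DAT. Added example;
the registry text is constructed (hosts, IPs and key blobs are made up)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed export shaped like `reg export` output for the keys on the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:10.0.0.5"="0x23,0x00c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6"
"ssh-ed25519@22:10.0.0.5"="0x0102030405060708090a0b0c0d0e0f10"
"rsa2@2222:bastion.example.test"="0x23,0x00deadbeefcafef00d1234567890abcdef"
"ecdsa-sha2-nistp256@22:192.0.2.10"="0x1122334455667788"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod%20bastion]
"HostName"="bastion.example.test"
"PortNumber"=dword:000008ae
"Protocol"="ssh"
'''

SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Value-name syntax from the page: rsa2@[port]:[hostname/IP]; the algorithm
# prefix varies with key type, so anything up to the '@' is accepted.
HOSTKEY_RE = re.compile(r"^(?P<alg>[^@]+)@(?P<port>\d+):(?P<host>.+)$")


def iter_values(reg_text):
    """Yield (key_path, value_name, raw_data) for every value in a .reg export."""
    section = None
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("path")
            continue
        m = VALUE_RE.match(line)
        if m and section:
            yield section, m.group("name"), m.group("data")


def decode_reg_data(raw):
    """Decode the two .reg encodings PuTTY's Sessions use: quoted strings and dword:hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_host_keys(reg_text):
    """One record per cached host key: algorithm, port, host. A host key is
    written when the user accepts the server's key, i.e. on a successful
    connection, not necessarily a successful login."""
    keys = []
    for section, name, _ in iter_values(reg_text):
        if section.endswith("\\SshHostKeys"):
            m = HOSTKEY_RE.match(name)
            if m:
                keys.append({"alg": m.group("alg"), "port": int(m.group("port")),
                             "host": m.group("host")})
    return keys


def parse_sessions(reg_text):
    """Saved profiles keyed by session name (PuTTY %XX-encodes names in the key path)."""
    sessions = defaultdict(dict)
    for section, name, raw in iter_values(reg_text):
        _, sep, leaf = section.rpartition("\\Sessions\\")
        if sep:
            sessions[unquote(leaf)][name] = decode_reg_data(raw)
    return dict(sessions)


def servers_connected(reg_text):
    """Distinct (host, port) pairs with the key algorithms cached for each."""
    grouped = defaultdict(set)
    for k in parse_host_keys(reg_text):
        grouped[(k["host"], k["port"])].add(k["alg"])
    return {hp: sorted(algs) for hp, algs in grouped.items()}


def hosts_without_saved_session(reg_text):
    """Servers connected to ad hoc: a host key exists but no saved profile names them."""
    saved = {(s.get("HostName"), s.get("PortNumber", 22))
             for s in parse_sessions(reg_text).values()}
    return sorted(hp for hp in servers_connected(reg_text) if hp not in saved)
```

The key's Last Write Time is not present in a .reg export, so the first-connection time the text describes still has to be read from the hive itself.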


OS X Lion Artifacts


Author Name
Sean Cavanaugh – AppleExaminer

Artifact Name
OS X Lion Artifacts

Description
Sean Cavanaugh of AppleExaminer.com maintains a Google Spreadsheet at the link listed below. Since this list is community driven and may change, it is not republished here; instead, a copy of the spreadsheet containing the artifacts as of 11-26-11 is provided. The list contains artifacts of User Directories, Safari, Mail, iChat, iPhoto, iTunes, Photo Booth, Address Book, Spotlight, RSS, Saved Application State, Preferences, Autorun Locations, Recent Items, browsers, and specific applications.

Research Links
https://docs.google.com/spreadsheet/ccc?key=0AkBdGlxJhW-ydDlxVUxWUVU0dXVzMzUxRzh2b2ZzaFE&hl=en_US#gid=0


Nmap / Zenmap


Author Name
Frank McClain

Artifact Name
Nmap/Zenmap

Artifact/Program Version
4.6, 5.1

Description
Artifacts remaining on a system after a scan using Nmap/Zenmap (especially Zenmap). This is not from the standpoint of showing that the application was run, or by whom (so no prefetch, UserAssist, etc.), nor of proving that the application was installed at some point. It is from the standpoint of showing the use (i.e., how) an application was put to, and the timeframe (i.e., when) involved.

In c:\program files\nmap\zenmap\ a file was created when a scan was saved. It had the same user-selected name as the saved scan, with the extension USR. So if the scan was saved as “test”, the file would be “test.usr”. If you find one of these, you can bet the user saved a scan; this file should be identical to that saved scan. It is an XML file that has all the information about the scan.

In %User%\.zenmap (a hidden folder) there are primarily three files of interest: recent_scans.txt, target_list.txt and zenmap.db. Recent_scans.txt is a list of saved scans (or perhaps of the .USR instances; it’s inconclusive at this point); all it has is a list of files with their paths. Target_list.txt is a list of all target IP addresses, separated by semicolons; it has no other information, not even an associated date. Zenmap.db is the fun one: a SQLite database that contains a history of what scans were run, including the type of scan, target IP, XML output (i.e., basic scan detail) and time.

%User%\%Local%\Temp is another potential treasure trove of evidence. You may find temporary files (with no extension) at this level. Some contain no data, some only a small amount, and others provide a detailed breakdown of the scan, the veritable motherlode, showing the time of the scan, each target port, protocol, scan times, and so on. Very good stuff, when present. The temporary files that had only a little content basically mirrored the type of content in the USR files, so if you don’t have one you might have the other and still have some insight into the scan.

And a slightly tangential question posed on Twitter was how to identify a scan from packets. Fairly simple, right? Just start Wireshark, run an Nmap scan, and review the results. It turns out that across multiple types of scans there are 60-byte packets, all of which have the following content: 00 0d 60 da b4 e7 00 11 25 d1 04 e0 08 00 45 00. That’s obviously not the entire contents of each packet, but it was consistent across all packets I saw.

File Locations
c:\program files\nmap\zenmap\*.usr (where * is the user-provided filename)
%User%\.zenmap\recent_scans.txt
%User%\.zenmap\target_list.txt
%User%\.zenmap\zenmap.db (SQLite db)
%User%\%Local%\Temp\tmpf5nhgm (these all start with “tmp” and appear to have 6 more characters following)

Research Links
http://forensicaliente.blogspot.com/2011/10/artifacts-created-by-nmapzenmap.html

Forensic Programs of Use
Nmap for Windows (cli) - http://nmap.org/download.html
Zenmap GUI for Nmap for Windows - http://nmap.org/download.html
SQLite Database Browser - http://sqlitebrowser.sourceforge.net/
Wireshark - http://www.wireshark.org/download.html
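As an added example (not from the original post), the Python below reconstructs the "how" and "when" of a saved scan from the XML described above (the .usr file and the fuller Temp files are Nmap XML output, whose nmaprun, scaninfo, host, ports/port and runstats/finished elements are Nmap's own schema) and cross-references target_list.txt to find targets no saved scan accounts for. The XML and the semicolon-separated target list are constructed samples.

```python
"""Reconstruct what a saved Zenmap scan did, and when, from its Nmap XML, and
find targets in target_list.txt that no saved scan covers. Added example; the
XML and target list below are constructed samples, not real scan output."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed .usr content (Nmap XML). Epoch attributes are what an analyst
# should trust; startstr/timestr are rendered in the scanning host's local time.
SAMPLE_USR = """
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,443 192.0.2.10" start="1318000000"
         startstr="Fri Oct  7 15:06:40 2011" version="5.51">
<scaninfo type="syn" protocol="tcp" numservices="3" services="22,80,443"/>
<host starttime="1318000001" endtime="1318000009">
<status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
</ports>
</host>
<runstats><finished time="1318000010" timestr="Fri Oct  7 15:06:50 2011" elapsed="10.00"/>
<hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Constructed target_list.txt content: semicolon-separated, no dates (as the page notes).
SAMPLE_TARGET_LIST = "192.0.2.10;192.0.2.11;scanme.example.test;"


def epoch_utc(value):
    """Nmap's epoch attributes are Unix seconds; render them as UTC ISO-8601."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def summarize_scan(xml_text):
    """Pull the command line, scan type, UTC start/finish and per-host open
    ports out of one .usr / Temp file."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not Nmap XML output")
    info = root.find("scaninfo")
    finished = root.find("runstats/finished")
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports.append((port.get("protocol"), int(port.get("portid")),
                                   svc.get("name") if svc is not None else None))
        hosts.append({
            "addresses": [a.get("addr") for a in host.findall("address")],
            "state": status.get("state") if status is not None else None,
            "open_ports": open_ports,
            "ports_probed": len(host.findall("ports/port")),
        })
    return {
        "args": root.get("args"),
        "scan_type": info.get("type") if info is not None else None,
        "started_utc": epoch_utc(root.get("start")),
        "finished_utc": epoch_utc(finished.get("time")) if finished is not None else None,
        "hosts": hosts,
    }


def parse_target_list(text):
    """target_list.txt: targets separated by semicolons, possibly with a trailing one."""
    return [t.strip() for t in text.split(";") if t.strip()]


def targets_not_in_saved_scans(target_list_text, saved_scan_xmls):
    """Targets the user entered that appear in no saved scan: scans that were
    run but not saved, or whose .usr / Temp file is gone."""
    seen = set()
    for xml_text in saved_scan_xmls:
        for h in summarize_scan(xml_text)["hosts"]:
            seen.update(h["addresses"])
    return [t for t in parse_target_list(target_list_text) if t not in seen]
```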

Jump List AppIDs (Windows 7) – File Sharing/P2P, FTP, IRC, IM/Communications, Usenet Newsreaders, System Cleaners


Author Name
Dan P (@4n6k)

Artifact Name
Jump List AppIDs (Windows 7) – File Sharing/P2P, FTP, IRC, IM/Communications, Usenet Newsreaders, System Cleaners

Category
Windows 7, Jump Lists

Description
The Jump List is essentially a new feature of the Windows 7 taskbar that allows quick access to recently viewed/opened/played or most frequently viewed/opened/played files. It also allows quick access to common tasks within each application. Each application has a little square of its own in the taskbar.

When the application performs certain actions (opening a file, right-clicking the application taskbar square, etc.), two types of files are created:

- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)

- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)

***Note: these directories are hidden***

You have to type the full path into the address bar to see their contents. The ‘*’ in the above examples is where the Application ID (AppID) goes. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application’s AppID can help identify any given application when user activity is of great importance in an investigation.

AppIDs
File Sharing/P2P
——————————————
installs to .exe loc AirDC++ 2.10
e0f7a40340179171 imule 1.4.5 (rev. 749)
76f6f1bd18c19698 aMule 2.2.6
cb5250eaef7e3213 ApexDC++ 1.4.3.957
bfc1d76f16fa778f Ares (Galaxy) 1.8.4 / 1.9.8 / 2.1.0 / 2.1.7.3041
depends on location Azureus 0.9.0 (portable)
accca100973ef8dc Azureus 2.0.8.4
ccb36ff8a8c03b4b Azureus 2.5.0.4 / Vuze 3.0.5.0
558c5bd9f906860a BearShare Lite 5.2.5.1
e1d47cb031dafb9f BearShare 6.0.0.22717 / 8.1.0.70928 / 10.0.0.112380
depends on location BitComet 0.39 (portable)
a31ec95fdd5f350f BitComet 0.49 / 0.59 / 0.69 / 0.79 / 0.89 / 0.99 / 1.07 / 1.28
bcd7ba75303acbcf BitLord 1.1
1434d6d62d64857d BitLord 1.2.0-66
e73d9f534ed5618a BitSpirit 1.2.0.228 / 2.0 / 2.6.3.168 / 2.7.2.239 / 2.8.0.072 / 3.1.0.077 / 3.6.0.550
c9374251edb4c1a8 BitTornado T-0.3.17
2d61cccb4338dfc8 BitTorrent 5.0.0 / 6.0.0 / 7.2.1 (Build 25548)
ba3a45f7fd2583e1 Blubster 3.1.1
4a7e4f6a181d3d08 broolzShare
f001ea668c0aa916 Cabos 0.8.2
depends on location CzDC 0.699 (portable)
depends on location Datawire 1.3 (portable)
depends on location DC++ 0.181 (portable)
560d789a6a42ad5a DC++ 0.261 / 0.698 / 0.782 (r2402.1)
4aa2a5710da3efe0 DCSharpHub 2.0.0
2db8e25112ab4453 Deluge 1.3.3
5b186fc4a0b40504 Dtella 1.2.5 (Purdue network only)
2437d4d14b056114 EiskaltDC++ 2.2.3
b3016b8da2077262 eMule 0.50a
cbbe886eca4bfc2d ExoSee 1.0.0
9ad1ec169bf2da7f FlylinkDC++ r405 (Build 7358)
4dd48f858b1a6ba7 Free Download Manager 3.0 (Build 852)
depends on location Freenet (default install dir is C:\Users\$user\…)
depends on location Frost 2011-03-05 (portable)
f214ca2dd40c59c1 FrostWire 4.20.9
73ce3745a843c0a4 FrostWire 5.1.4
98b0ef1c84088 fulDC 6.78
e6ea77a1d4553872 Gnucleus 1.8.6.0
ed49e1e6ccdba2f5 GNUnet 0.8.1a
cc4b36fbfb69a757 gtk-gnutella 0.97
a746f9625f7695e8 HeXHub 5.07
223bf0f360c6fea5 I2P 0.8.8 (restartable)
2ff9dc8fb7e11f39 I2P 0.8.8 (no window)
???????????????? [i2p] i2phex 3.2.0.103.0
f1a4c04eebef2906 [i2p] Robert 0.0.29 Preferences
???????????????? [i2p] Rufus 0.0.4
c8e4c10e5460b00c iMesh 6.5.0.16898
f61b65550a84027e iMesh 11.0.0.112351
d460280b17628695 Java Binary
depends on location Jucy DC 0.85.0.201008281346 (portable)
784182360de0c5b6 Kazaa Lite 1.7.1
a75b276f6e72cf2a Kazaa Lite Tools K++ 2.7.0
ba132e702c0147ef KCeasy 0.19-rc1
a8df13a46d66f6b5 Kommute (Calypso) 0.24
depends on location LamaHub 0.0.5.5 (portable)
c5ef839d8d1c76f4 LimeWire 5.2.13
977a5d147aa093f4 Lphant 3.51
96252daff039437a Lphant 7.0.0.112351
e76a4ef13fbf2bb1 Manolito 3.1.1
99c15cf3e6d52b61 mldonkey 3.1.0
ff224628f0e8103c Morpheus 3.0.3.6
depends on location MUTE File Sharing 0.5.1 (portable)
See Java Binary ID Nodezilla Agent 0.5.15 – built in Java
depends on location Perfect Dark 0.883 / 0.940 / 1.06 / 1.07 (all portable)
See Java Binary ID Phex 3.4.2 (Build 116) – built in Java
792699a1373f1386 Piolet 3.1.1
ca1eb46544793057 RetroShare 0.5.2a (Build 4550)
3cf13d83b0bd3867 RevConnect 0.674p (based on DC++)
depends on location PtokaX DC Hub 0.4.1.2 (portable)
depends on location RSX++ 1.21 (portable)
5e01ecaf82f7d8e Scour Exchange 0.0.0.228
depends on location StrongDC++ 2.42 (portable)
depends on location TkDC++ 1.3 (portable)
5d7b4175afdcc260 Shareaza 2.0.0.0
b48ce76eda60b97 Shareaza 8.0.0.112300
23f08dab0f6aaf30 SoMud 1.3.3
135df2a440abe9bb SoulSeek 156c
ecd21b58c2f65a2f StealthNet 0.8.7.9
5ea2a50c7979fbdc TrustyFiles 3.1.0.22
depends on location uTorrent 1.1.1-dev (Build 110) / 1.3.0 / 1.5.0 (all portable)
cd8cafb0fb6afdab uTorrent 1.7.7 (Build 8179) / 1.8.5 / 2.0 / 2.21 (Build 25113) / 3.0 (Build 25583)
a75b276f6e72cf2a WinMX 3.53
490c000889535727 WinMX 4.9.3.0
depends on location Winny 2.0b7.1 – all languages (portable)
depends on location xHub 0.2.6.7 (portable)
depends on location YnHub 1.036.152 (portable)
ac3a63b839ac9d3a Vuze 4.6.0.4

FTP
——————————————
d28ee773b2cea9b2 3D-FTP 9.0 build 7
cd2acd4089508507 AbsoluteTelnet 9.18 Lite
e6ef42224b845020 ALFTP 5.20.0.4
9e0b3f677a26bbc4 BitKinex 3.2.3
4cdf7858c6673f4b Bullet Proof FTP 1.26
714b179e552596df Bullet Proof FTP 2.4.0 (Build 31)
20ef367747c22564 Bullet Proof FTP 2010.75.0.75
44a50e6c87bc012 Classic FTP Plus 2.15
4fceec8e021ac978 CoffeeCup Free FTP 3.5.0.0
8deb27dfa31c5c2a CoffeeCup Free FTP 4.4 (Build 1904)
49b5edbd92d8cd58 FTP Commander 8.02
6a316aa67a46820b Core FTP LE 1.3c (Build 1437) / 2.2 (Build 1689)
be4875bb3e0c158f CrossFTP 1.75a
c04f69101c131440 CuteFTP 5.0 (Build 50.6.10.2)
a79a7ce3c45d781 CuteFTP 7.1 (Build 06.06.2005.1)
59e86071b87ac1c3 CuteFTP 8.3 (Build 8.3.4.0007)
d8081f151f4bd8a5 CuteFTP 8.3 Lite (Build 8.3.4.0007)
3198e37206f28dc7 CuteFTP 8.3 Professional (Build 8.3.4.0007)
f82607a219af2999 Cyberduck 4.1.2 (Build 8999)
fa7144034d7d083d Directory Opus 10.0.2.0.4269 (JL tasks supported)
f91fd0c57c4fe449 ExpanDrive 2.1.0
8f852307189803b8 Far Manager 2.0.1807
226400522157fe8b FileZilla Server 0.9.39 beta
a1d19afe5a80f80 FileZilla 2.2.32
e107946bb682ce47 FileZilla 3.5.1
b7cb1d1c1991accf FlashFXP 4.0.0 (Build 1548)
8628e76fd9020e81 Fling File Transfer Plus 2.24
27da120d7e75cf1f pbFTPClient 6.1
f64de962764b9b0f FTPRush 1.1.3 / 2.15
10f5a20c21466e85 FTP Voyager 15.2.0.17
7937df3c65790919 FTP Explorer 10.5.19 (Build 001)
9560577fd87cf573 LeechFTP 1.3 (Build 207)
fc999f29bc5c3560 Robo-FTP 3.7.9
c99ddde925d26df3 Robo-FTP 3.7.9 CronMaker
4b632cf2ceceac35 Robo-FTP Server 3.2.5
3a5148bf2288a434 Secure FTP 2.6.1 (Build 20101209.1254)
435a2f986b404eb7 SmartFTP 4.0.1214.0
explorer integrated Swish
e42a8e0f4d9b8dcf Sysax FTP Automation 5.15
b8c13a5dd8c455a2 Titan FTP Server 8.40 (Build 1338)
7904145af324576e Total Commander 7.56a (Build 16.12.2010)
79370f660ab51725 UploadFTP 2.0.1.0
6a8b377d0f5cb666 WinSCP 2.3.0 (Build 146)
9a3bdae86d5576ee WinSCP 3.2.1 (Build 174) / 3.8.0 (Build 312)
6bb54d82fa42128d WinSCP 4.3.4 (Build 1428)
b6267f3fcb700b60 WiseFTP 4.1.0
a581b8002a6eb671 WiseFTP 5.5.9
2544ff74641b639d WiseFTP 6.1.5
c54b96f328bdc28d WiseFTP 7.3.0
Web-based WS_FTP

IM
——————————————
b3965c840bf28ef4 AIM 4.8.2616
1b29f0dc90366bb AIM 5.9.3857
27ececd8d89b6767 AIM 6.2.14.2 / 6.5.3.12 / 6.9.17.2
6f647f9488d7a AIM 7.5.11.9 (custom AppID + JL support)
ca942805559495e9 aMSN 0.98.4
c6f7b5bf1b9675e4 BitWise IM 1.7.3a
fb1f39d1f230480a Bopup Messenger 5.6.2.9178 (all languages: en,du,fr,ger,rus,es)
dc64de6c91c18300 Brosix Communicator 3.1.3 (Build 110719 nid 1)
f09b920bfb781142 Camfrog 4.0.47 / 5.5.0 / 6.1 (build 146) (JL support)
ebd8c95d87f25154 Carrier 2.5.5
depends on location Coccinella Messenger 0.96.20 (portable)
30d23723bdd5d908 Digsby (Build 30140) (JL support)
728008617bc3e34b eM Client 3.0.10206.0
689319b6547cda85 emesene 2.11.7
454ef7dca3bb16b2 Exodus 0.10.0.0
cca6383a507bac64 Gadu-Gadu 10.5.2.13164
4278d3dc044fc88a Gaim 1.5.0
777483d3cdac1727 Gajim 0.14.4
6aa18a60024620ae GCN 2.9.1
3f2cd46691bbee90 GOIM 1.1.0
73c6a317412687c2 Google Talk 1.0.0.104
b0236d03c0627ac4 ICQ 5.1 / ICQLite Build 1068
a5db18f617e28a51 ICQ 6.5 (Build 2024)
2417caa1f2a881d4 ICQ 7.6 (Build 5617)
recognized VM inSpeak 7.2.0.540
989d7545c2b2e7b2 IMVU 465.8.0.0
a3e0d98f5653b539 Instantbird 1.0 (20110623121653) (JL support)
bcc705f705d8132b Instan-t 5.2 (Build 2824)
6059df4b02360af Kadu 0.10.0 / 0.6.5.5
c312e260e424ae76 Mail.Ru Agent 5.8 (JL support)
22cefa022402327d Meca Messenger 5.3.0.52
depends on location Mercury Messenger (portable)
86b804f7a28a3c17 Miranda IM 0.6.8 / 0.7.6 / 0.8.27 / 0.9.9 / 0.9.29 (ANSI + Unicode)
b868d9201b866d96 Microsoft Lync 4.0.7577.0
8c816c711d66a6b5 MSN Messenger 6.2.0137 / 7.0.0820
depends on location MSNPSharp (portable)
2d1658d5dc3cbe2d MySpaceIM 1.0.823.0 Beta
bf9ae1f46bd9c491 Nimbuzz 2.0.0 (rev 6266)
fb7ca8059b8f2123 ooVoo 3.0.7.21
efb08d4e11e21ece Paltalk Messenger 10.0 (Build 409)
4f24a7b84a7de5a6 Palringo 2.6.3 (r45983)
e93dbdcede8623f2 Pandion 2.6.106
aedd2de3901a77f4 Pidgin 2.0.0 / 2.10.0 / 2.7.3
c5236fd5824c9545 PLAYXPERT 1.0.140.2822
dee18f19c7e3a2ec PopNote 5.21
1a60b1067913516a Psi 0.14
e0532b20aa26a0c9 QQ International 1.1 (2042)
3c0022d9de573095 QuteCom 2.2
93b18adf1d948fa3 qutIM 0.2
e0246018261a9ccc qutIM 0.2.80.0
2aa756186e21b320 RealTimeQuery 3.2
521a29e5d22c13b4 Skype 1.4.0.84 / 2.5.0.154 / 3.8.0.139 / 4.2.0.187 / Skype 5.3.0.120 / 5.5.0.115 / 5.5.32.117
70b52cf73249257 Sococo 1.5.0.2274
d41746b133d17456 Tkabber 0.11.1
c8aa3eaee3d4343d Trillian 0.74 / 3.1 / 4.2.0.25 / 5.0.0.35 (JL support)
d7d647c92cd5d1e6 uTalk 2.6.4 r47692
36c36598b08891bf Vovox 2.5.3.4250
884fd37e05659f3a VZOchat 6.3.5
3461e4d1eb393c9c WTW 0.8.18.2852 / 0.8.19.2940
f2cb1c38ab948f58 X-Chat 1.8.10 / 2.6.9 / 2.8.9
4e0ac37db19cba15 Xfire 1.138 (Build 44507)
da7e8de5b8273a0f Yahoo Messenger 5.0.0.1226 / 6.0.0.1922
62dba7fb39bb0adc Yahoo Messenger 7.5.0.647 / 8.1.0.421 / 9.0.0.2162 / 10.0.0.1270
fb230a9fe81e71a8 Yahoo Messenger 11.0.0.2014-us
b06a975b62567622 Windows Live Messenger 8.5.1235.0517 BETA
bd249197a6faeff2 Windows Live Messenger 2011

IRC
——————————————
b223c3ffbc0a7a42 Bersirc 2.2.14
c01d68e40226892b ClicksAndWhistles 2.7.146
ac8920ed05001800 DMDirc 0.6.5 (Profile store: C:\Users\$user\AppData\Roaming\DMDirc\)
d3530c5294441522 HydraIRC 0.3.165
8904a5fd2d98b546 IceChat 7.70 20101031
6b3a5ce7ad4af9e4 IceChat 9 RC2
fa496fe13dd62edf KVIrc 3.4.2.1 / 4.0.4
65f7dd884b016ab2 LimeChat 2.39
19ccee0274976da8 mIRC 4.72 / 5.61
ae069d21df1c57df mIRC 6.35 / 7.19
e30bbea3e1642660 Neebly 1.0.4
54c803dfc87b52ba Nettalk 6.7.12
dd658a07478b46c2 PIRCH98 1.0.1.1190
depends on location Quassel IRC 0.7.1 (portable)
6fee01bd55a634fe Smuxi 0.8.0.0
2a5a615382a84729 X-Chat 2 2.8.6-2

Usenet
——————————————
ace8715529916d31 40tude Dialog 2.0.15.1 (Beta 38)
cc76755e0f925ce6 AllPicturez 1.2
36f6bc3efe1d99e0 Alt.Binz 0.25.0 (Build 27.09.2007)
d53b52fb65bde78c Android Newsgroup Downloader 6.2
c845f3a6022d647c Another File 2.03 (Build 2/7/2004)
780732558f827a42 AutoPix 5.3.3
baea31eacd87186b BinaryBoy 1.97 (Build 55)
eab25958dbddbaa4 Binary News Reaper 2 (Beta 0.14.7.448)
bf483b423ebbd327 Binary Vortex 5.0
36801066f71b73c5 Binbot 2.0
13eb0e5d9a49eaef Binjet 3.0.2
8172865a9d5185cb Binreader 1.0 (Beta 1)
6224453d9701a612 BinTube 3.7.1.0 (requires VLC 10.5!)
cf6379a9a987366e Digibin 1.31
43886ba3395acdcc Easy Post 3.0
cfab0ec14b6f953 Express NewsPictures 2.41 (Build 08.05.07.0)
7526de4a8b5914d9 Forte Agent 6.00 (Build 32.1186)
c02baf50d02056fc FotoVac 1.0
3ed70ef3495535f7 Gravity 3.0.4
86781fe8437db23e Messenger Pro 2.66.6.3353
f920768fe275f7f4 Grabit 1.5.3 Beta (Build 909) / 1.6.2 (Build 940) / 1.7.2 Beta 4 (Build 997)
9f03ae476ad461fa GroupsAloud 1.0
d0261ed6e16b200b News File Grabber 4.6.0.4
8211531a7918b389 Newsbin Pro 6.00 (Build 1019) (JL support)
d1fc019238236806 Newsgroup Commander Pro 9.05
186b5ccada1d986b NewsGrabber 3.0.36
4d72cfa1d0a67418 Newsgroup Image Collector
92f1d5db021cd876 NewsLeecher 4.0 / 5.0 Beta 6
d7666c416cba240c NewsMan Pro 3.0.5.2
7b2b4f995b54387d News Reactor 20100224.16
cb984e3bc7faf234 NewsRover 17.0 (Rev.0)
c98ab5ccf25dda79 NewsShark 2.0
dba909a61476ccec NewsWolf 1.41
2b164f512891ae37 NewsWolf NSListGen
cb1d97aca3fb7e6b Newz Crawler 1.9.0 (Build 4100)
3be7b307dfccb58f NiouzeFire 0.8.7.0
de76415e0060ce13 Noworyta News Reader 2.9
cd40ead0b1eb15ab NNTPGrab 0.6.2
d5c02fc7afbb3fd4 NNTPGrab 0.6.2 Server
a4def57ee99d77e9 Nomad News 1.43
3f97341a65bac63a Ozum 6.07 (Build 6070)
bfe841f4d35c92b1 QuadSucker/News 5.0
web-based sabnzbd 0.6.8
d3c5cf21e86b28af SeaMonkey 2.3.3
7a7c60efd66817a2 Spotnet 1.7.4
eb3300e672136bc7 Stream Reactor 1.0 Beta 9 (uses VLC!)
3168cc975b354a01 Slypheed 3.1.2 (Build 1120)
776beb1fcfc6dfa5 Thunderbird 1.0.6 (20050716) / 3.0.2
3d877ec11607fe4 Thunderbird 6.0.2
7192f2de78fd9e96 TIFNY 5.0.3
9dacebaa9ac8ca4e TLNews Newsreader 2.2.0 (Build 2430)
7fd04185af357bd5 UltraLeeacher 1.7.0.2969 / 1.8 Beta (Build 3490)
aa11f575087b3bdc Unzbin 2.6.8
pay only Usenet Explorer 3.3 (pay)
d7db75db9cdd7c5d Xnews 5.04.25

System Cleaners
——————————————
ed7a5cc3cca8d52a CCleaner 1.32.345 / 1.41.544 / 2.36.1233 / 3.10.1525
eb7e629258d326a1 WindowWasher 6.6.1.18

File Locations
- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)

Research Links

Other Info
This is the second batch of AppIDs. Please check out the original blog post for which this information was gathered. It provides additional information and a nice layout for the AppIDs.