
Windows Essentials 2012


Author Name
Matt Nelson – @mattnels
Submission Title
Windows Essentials 2012
Artifact or Program Version
16.4.3508.0205
Artifact Description
“Windows Essentials” – from Wikipedia:
“Windows Essentials (formerly Windows Live Essentials and Windows Live Installer) is a suite of freeware applications by Microsoft that aims to offer integrated and bundled e-mail, instant messaging, photo-sharing, blog publishing, and security services. Essentials programs are designed to integrate well with each other, with Microsoft Windows, and with other Microsoft web-based services such as SkyDrive and Outlook.com, so that they operate as a ‘seamless whole’.”
Windows Essentials 2012 includes the following applications:
Windows Live Messenger
Windows Photo Gallery
Windows Movie Maker
Windows Live Mail
Windows Live Writer
SkyDrive for Windows
Outlook Connector Pack
Windows Live Family Safety (Windows 7 only)
Registry Keys
Registry Entries of interest:
Messenger user account picture from Outlook.com:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertileurl: “http://byfiles.storage.msn.com/y1m4gfKDG3PgZg3XzURbeMEzcTjvII7nIA-llg-rJf2qOEhi8TUOBAUYYFMvIBxPlBhcQEvMWuQX4ley0hvAZ2kCg

Messenger user account picture:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertilepath: “C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2”
This corresponds to the file in C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Communications Clients\Shared\Mail Primary Account: “user@outlook.com” <—main user account under profile

Safe Senders List:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\
HKEY_USERS\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000000
"Flags"=dword:00000001
"Exception"="somename@someaddress.com"

HKEY_USERS\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000001
"Flags"=dword:00000001
"Exception"="somename2@someaddress2.com"

HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@outlook.com

SkyDrive Share:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\cid: “6512e79cec0ce###”

To view the share above, open the URL https://skydrive.live.com/?cid= with the CID value from the key above appended to it. This displays the share drive.

Messenger Credentials:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\OfflineCreds\user@outlook.com: E1 9E D3 29 60 73 A8 19 93 CD 9A E2 3B 45 38 66 6F 06 F2 F2 2F C8 ED 04 27 CA 67 48 CF E1 B2 FD BF 7A D6 80 CE 88 D8 CA 1E 89 D6 84 F0 E3 A0 72 C8 ED AC 70 2B 0D 19 08 F9 0B A4 4B FD B7 3B 7B E5 83 01 06 F3 35 AF 71 AC 61 2F 98 DD 7B EC 81 E0 D0 63 A9 5C 72 58 D7 20 C7 41 AD 16 67 EB 6D 26 D9 B2 DA A7 17 45 62 04 31 B4 29 61 4A 93 00 C8 60 74 94 D8 CF 1A 89 4D DE 5A 32 D3 9E 93 70

LiveWriter entries of interest:

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27 <—this GUID is unique to the blog configured on the system; another blog would have a different “id”

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\Categories\xxxxxxxx <—entries for labels/keywords appear here (a Blogger account was used for testing)

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\BlogName: “SOMEBLOG TITLE” <—blog title
HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\HomepageUrl: “http://someblog.blogspot.com” <—blog URL

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Username: “someusername” <—blog username

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Password: 00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00 0F 01 00 00 00 06 01 00 00 02 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 81 EE 36 19 D3 B8 54 4C 81 ED C0 2B 40 CC 55 39 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 55 2D AA 69 75 48 29 3F 74 76 93 F6 B8 0C FE 49 C7 17 1C 8A 54 2D EC 06 77 E5 1B 1A 89 D9 01 2E 00 00 00 00 0E 80 00 00 00 02 00 00 20 01 00 00 A0 C2 93 F3 FB DF 5B FB E1 65 09 A9 B1 48 15 1E 49 58 F2 39 35 38 3E EE 56 E2 FD 9C A1 A7 39 18 30 00 00 00 B5 F1 1F D0 8A 6D 68 EC 20 70 AA BD 8F D7 DD 5E 9F AD 78 70 DC E0 D0 F2 55 17 1B A1 C5 C9 CE 05 9A 5B DC 81 60 A2 61 77 E7 16 FC 55 92 A9 A6 17 40 00 00 00 2A A4 E8 00 57 26 CE C8 49 EE 04 88 6F 57 D1 37 48 19 62 A3 11 A2 C7 E8 A5 1C B3 E9 C9 81 00 C1 A8 C9 DB 46 8E 1D B1 AC B7 93 76 36 D6 6C 39 25 65 C3 C1 D 5 A7 D1 16 0A FF 60 49 06 9E 4A 56 25 0B <—if password is saved, this is where it is stored
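The Credentials\Password value above is not stored in the clear. The 16 bytes D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB are the little-endian encoding of the DPAPI provider GUID DF9D8CD0-1501-11D1-8C7A-00C04FC297EB, and the 27 bytes in front of them are a .NET BinaryFormatter byte-array record, so Writer has serialized a DPAPI-protected blob from managed code; the plaintext is not recoverable from the registry value alone. The Python below is an added example (not part of the original post and not Windows Live Writer code) that locates the blob inside such a value and decodes its header: the master key GUID (which names the master key file under the user's %APPDATA%\Microsoft\Protect\<SID>\ directory that the blob depends on), the cipher and hash algorithm IDs, key lengths and salt. It parses the leading bytes of the dump above in header-only mode, because the length fields in the remainder of the dump as printed do not add up; a complete parse is demonstrated on a constructed, structurally valid blob whose contents are filler. `PAGE_EXCERPT`, `build_sample_blob` and the field names are this example's own choices.

```python
import struct
import uuid

# Provider GUID carried by every DPAPI blob; in the registry dump above it appears as the
# little-endian bytes "D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB".
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values (wincrypt.h) that DPAPI blobs reference.
ALG_NAMES = {
    0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512",
}

# Leading bytes of the Writer Credentials\Password value shown above: a .NET BinaryFormatter
# byte[] record (27 bytes) followed by the DPAPI header up to the hash algorithm length.
PAGE_EXCERPT = bytes.fromhex(
    "00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00 0F 01 00 00 00 06 01 00 00 02 "
    "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 "
    "81 EE 36 19 D3 B8 54 4C 81 ED C0 2B 40 CC 55 39 00 00 00 00 02 00 00 00 00 00 "
    "10 66 00 00 00 01 00 00 20 00 00 00 55 2D AA 69 75 48 29 3F 74 76 93 F6 B8 0C FE 49 "
    "C7 17 1C 8A 54 2D EC 06 77 E5 1B 1A 89 D9 01 2E 00 00 00 00 0E 80 00 00 00 02 00 00"
)


def find_dpapi_blob(data):
    """Offset of the blob's version DWORD inside data, or -1 if the provider GUID is absent.
    Searching for the GUID instead of assuming offset 0 copes with the .NET wrapper."""
    idx = data.find(DPAPI_PROVIDER_GUID.bytes_le)
    return idx - 4 if idx >= 4 else -1


def parse_dpapi_blob(data, header_only=False):
    """Decode the DPAPI blob fields into a dict. With header_only=True parsing stops after
    the hash algorithm length, enough to recover the master key GUID and algorithms from a
    dump whose tail is unreliable."""
    pos = find_dpapi_blob(data)
    if pos < 0:
        raise ValueError("no DPAPI provider GUID found")

    def take(n):
        nonlocal pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("blob truncated at offset %d" % pos)
        pos += n
        return chunk

    def u32():
        return struct.unpack("<I", take(4))[0]

    out = {}
    out["version"] = u32()
    out["provider"] = uuid.UUID(bytes_le=take(16))
    out["master_key_version"] = u32()
    out["master_key"] = uuid.UUID(bytes_le=take(16))   # names the master key file this blob needs
    out["flags"] = u32()
    out["description"] = take(u32()).decode("utf-16-le").rstrip("\x00")
    out["crypt_alg"] = u32()
    out["crypt_alg_len"] = u32()                        # cipher key length in bits
    out["salt"] = take(u32())
    out["hmac_key"] = take(u32())                       # usually empty
    out["hash_alg"] = u32()
    out["hash_alg_len"] = u32()
    out["crypt_alg_name"] = ALG_NAMES.get(out["crypt_alg"], hex(out["crypt_alg"]))
    out["hash_alg_name"] = ALG_NAMES.get(out["hash_alg"], hex(out["hash_alg"]))
    if header_only:
        return out
    out["hmac2_key"] = take(u32())
    out["ciphertext"] = take(u32())
    out["signature"] = take(u32())
    out["trailing_bytes"] = len(data) - pos             # non-zero means the value has extra data
    return out


def build_sample_blob():
    """Constructed sample with the same field sizes as the value above (AES-256, SHA-512,
    32-byte salt, 48-byte ciphertext, 64-byte signature); contents are filler, not key material."""
    master_key = bytes.fromhex("81EE3619D3B8544C81EDC02B40CC5539")   # raw GUID bytes from the dump
    blob = b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), master_key,
        struct.pack("<I", 0),                                          # flags
        struct.pack("<I", 2) + b"\x00\x00",                            # empty description
        struct.pack("<III", 0x6610, 256, 32) + bytes(range(32)),       # AES-256, salt
        struct.pack("<I", 0),                                          # no hmac key
        struct.pack("<III", 0x800E, 512, 32) + bytes(range(32, 64)),   # SHA-512, hmac2 key
        struct.pack("<I", 48) + bytes(48),                             # ciphertext placeholder
        struct.pack("<I", 64) + bytes(64),                             # signature placeholder
    ])
    # .NET BinaryFormatter framing: SerializationHeaderRecord, then ArraySinglePrimitive(Byte)
    wrapper = (b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
               + b"\x0f\x01\x00\x00\x00" + struct.pack("<I", len(blob)) + b"\x02")
    return wrapper + blob


if __name__ == "__main__":
    header = parse_dpapi_blob(PAGE_EXCERPT, header_only=True)
    print("master key:", header["master_key"], header["crypt_alg_name"], header["hash_alg_name"])
    full = parse_dpapi_blob(build_sample_blob())
    print("constructed blob parsed, ciphertext bytes:", len(full["ciphertext"]))
```

Run on the excerpt, the header reports master key 1936ee81-b8d3-4c54-81ed-c02b40cc5539 with CALG_AES_256 and CALG_SHA_512, which is what an examiner needs in order to know which master key file and which user context the value is bound to; the constructed blob shows the full field layout through to the signature.
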
File Locations
Main Program(s) location:
C:\Program Files (x86)\Windows Live
C:\Program Files (x86)\Windows Live\Contacts
C:\Program Files (x86)\Windows Live\Family Safety
C:\Program Files (x86)\Windows Live\Installer
C:\Program Files (x86)\Windows Live\Mail
C:\Program Files (x86)\Windows Live\Messenger
C:\Program Files (x86)\Windows Live\Photo Gallery
C:\Program Files (x86)\Windows Live\Shared
C:\Program Files (x86)\Windows Live\SOXE
C:\Program Files (x86)\Windows Live\Writer

Main user profile locations:
C:\Users\Chuck\AppData\Local\Windows Live Writer
C:\Users\Chuck\AppData\Local\Microsoft\Feeds
C:\Users\Chuck\AppData\Local\Microsoft\Messenger
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live Mail
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\contacts.edb <—Contacts file
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\dbstore.ini <—LastStartupTime= & LastShutdownTime=
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\LogFiles

Messenger Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\contactslog.txt

SkyDrive Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive\setup\logs\yyyy-mm-dd_timecreated_xxx-xxx.log <—contains information tying the user SID to SkyDrive, plus other setup details.

Messenger user account (corresponds with Outlook.com picture):
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
Research Links
http://en.wikipedia.org/wiki/Windows_Essentials
http://media.blackhat.com/bh-us-11/Bursztein/BH_US_11_Bursztein_Owade_WP.pdf
http://windows.microsoft.com/en-us/windows-live/essentials
Forensic Programs of Use
Sysinternals Process Monitor
Regshot

Jump List AppIDs (Windows 7) – File Sharing/P2P, FTP, IRC, IM/Communications, Usenet Newsreaders, System Cleaners


Author Name
Dan P (@4n6k)

Artifact Name
Jump List AppIDs (Windows 7) – File Sharing/P2P, FTP, IRC, IM/Communications, Usenet Newsreaders, System Cleaners

Category
Windows 7, Jump Lists

Description
The Jump List is essentially a new feature of the Windows 7 taskbar that allows quick access to recently viewed/opened/played or most frequently viewed/opened/played files. It also allows quick access to common tasks within each application. Each application has a little square of its own in the taskbar.

When the application performs certain actions (opening a file, right-clicking the application taskbar square, etc.), two types of files are created:

- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)

- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)

***Note: these directories are hidden*** (you have to type the full path into the address bar to see their contents).

The ‘*’ in the above examples stands for the application’s AppID. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application’s AppID can help identify any given application when user activity is of great importance in an investigation.

AppIds
FileSharing/P2P
——————————————
e0f7a40340179171 imule 1.4.5 (rev. 749)
installs to .exe loc AirDC++ 2.10
76f6f1bd18c19698 aMule 2.2.6
cb5250eaef7e3213 ApexDC++ 1.4.3.957
bfc1d76f16fa778f Ares (Galaxy) 1.8.4 / 1.9.8 / 2.1.0 / 2.1.7.3041
depends on location Azureus 0.9.0 (portable)
accca100973ef8dc Azureus 2.0.8.4
ccb36ff8a8c03b4b Azureus 2.5.0.4 / Vuze 3.0.5.0
558c5bd9f906860a BearShare Lite 5.2.5.1
e1d47cb031dafb9f BearShare 6.0.0.22717 / 8.1.0.70928 / 10.0.0.112380
depends on location BitComet 0.39 (portable)
a31ec95fdd5f350f BitComet 0.49 / 0.59 / 0.69 / 0.79 / 0.89 / 0.99 / 1.07 / 1.28
bcd7ba75303acbcf BitLord 1.1
1434d6d62d64857d BitLord 1.2.0-66
e73d9f534ed5618a BitSpirit 1.2.0.228 / 2.0 / 2.6.3.168 / 2.7.2.239 / 2.8.0.072 / 3.1.0.077 / 3.6.0.550
c9374251edb4c1a8 BitTornado T-0.3.17
2d61cccb4338dfc8 BitTorrent 5.0.0 / 6.0.0 / 7.2.1 (Build 25548)
ba3a45f7fd2583e1 Blubster 3.1.1
4a7e4f6a181d3d08 broolzShare
f001ea668c0aa916 Cabos 0.8.2
depends on location CzDC 0.699 (portable)
depends on location Datawire 1.3 (portable)
depends on location DC++ 0.181 (portable)
560d789a6a42ad5a DC++ 0.261 / 0.698 / 0.782 (r2402.1)
4aa2a5710da3efe0 DCSharpHub 2.0.0
2db8e25112ab4453 Deluge 1.3.3
5b186fc4a0b40504 Dtella 1.2.5 (Purdue network only)
2437d4d14b056114 EiskaltDC++ 2.2.3
b3016b8da2077262 eMule 0.50a
cbbe886eca4bfc2d ExoSee 1.0.0
9ad1ec169bf2da7f FlylinkDC++ r405 (Build 7358)
4dd48f858b1a6ba7 Free Download Manager 3.0 (Build 852)
depends on location Freenet (default install dir is C:\Users\$user\…)
depends on location Frost 2011-03-05 (portable)
f214ca2dd40c59c1 FrostWire 4.20.9
73ce3745a843c0a4 FrostWire 5.1.4
98b0ef1c84088 fulDC 6.78
e6ea77a1d4553872 Gnucleus 1.8.6.0
ed49e1e6ccdba2f5 GNUnet 0.8.1a
cc4b36fbfb69a757 gtk-gnutella 0.97
a746f9625f7695e8 HeXHub 5.07
223bf0f360c6fea5 I2P 0.8.8 (restartable)
2ff9dc8fb7e11f39 I2P 0.8.8 (no window)
???????????????? [i2p] i2phex 3.2.0.103.0
f1a4c04eebef2906 [i2p] Robert 0.0.29 Preferences
???????????????? [i2p] Rufus 0.0.4
c8e4c10e5460b00c iMesh 6.5.0.16898
f61b65550a84027e iMesh 11.0.0.112351
d460280b17628695 Java Binary
depends on location Jucy DC 0.85.0.201008281346 (portable)
784182360de0c5b6 Kazaa Lite 1.7.1
a75b276f6e72cf2a Kazaa Lite Tools K++ 2.7.0
ba132e702c0147ef KCeasy 0.19-rc1
a8df13a46d66f6b5 Kommute (Calypso) 0.24
depends on location LamaHub 0.0.5.5 (portable)
c5ef839d8d1c76f4 LimeWire 5.2.13
977a5d147aa093f4 Lphant 3.51
96252daff039437a Lphant 7.0.0.112351
e76a4ef13fbf2bb1 Manolito 3.1.1
99c15cf3e6d52b61 mldonkey 3.1.0
ff224628f0e8103c Morpheus 3.0.3.6
depends on location MUTE File Sharing 0.5.1 (portable)
See Java Binary ID Nodezilla Agent 0.5.15 – built in Java
depends on location Perfect Dark 0.883 / 0.940 / 1.06 / 1.07 (all portable)
See Java Binary ID Phex 3.4.2 (Build 116) – built in Java
792699a1373f1386 Piolet 3.1.1
ca1eb46544793057 RetroShare 0.5.2a (Build 4550)
3cf13d83b0bd3867 RevConnect 0.674p (based on DC++)
depends on location PtokaX DC Hub 0.4.1.2 (portable)
depends on location RSX++ 1.21 (portable)
5e01ecaf82f7d8e Scour Exchange 0.0.0.228
depends on location StrongDC++ 2.42 (portable)
depends on location TkDC++ 1.3 (portable)
5d7b4175afdcc260 Shareaza 2.0.0.0
b48ce76eda60b97 Shareaza 8.0.0.112300
23f08dab0f6aaf30 SoMud 1.3.3
135df2a440abe9bb SoulSeek 156c
ecd21b58c2f65a2f StealthNet 0.8.7.9
5ea2a50c7979fbdc TrustyFiles 3.1.0.22
depends on location uTorrent 1.1.1-dev (Build 110) / 1.3.0 / 1.5.0 (all portable)
cd8cafb0fb6afdab uTorrent 1.7.7 (Build 8179) / 1.8.5 / 2.0 / 2.21 (Build 25113) / 3.0 (Build 25583)
a75b276f6e72cf2a WinMX 3.53
490c000889535727 WinMX 4.9.3.0
depends on location Winny 2.0b7.1 – all languages (portable)
depends on location xHub 0.2.6.7 (portable)
depends on location YnHub 1.036.152 (portable)
ac3a63b839ac9d3a Vuze 4.6.0.4

FTP
——————————————
d28ee773b2cea9b2 3D-FTP 9.0 build 7
cd2acd4089508507 AbsoluteTelnet 9.18 Lite
e6ef42224b845020 ALFTP 5.20.0.4
9e0b3f677a26bbc4 BitKinex 3.2.3
4cdf7858c6673f4b Bullet Proof FTP 1.26
714b179e552596df Bullet Proof FTP 2.4.0 (Build 31)
20ef367747c22564 Bullet Proof FTP 2010.75.0.75
44a50e6c87bc012 Classic FTP Plus 2.15
4fceec8e021ac978 CoffeeCup Free FTP 3.5.0.0
8deb27dfa31c5c2a CoffeeCup Free FTP 4.4 (Build 1904)
49b5edbd92d8cd58 FTP Commander 8.02
6a316aa67a46820b Core FTP LE 1.3c (Build 1437) / 2.2 (Build 1689)
be4875bb3e0c158f CrossFTP 1.75a
c04f69101c131440 CuteFTP 5.0 (Build 50.6.10.2)
a79a7ce3c45d781 CuteFTP 7.1 (Build 06.06.2005.1)
59e86071b87ac1c3 CuteFTP 8.3 (Build 8.3.4.0007)
d8081f151f4bd8a5 CuteFTP 8.3 Lite (Build 8.3.4.0007)
3198e37206f28dc7 CuteFTP 8.3 Professional (Build 8.3.4.0007)
f82607a219af2999 Cyberduck 4.1.2 (Build 8999)
fa7144034d7d083d Directory Opus 10.0.2.0.4269 (JL tasks supported)
f91fd0c57c4fe449 ExpanDrive 2.1.0
8f852307189803b8 Far Manager 2.0.1807
226400522157fe8b FileZilla Server 0.9.39 beta
a1d19afe5a80f80 FileZilla 2.2.32
e107946bb682ce47 FileZilla 3.5.1
b7cb1d1c1991accf FlashFXP 4.0.0 (Build 1548)
8628e76fd9020e81 Fling File Transfer Plus 2.24
27da120d7e75cf1f pbFTPClient 6.1
f64de962764b9b0f FTPRush 1.1.3 / 2.15
10f5a20c21466e85 FTP Voyager 15.2.0.17
7937df3c65790919 FTP Explorer 10.5.19 (Build 001)
9560577fd87cf573 LeechFTP 1.3 (Build 207)
fc999f29bc5c3560 Robo-FTP 3.7.9
c99ddde925d26df3 Robo-FTP 3.7.9 CronMaker
4b632cf2ceceac35 Robo-FTP Server 3.2.5
3a5148bf2288a434 Secure FTP 2.6.1 (Build 20101209.1254)
435a2f986b404eb7 SmartFTP 4.0.1214.0
explorer integrated Swish
e42a8e0f4d9b8dcf Sysax FTP Automation 5.15
b8c13a5dd8c455a2 Titan FTP Server 8.40 (Build 1338)
7904145af324576e Total Commander 7.56a (Build 16.12.2010)
79370f660ab51725 UploadFTP 2.0.1.0
6a8b377d0f5cb666 WinSCP 2.3.0 (Build 146)
9a3bdae86d5576ee WinSCP 3.2.1 (Build 174) / 3.8.0 (Build 312)
6bb54d82fa42128d WinSCP 4.3.4 (Build 1428)
b6267f3fcb700b60 WiseFTP 4.1.0
a581b8002a6eb671 WiseFTP 5.5.9
2544ff74641b639d WiseFTP 6.1.5
c54b96f328bdc28d WiseFTP 7.3.0
Web-based WS_FTP

IM
——————————————
b3965c840bf28ef4 AIM 4.8.2616
1b29f0dc90366bb AIM 5.9.3857
27ececd8d89b6767 AIM 6.2.14.2 / 6.5.3.12 / 6.9.17.2
6f647f9488d7a AIM 7.5.11.9 (custom AppID + JL support)
ca942805559495e9 aMSN 0.98.4
c6f7b5bf1b9675e4 BitWise IM 1.7.3a
fb1f39d1f230480a Bopup Messenger 5.6.2.9178 (all languages: en,du,fr,ger,rus,es)
dc64de6c91c18300 Brosix Communicator 3.1.3 (Build 110719 nid 1)
f09b920bfb781142 Camfrog 4.0.47 / 5.5.0 / 6.1 (build 146) (JL support)
ebd8c95d87f25154 Carrier 2.5.5
depends on location Coccinella Messenger 0.96.20 (portable)
30d23723bdd5d908 Digsby (Build 30140) (JL support)
728008617bc3e34b eM Client 3.0.10206.0
689319b6547cda85 emesene 2.11.7
454ef7dca3bb16b2 Exodus 0.10.0.0
cca6383a507bac64 Gadu-Gadu 10.5.2.13164
4278d3dc044fc88a Gaim 1.5.0
777483d3cdac1727 Gajim 0.14.4
6aa18a60024620ae GCN 2.9.1
3f2cd46691bbee90 GOIM 1.1.0
73c6a317412687c2 Google Talk 1.0.0.104
b0236d03c0627ac4 ICQ 5.1 / ICQLite Build 1068
a5db18f617e28a51 ICQ 6.5 (Build 2024)
2417caa1f2a881d4 ICQ 7.6 (Build 5617)
recognized VM inSpeak 7.2.0.540
989d7545c2b2e7b2 IMVU 465.8.0.0
a3e0d98f5653b539 Instantbird 1.0 (20110623121653) (JL support)
bcc705f705d8132b Instan-t 5.2 (Build 2824)
6059df4b02360af Kadu 0.10.0 / 0.6.5.5
c312e260e424ae76 Mail.Ru Agent 5.8 (JL support)
22cefa022402327d Meca Messenger 5.3.0.52
depends on location Mercury Messenger (portable)
86b804f7a28a3c17 Miranda IM 0.6.8 / 0.7.6 / 0.8.27 / 0.9.9 / 0.9.29 (ANSI + Unicode)
b868d9201b866d96 Microsoft Lync 4.0.7577.0
8c816c711d66a6b5 MSN Messenger 6.2.0137 / 7.0.0820
depends on location MSNPSharp (portable)
2d1658d5dc3cbe2d MySpaceIM 1.0.823.0 Beta
bf9ae1f46bd9c491 Nimbuzz 2.0.0 (rev 6266)
fb7ca8059b8f2123 ooVoo 3.0.7.21
efb08d4e11e21ece Paltalk Messenger 10.0 (Build 409)
4f24a7b84a7de5a6 Palringo 2.6.3 (r45983)
e93dbdcede8623f2 Pandion 2.6.106
aedd2de3901a77f4 Pidgin 2.0.0 / 2.10.0 / 2.7.3
c5236fd5824c9545 PLAYXPERT 1.0.140.2822
dee18f19c7e3a2ec PopNote 5.21
1a60b1067913516a Psi 0.14
e0532b20aa26a0c9 QQ International 1.1 (2042)
3c0022d9de573095 QuteCom 2.2
93b18adf1d948fa3 qutIM 0.2
e0246018261a9ccc qutIM 0.2.80.0
2aa756186e21b320 RealTimeQuery 3.2
521a29e5d22c13b4 Skype 1.4.0.84 / 2.5.0.154 / 3.8.0.139 / 4.2.0.187 / Skype 5.3.0.120 / 5.5.0.115 / 5.5.32.117
70b52cf73249257 Sococo 1.5.0.2274
d41746b133d17456 Tkabber 0.11.1
c8aa3eaee3d4343d Trillian 0.74 / 3.1 / 4.2.0.25 / 5.0.0.35 (JL support)
d7d647c92cd5d1e6 uTalk 2.6.4 r47692
36c36598b08891bf Vovox 2.5.3.4250
884fd37e05659f3a VZOchat 6.3.5
3461e4d1eb393c9c WTW 0.8.18.2852 / 0.8.19.2940
f2cb1c38ab948f58 X-Chat 1.8.10 / 2.6.9 / 2.8.9
4e0ac37db19cba15 Xfire 1.138 (Build 44507)
da7e8de5b8273a0f Yahoo Messenger 5.0.0.1226 / 6.0.0.1922
62dba7fb39bb0adc Yahoo Messenger 7.5.0.647 / 8.1.0.421 / 9.0.0.2162 / 10.0.0.1270
fb230a9fe81e71a8 Yahoo Messenger 11.0.0.2014-us
b06a975b62567622 Windows Live Messenger 8.5.1235.0517 BETA
bd249197a6faeff2 Windows Live Messenger 2011

IRC
——————————————
b223c3ffbc0a7a42 Bersirc 2.2.14
c01d68e40226892b ClicksAndWhistles 2.7.146
ac8920ed05001800 DMDirc 0.6.5 (Profile store: C:\Users\$user\AppData\Roaming\DMDirc\)
d3530c5294441522 HydraIRC 0.3.165
8904a5fd2d98b546 IceChat 7.70 20101031
6b3a5ce7ad4af9e4 IceChat 9 RC2
fa496fe13dd62edf KVIrc 3.4.2.1 / 4.0.4
65f7dd884b016ab2 LimeChat 2.39
19ccee0274976da8 mIRC 4.72 / 5.61
ae069d21df1c57df mIRC 6.35 / 7.19
e30bbea3e1642660 Neebly 1.0.4
54c803dfc87b52ba Nettalk 6.7.12
dd658a07478b46c2 PIRCH98 1.0.1.1190
depends on location Quassel IRC 0.7.1 (portable)
6fee01bd55a634fe Smuxi 0.8.0.0
2a5a615382a84729 X-Chat 2 2.8.6-2

Usenet
——————————————
ace8715529916d31 40tude Dialog 2.0.15.1 (Beta 38)
cc76755e0f925ce6 AllPicturez 1.2
36f6bc3efe1d99e0 Alt.Binz 0.25.0 (Build 27.09.2007)
d53b52fb65bde78c Android Newsgroup Downloader 6.2
c845f3a6022d647c Another File 2.03 (Build 2/7/2004)
780732558f827a42 AutoPix 5.3.3
baea31eacd87186b BinaryBoy 1.97 (Build 55)
eab25958dbddbaa4 Binary News Reaper 2 (Beta 0.14.7.448)
bf483b423ebbd327 Binary Vortex 5.0
36801066f71b73c5 Binbot 2.0
13eb0e5d9a49eaef Binjet 3.0.2
8172865a9d5185cb Binreader 1.0 (Beta 1)
6224453d9701a612 BinTube 3.7.1.0 (requires VLC 10.5!)
cf6379a9a987366e Digibin 1.31
43886ba3395acdcc Easy Post 3.0
cfab0ec14b6f953 Express NewsPictures 2.41 (Build 08.05.07.0)
7526de4a8b5914d9 Forte Agent 6.00 (Build 32.1186)
c02baf50d02056fc FotoVac 1.0
3ed70ef3495535f7 Gravity 3.0.4
86781fe8437db23e Messenger Pro 2.66.6.3353
f920768fe275f7f4 Grabit 1.5.3 Beta (Build 909) / 1.6.2 (Build 940) / 1.7.2 Beta 4 (Build 997)
9f03ae476ad461fa GroupsAloud 1.0
d0261ed6e16b200b News File Grabber 4.6.0.4
8211531a7918b389 Newsbin Pro 6.00 (Build 1019) (JL support)
d1fc019238236806 Newsgroup Commander Pro 9.05
186b5ccada1d986b NewsGrabber 3.0.36
4d72cfa1d0a67418 Newsgroup Image Collector
92f1d5db021cd876 NewsLeecher 4.0 / 5.0 Beta 6
d7666c416cba240c NewsMan Pro 3.0.5.2
7b2b4f995b54387d News Reactor 20100224.16
cb984e3bc7faf234 NewsRover 17.0 (Rev.0)
c98ab5ccf25dda79 NewsShark 2.0
dba909a61476ccec NewsWolf 1.41
2b164f512891ae37 NewsWolf NSListGen
cb1d97aca3fb7e6b Newz Crawler 1.9.0 (Build 4100)
3be7b307dfccb58f NiouzeFire 0.8.7.0
de76415e0060ce13 Noworyta News Reader 2.9
cd40ead0b1eb15ab NNTPGrab 0.6.2
d5c02fc7afbb3fd4 NNTPGrab 0.6.2 Server
a4def57ee99d77e9 Nomad News 1.43
3f97341a65bac63a Ozum 6.07 (Build 6070)
bfe841f4d35c92b1 QuadSucker/News 5.0
web-based sabnzbd 0.6.8
d3c5cf21e86b28af SeaMonkey 2.3.3
7a7c60efd66817a2 Spotnet 1.7.4
eb3300e672136bc7 Stream Reactor 1.0 Beta 9 (uses VLC!)
3168cc975b354a01 Slypheed 3.1.2 (Build 1120)
776beb1fcfc6dfa5 Thunderbird 1.0.6 (20050716) / 3.0.2
3d877ec11607fe4 Thunderbird 6.0.2
7192f2de78fd9e96 TIFNY 5.0.3
9dacebaa9ac8ca4e TLNews Newsreader 2.2.0 (Build 2430)
7fd04185af357bd5 UltraLeeacher 1.7.0.2969 / 1.8 Beta (Build 3490)
aa11f575087b3bdc Unzbin 2.6.8
pay only Usenet Explorer 3.3 (pay)
d7db75db9cdd7c5d Xnews 5.04.25

System Cleaners
——————————————
ed7a5cc3cca8d52a CCleaner 1.32.345 / 1.41.544 / 2.36.1233 / 3.10.1525
eb7e629258d326a1 WindowWasher 6.6.1.18

File Locations
- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)

Research Links

Other Info
This is the second batch of AppIDs. Please check out the original blog post for which this information was gathered. It provides additional information and a nice layout for the AppIDs.

Jump List AppIDs


Author Name
Dan P (@4n6k)

Artifact Name
Jump List AppIDs (Windows 7) – browsers, utilities, image viewers, and media players

Categories
Windows 7, Jump Lists

Description
The Jump List is essentially a new feature of the Windows 7 taskbar that allows quick access to recently viewed/opened/played or most frequently viewed/opened/played files. It also allows quick access to common tasks within each application. Each application has a little square of its own in the taskbar.

When the application performs certain actions (opening a file, right-clicking the application taskbar square, etc.), two types of files are created:

- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)

- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations).

***Note: these directories are hidden*** (you have to type the full path into the address bar to see their contents).

The ‘*’ in the above examples stands for the application’s AppID. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application’s AppID can help identify any given application when user activity is of great importance in an investigation.
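Both Jump List posts on this page describe the same mapping: the file name under Recent\automaticDestinations or Recent\customDestinations is the AppID, and the tables turn that AppID into an application and the category it was filed under. The Python below is an added example (not part of either original post) that applies that mapping the way a triage script would: it validates each file name against the expected pattern, looks the AppID up in a small subset of the page's tables (`KNOWN_APPIDS` holds only a handful of entries, each with its section name), orders hits by modification time, and reports AppIDs it cannot identify for manual lookup. `triage` runs on a constructed directory listing embedded in the block; `scan_recent` applies the same logic to a real profile directory and assumes the Recent folder layout quoted above, which the posts describe but do not show as code.

```python
import os
import re
from datetime import datetime, timezone

# A handful of AppIDs copied from the tables on this page, keyed to the section they sit in.
KNOWN_APPIDS = {
    "5d696d521de238c3": ("Internet Browsers", "Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215"),
    "28c8b86deab549a1": ("Internet Browsers", "Internet Explorer 8 / 9"),
    "bc0c37e84e063727": ("Utilities", "Windows Command Processor - cmd.exe (32-bit)"),
    "cd8cafb0fb6afdab": ("FileSharing/P2P",
                         "uTorrent 1.7.7 (Build 8179) / 1.8.5 / 2.0 / 2.21 (Build 25113) / 3.0 (Build 25583)"),
    "e107946bb682ce47": ("FTP", "FileZilla 3.5.1"),
    "ae069d21df1c57df": ("IRC", "mIRC 6.35 / 7.19"),
    "ed7a5cc3cca8d52a": ("System Cleaners", "CCleaner 1.32.345 / 1.41.544 / 2.36.1233 / 3.10.1525"),
}

# <16 hex digits>.automaticDestinations-ms or <16 hex digits>.customDestinations-ms
JUMPLIST_NAME = re.compile(
    r"^(?P<appid>[0-9a-f]{16})\.(?P<kind>automatic|custom)Destinations-ms$", re.IGNORECASE)


def classify(filename, mtime=None):
    """Return a record for one jump list file name, or None if the name is not a jump list."""
    match = JUMPLIST_NAME.match(filename)
    if match is None:
        return None
    appid = match.group("appid").lower()
    category, app = KNOWN_APPIDS.get(appid, (None, None))
    return {"appid": appid, "kind": match.group("kind").lower(),
            "category": category, "app": app, "mtime": mtime}


def triage(listing):
    """listing: iterable of (filename, mtime datetime). Splits the names into identified jump
    lists (newest first), AppIDs not in the table, and files that are not jump lists at all."""
    identified, unknown, skipped = [], [], []
    for name, mtime in listing:
        rec = classify(name, mtime)
        if rec is None:
            skipped.append(name)
        elif rec["app"] is None:
            unknown.append(rec["appid"])
        else:
            identified.append(rec)
    identified.sort(key=lambda r: r["mtime"], reverse=True)
    return {"identified": identified, "unknown": sorted(set(unknown)), "skipped": skipped}


def scan_recent(profile_dir):
    """Triage a real profile directory; assumes the %appdata%\\Microsoft\\Windows\\Recent
    layout described above (roaming AppData) and reads each file's modification time."""
    recent = os.path.join(profile_dir, "AppData", "Roaming", "Microsoft", "Windows", "Recent")
    listing = []
    for sub in ("automaticDestinations", "customDestinations"):
        folder = os.path.join(recent, sub)
        if not os.path.isdir(folder):
            continue
        for entry in os.scandir(folder):
            if entry.is_file():
                mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
                listing.append((entry.name, mtime))
    return triage(listing)


# Constructed directory listing standing in for the two Recent sub-folders.
SAMPLE_LISTING = [
    ("5d696d521de238c3.automaticDestinations-ms", datetime(2012, 3, 1, 9, 15, tzinfo=timezone.utc)),
    ("cd8cafb0fb6afdab.automaticDestinations-ms", datetime(2012, 3, 2, 22, 40, tzinfo=timezone.utc)),
    ("ED7A5CC3CCA8D52A.automaticDestinations-ms", datetime(2012, 3, 3, 1, 5, tzinfo=timezone.utc)),
    ("bc0c37e84e063727.customDestinations-ms", datetime(2012, 2, 20, 12, 0, tzinfo=timezone.utc)),
    ("0123456789abcdef.automaticDestinations-ms", datetime(2012, 3, 1, 10, 0, tzinfo=timezone.utc)),
    ("desktop.ini", datetime(2012, 1, 1, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for rec in result["identified"]:
        print(rec["mtime"].isoformat(), rec["kind"], rec["category"], "-", rec["app"])
    print("unknown AppIDs:", result["unknown"])
    print("not jump lists:", result["skipped"])
```

The constructed AppID 0123456789abcdef is deliberately absent from the table so the unknown path is exercised; in practice an unknown AppID is the cue to either consult the full tables above or to treat the entry as an application installed to a per-user path, which the tables mark as "depends on location" and cannot be matched by a static table.
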

AppIDs

Internet Browsers
——————————————
5d696d521de238c3 Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215
cfb56c56fa0f0a54 Mozilla 0.9.9
5c450709f7ae4396 Firefox 1.0 / 2.0 / 3.0
5df4765359170e26 Firefox 4.0.1
1eb796d87c32eff9 Firefox 5.0
1461132e553e2e6c Firefox 6.0
28c8b86deab549a1 Internet Explorer 8 / 9
16ec093b8f51508f Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074
8a1c1c7c389a5320 Safari 3.2.3 (525.29)
1da3c90a72bf5527 Safari 4.0.5 (531.22.7) / 5.1 (7534.50)

Utilities
——————————————
3dc02b55e44d6697 7-Zip 3.13 / 4.20
4975d6798a8bdf66 7-Zip 4.65 / 9.20
4b6925efc53a3c08 BCWipe 5.02.2 Task Manager 3.02.3
337ed59af273c758 Sticky Notes
290532160612e071 WinRAR 2.90 / 3.60 / 4.01
c9950c443027c765 WinZip 9.0 SR-1 (6224) / 10.0 (6667)
b74736c2bd8cc8a5 WinZip 15.5 (9468)
bc0c37e84e063727 Windows Command Processor – cmd.exe (32-bit)

Image/Document Viewers
——————————————
f0468ce1ae57883d Adobe Reader 7.1.0
c2d349a0e756411b Adobe Reader 8.1.2
23646679aaccfae0 Adobe Acrobat 9.4.0
ee462c3b81abb6f6 Adobe Reader X 10.1.0
386a2f6aa7967f36 EyeBrowse 2.7
e31a6a8a7506f733 Image AXS Pro 4.1
b39c5f226977725d ACDSee Pro 8.1.99
59f56184c796cfd4 ACDSee Photo Manager 10 (Build 219)
8bd5c6433ca967e9 ACDSee Photo Manager 2009 (v11.0 Build 113)
d838aac097abece7 ACDSee Photo Manager 12 (Build 344)
b3f13480c2785ae Paint 6.1 (build 7601: SP1)
7cb0735d45243070 CDisplay 1.8.1.0
3594aab44bca414b Windows Photo Viewer
3edf100b207e2199 digiKam 1.7.0 (KDE 4.4.4)
169b3be0bc43d592 FastPictureViewer Professional 1.6 (Build 211)
e9a39dfba105ea23 FastStone Image Viewer 4.6
edc786643819316c HoneyView3 #5834
76689ff502a1fd9e Imagine Image and Animation Viewer 1.0.7
2519133d6d830f7e IMatch 3.6.0.113
1110d9896dceddb3 imgSeek 0.8.5
c634153e7f5fce9c IrfanView 3.10 / 4.30
ea83017cdd24374d IrfanView Thumbnails
3917dd550d7df9a8 Konvertor 4.06 (Build 10)
2fa14c7753239e4c Paint.NET 2.72 / 3.5.8.4081.24580
d33ecf70f0b74a77 Picasa 2.2.0 (Build 28.08, 0)
b17d3d0c9ca7e29 Picasa 3.8.0 (Build 117.43, 0)
Embedded in IE Prizm Viewer
depends on location Scientific and Technical Document Viewer 1.6.2 Portable (STDU)
c5c24a503b1727df XnView 1.98.2 Small / 1.98.2 Standard
497b42680f564128 Zoner PhotoStudio 13 (Build 7)

Media Players
——————————————
d22ad6d9d20e6857 ALLPlayer 4.7
7494a606a9eef18e Crystal Player 1.98
1cffbe973a437c74 DSPlayer 0.889 Lite
817bb211c92fd254 GOM Player 2.0.12.3375 / 2.1.28.5039
6bc3383cb68a3e37 iTunes 7.6.0.29 / 8.0.0.35
83b03b46dcd30a0e iTunes 9.0.0.70 / 9.2.1.5 / 10.4.1.10 (begin custom ‘Tasks’ JL capability)
fe5e840511621941 JetAudio 5.1.9.3018 Basic / 6.2.5.8220 Basic / 7.0.0 Basic / 8.0.16.2000 Basic
a777ad264b54abab JetVideo 8.0.2.200 Basic
3c93a049a30e25e6 J. River Media Center 16.0.149
4a49906d074a3ad3 Media Go 1.8 (Build 121)
1cf97c38a5881255 MediaPortal 1.1.3
Depends on location Media Player Classic 6.4.8.9 (is portable)
Depends on location Media Player Classic – Home Cinema 1.5.2.3456 (default install is \Users\user\ dir, so dynamic)
62bff50b969c2575 Quintessential Media Player 5.0 (Build 121) – also usage stats (times used, tracks played, total time used)
b50ee40805bd280f QuickTime Alternative 1.9.5 (Media Player Classic 6.4.9.1)
ae3f2acd395b622e QuickTime Player 6.5.1 / 7.0.3 / 7.5.5 (Build 249.13)
7593af37134fd767 RealPlayer 6.0.6.99 / 7 / 8 / 10.5
37392221756de927 RealPlayer SP 12
f92e607f9de02413 RealPlayer 14.0.6.666
6e9d40a4c63bb562 Real Player Alternative 1.25 (Media Player Classic 6.4.8.2 / 6.4.9.0)
c91d08dcfc39a506 SM Player 0.6.9 r3447
e40cb5a291ad1a5b Songbird 1.9.3 (Build 1959)
4d8bdacf5265a04f The KMPlayer 2.9.4.1434
4acae695c73a28c7 VLC 0.3.0 / 0.4.6
9fda41b86ddcf1db VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11
e6ee34ac9913c0a9 VLC 0.6.2
cbeb786f0132005d VLC 0.7.2
f674c3a77cfe39d0 Winamp 2.95 / 5.1 / 5.621
90e5e8b21d7e7924 Winamp 3.0d (Build 488)
74d7f43c1561fc1e Windows Media Player 12.0.7601.17514

FileSharing/P2P
——————————————
e0f7a40340179171    imule 1.4.5 (rev. 749)
installs to .exe loc    AirDC++ 2.10
76f6f1bd18c19698        aMule 2.2.6
cb5250eaef7e3213        ApexDC++ 1.4.3.957
bfc1d76f16fa778f                Ares (Galaxy) 1.8.4 / 1.9.8 / 2.1.0 / 2.1.7.3041
depends on location     Azureus 0.9.0 (portable)
accca100973ef8dc        Azureus 2.0.8.4
ccb36ff8a8c03b4b        Azureus 2.5.0.4 / Vuze 3.0.5.0
558c5bd9f906860a        BearShare Lite 5.2.5.1
e1d47cb031dafb9f        BearShare 6.0.0.22717 / 8.1.0.70928 / 10.0.0.112380
depends on location     BitComet 0.39 (portable)
a31ec95fdd5f350f        BitComet 0.49 / 0.59 / 0.69 / 0.79 / 0.89 / 0.99 / 1.07 / 1.28
bcd7ba75303acbcf        BitLord 1.1
1434d6d62d64857d        BitLord 1.2.0-66
e73d9f534ed5618a        BitSpirit 1.2.0.228 / 2.0 / 2.6.3.168 / 2.7.2.239 / 2.8.0.072 / 3.1.0.077 / 3.6.0.550
c9374251edb4c1a8        BitTornado T-0.3.17
2d61cccb4338dfc8        BitTorrent 5.0.0 / 6.0.0 / 7.2.1 (Build 25548)
ba3a45f7fd2583e1        Blubster 3.1.1
4a7e4f6a181d3d08        broolzShare
f001ea668c0aa916        Cabos 0.8.2
depends on location     CzDC 0.699 (portable)
depends on location     Datawire 1.3 (portable)
depends on location     DC++ 0.181 (portable)
560d789a6a42ad5a        DC++ 0.261 / 0.698 / 0.782 (r2402.1)
4aa2a5710da3efe0        DCSharpHub 2.0.0
2db8e25112ab4453        Deluge 1.3.3
5b186fc4a0b40504        Dtella 1.2.5 (Purdue network only)
2437d4d14b056114        EiskaltDC++ 2.2.3
b3016b8da2077262        eMule 0.50a
cbbe886eca4bfc2d        ExoSee 1.0.0
9ad1ec169bf2da7f        FlylinkDC++ r405 (Build 7358)
4dd48f858b1a6ba7        Free Download Manager 3.0 (Build 852)
depends on location     Freenet (default install dir is C:\Users\$user\…)
depends on location     Frost 2011-03-05 (portable)
f214ca2dd40c59c1        FrostWire 4.20.9
73ce3745a843c0a4        FrostWire 5.1.4
98b0ef1c84088           fulDC 6.78
e6ea77a1d4553872        Gnucleus 1.8.6.0
ed49e1e6ccdba2f5        GNUnet 0.8.1a
cc4b36fbfb69a757        gtk-gnutella 0.97
a746f9625f7695e8        HeXHub 5.07
223bf0f360c6fea5        I2P 0.8.8 (restartable)
2ff9dc8fb7e11f39        I2P 0.8.8 (no window)
????????????????        [i2p] i2phex 3.2.0.103.0
f1a4c04eebef2906        [i2p] Robert 0.0.29 Preferences
????????????????        [i2p] Rufus 0.0.4
c8e4c10e5460b00c        iMesh 6.5.0.16898
f61b65550a84027e        iMesh 11.0.0.112351
d460280b17628695        Java Binary
depends on location     Jucy DC 0.85.0.201008281346 (portable)
784182360de0c5b6        Kazaa Lite 1.7.1
a75b276f6e72cf2a        Kazaa Lite Tools K++ 2.7.0
ba132e702c0147ef        KCeasy 0.19-rc1
a8df13a46d66f6b5        Kommute (Calypso) 0.24
depends on location     LamaHub 0.0.5.5 (portable)
c5ef839d8d1c76f4        LimeWire 5.2.13
977a5d147aa093f4        Lphant 3.51
96252daff039437a        Lphant 7.0.0.112351
e76a4ef13fbf2bb1        Manolito 3.1.1
99c15cf3e6d52b61        mldonkey 3.1.0
ff224628f0e8103c        Morpheus 3.0.3.6
depends on location     MUTE File Sharing 0.5.1 (portable)
See Java Binary ID      Nodezilla Agent 0.5.15 – built in Java
depends on location     Perfect Dark 0.883 / 0.940 / 1.06 / 1.07 (all portable)
See Java Binary ID      Phex 3.4.2 (Build 116) – built in Java
792699a1373f1386        Piolet 3.1.1
ca1eb46544793057        RetroShare 0.5.2a (Build 4550)
3cf13d83b0bd3867        RevConnect 0.674p (based on DC++)
depends on location     PtokaX DC Hub 0.4.1.2 (portable)
depends on location     RSX++ 1.21 (portable)
5e01ecaf82f7d8e Scour Exchange 0.0.0.228
depends on location     StrongDC++ 2.42 (portable)
depends on location     TkDC++ 1.3 (portable)
5d7b4175afdcc260        Shareaza 2.0.0.0
b48ce76eda60b97 Shareaza 8.0.0.112300
23f08dab0f6aaf30        SoMud 1.3.3
135df2a440abe9bb        SoulSeek 156c
ecd21b58c2f65a2f        StealthNet 0.8.7.9
5ea2a50c7979fbdc        TrustyFiles 3.1.0.22
depends on location     uTorrent 1.1.1-dev (Build 110) / 1.3.0 / 1.5.0 (all portable)
cd8cafb0fb6afdab        uTorrent 1.7.7 (Build 8179) / 1.8.5 / 2.0 / 2.21 (Build 25113) / 3.0 (Build 25583)
a75b276f6e72cf2a        WinMX 3.53
490c000889535727        WinMX 4.9.3.0
depends on location     Winny 2.0b7.1 – all languages (portable)
depends on location     xHub 0.2.6.7 (portable)
depends on location     YnHub 1.036.152 (portable)
ac3a63b839ac9d3a        Vuze 4.6.0.4

FTP
——————————————
d28ee773b2cea9b2        3D-FTP 9.0 build 7
cd2acd4089508507        AbsoluteTelnet 9.18 Lite
e6ef42224b845020        ALFTP 5.20.0.4
9e0b3f677a26bbc4        BitKinex 3.2.3
4cdf7858c6673f4b        Bullet Proof FTP 1.26
714b179e552596df        Bullet Proof FTP 2.4.0 (Build 31)
20ef367747c22564        Bullet Proof FTP 2010.75.0.75
44a50e6c87bc012 Classic FTP Plus 2.15
4fceec8e021ac978        CoffeeCup Free FTP 3.5.0.0
8deb27dfa31c5c2a        CoffeeCup Free FTP 4.4 (Build 1904)
49b5edbd92d8cd58        FTP Commander 8.02
6a316aa67a46820b        Core FTP LE 1.3c (Build 1437) / 2.2 (Build 1689)
be4875bb3e0c158f        CrossFTP 1.75a
c04f69101c131440        CuteFTP 5.0 (Build 50.6.10.2)
a79a7ce3c45d781 CuteFTP 7.1 (Build 06.06.2005.1)
59e86071b87ac1c3        CuteFTP 8.3 (Build 8.3.4.0007)
d8081f151f4bd8a5        CuteFTP 8.3 Lite (Build 8.3.4.0007)
3198e37206f28dc7        CuteFTP 8.3 Professional (Build 8.3.4.0007)
f82607a219af2999        Cyberduck 4.1.2 (Build 8999)
fa7144034d7d083d        Directory Opus 10.0.2.0.4269 (JL tasks supported)
f91fd0c57c4fe449        ExpanDrive 2.1.0
8f852307189803b8        Far Manager 2.0.1807
226400522157fe8b        FileZilla Server 0.9.39 beta
a1d19afe5a80f80 FileZilla 2.2.32
e107946bb682ce47        FileZilla 3.5.1
b7cb1d1c1991accf        FlashFXP 4.0.0 (Build 1548)
8628e76fd9020e81        Fling File Transfer Plus 2.24
27da120d7e75cf1f        pbFTPClient 6.1
f64de962764b9b0f        FTPRush 1.1.3 / 2.15
10f5a20c21466e85        FTP Voyager 15.2.0.17
7937df3c65790919        FTP Explorer 10.5.19 (Build 001)
9560577fd87cf573        LeechFTP 1.3 (Build 207)
fc999f29bc5c3560        Robo-FTP 3.7.9
c99ddde925d26df3        Robo-FTP 3.7.9 CronMaker
4b632cf2ceceac35        Robo-FTP Server 3.2.5
3a5148bf2288a434        Secure FTP 2.6.1 (Build 20101209.1254)
435a2f986b404eb7        SmartFTP 4.0.1214.0
explorer integrated     Swish
e42a8e0f4d9b8dcf        Sysax FTP Automation 5.15
b8c13a5dd8c455a2        Titan FTP Server 8.40 (Build 1338)
7904145af324576e        Total Commander 7.56a (Build 16.12.2010)
79370f660ab51725        UploadFTP 2.0.1.0
6a8b377d0f5cb666        WinSCP 2.3.0 (Build 146)
9a3bdae86d5576ee        WinSCP 3.2.1 (Build 174) / 3.8.0 (Build 312)
6bb54d82fa42128d        WinSCP 4.3.4 (Build 1428)
b6267f3fcb700b60        WiseFTP 4.1.0
a581b8002a6eb671        WiseFTP 5.5.9
2544ff74641b639d        WiseFTP 6.1.5
c54b96f328bdc28d        WiseFTP 7.3.0
Web-based                       WS_FTP

IM
——————————————
b3965c840bf28ef4        AIM 4.8.2616
1b29f0dc90366bb         AIM 5.9.3857
27ececd8d89b6767        AIM 6.2.14.2 / 6.5.3.12 / 6.9.17.2
6f647f9488d7a           AIM 7.5.11.9 (custom AppID + JL support)
ca942805559495e9        aMSN 0.98.4
c6f7b5bf1b9675e4        BitWise IM 1.7.3a
fb1f39d1f230480a        Bopup Messenger 5.6.2.9178 (all languages: en,du,fr,ger,rus,es)
dc64de6c91c18300        Brosix Communicator 3.1.3 (Build 110719 nid 1)
f09b920bfb781142        Camfrog 4.0.47 / 5.5.0 / 6.1 (build 146) (JL support)
ebd8c95d87f25154        Carrier 2.5.5
depends on location     Coccinella Messenger 0.96.20 (portable)
30d23723bdd5d908        Digsby (Build 30140) (JL support)
728008617bc3e34b        eM Client 3.0.10206.0
689319b6547cda85        emesene 2.11.7
454ef7dca3bb16b2        Exodus 0.10.0.0
cca6383a507bac64        Gadu-Gadu 10.5.2.13164
4278d3dc044fc88a        Gaim 1.5.0
777483d3cdac1727        Gajim 0.14.4
6aa18a60024620ae        GCN 2.9.1
3f2cd46691bbee90        GOIM 1.1.0
73c6a317412687c2        Google Talk 1.0.0.104
b0236d03c0627ac4        ICQ 5.1 / ICQLite Build 1068
a5db18f617e28a51        ICQ 6.5 (Build 2024)
2417caa1f2a881d4        ICQ 7.6 (Build 5617)
recognized VM           inSpeak 7.2.0.540
989d7545c2b2e7b2        IMVU 465.8.0.0
a3e0d98f5653b539        Instantbird 1.0 (20110623121653) (JL support)
bcc705f705d8132b        Instan-t 5.2 (Build 2824)
6059df4b02360af         Kadu 0.10.0 / 0.6.5.5
c312e260e424ae76        Mail.Ru Agent 5.8 (JL support)
22cefa022402327d        Meca Messenger 5.3.0.52
depends on location     Mercury Messenger (portable)
86b804f7a28a3c17        Miranda IM 0.6.8 / 0.7.6 / 0.8.27 / 0.9.9 / 0.9.29 (ANSI + Unicode)
b868d9201b866d96        Microsoft Lync 4.0.7577.0
8c816c711d66a6b5        MSN Messenger 6.2.0137 / 7.0.0820
depends on location     MSNPSharp (portable)
2d1658d5dc3cbe2d        MySpaceIM 1.0.823.0 Beta
bf9ae1f46bd9c491        Nimbuzz 2.0.0 (rev 6266)
fb7ca8059b8f2123        ooVoo 3.0.7.21
efb08d4e11e21ece        Paltalk Messenger 10.0 (Build 409)
4f24a7b84a7de5a6        Palringo 2.6.3 (r45983)
e93dbdcede8623f2        Pandion 2.6.106
aedd2de3901a77f4        Pidgin 2.0.0 / 2.10.0 / 2.7.3
c5236fd5824c9545        PLAYXPERT 1.0.140.2822
dee18f19c7e3a2ec        PopNote 5.21
1a60b1067913516a        Psi 0.14
e0532b20aa26a0c9        QQ International 1.1 (2042)
3c0022d9de573095        QuteCom 2.2
93b18adf1d948fa3        qutIM 0.2
e0246018261a9ccc        qutIM 0.2.80.0
2aa756186e21b320        RealTimeQuery 3.2
521a29e5d22c13b4        Skype 1.4.0.84 / 2.5.0.154 / 3.8.0.139 / 4.2.0.187 / 5.3.0.120 / 5.5.0.115 / 5.5.32.117
70b52cf73249257         Sococo 1.5.0.2274
d41746b133d17456        Tkabber 0.11.1
c8aa3eaee3d4343d        Trillian 0.74 / 3.1 / 4.2.0.25 / 5.0.0.35 (JL support)
d7d647c92cd5d1e6        uTalk 2.6.4 r47692
36c36598b08891bf        Vovox 2.5.3.4250
884fd37e05659f3a        VZOchat 6.3.5
3461e4d1eb393c9c        WTW 0.8.18.2852 / 0.8.19.2940
f2cb1c38ab948f58        X-Chat 1.8.10 / 2.6.9 / 2.8.9
4e0ac37db19cba15        Xfire 1.138 (Build 44507)
da7e8de5b8273a0f        Yahoo Messenger 5.0.0.1226 / 6.0.0.1922
62dba7fb39bb0adc        Yahoo Messenger 7.5.0.647 / 8.1.0.421 / 9.0.0.2162 / 10.0.0.1270
fb230a9fe81e71a8        Yahoo Messenger 11.0.0.2014-us
b06a975b62567622        Windows Live Messenger 8.5.1235.0517 BETA
bd249197a6faeff2        Windows Live Messenger 2011

IRC
——————————————
b223c3ffbc0a7a42        Bersirc 2.2.14
c01d68e40226892b        ClicksAndWhistles 2.7.146
ac8920ed05001800        DMDirc 0.6.5 (Profile store: C:\Users\$user\AppData\Roaming\DMDirc\)
d3530c5294441522        HydraIRC 0.3.165
8904a5fd2d98b546        IceChat 7.70 20101031
6b3a5ce7ad4af9e4        IceChat 9 RC2
fa496fe13dd62edf        KVIrc 3.4.2.1 / 4.0.4
65f7dd884b016ab2        LimeChat 2.39
19ccee0274976da8        mIRC 4.72 / 5.61
ae069d21df1c57df        mIRC 6.35 / 7.19
e30bbea3e1642660        Neebly 1.0.4
54c803dfc87b52ba        Nettalk 6.7.12
dd658a07478b46c2        PIRCH98 1.0.1.1190
depends on location     Quassel IRC 0.7.1 (portable)
6fee01bd55a634fe        Smuxi 0.8.0.0
2a5a615382a84729        X-Chat 2 2.8.6-2

Usenet
——————————————
ace8715529916d31        40tude Dialog 2.0.15.1 (Beta 38)
cc76755e0f925ce6        AllPicturez 1.2
36f6bc3efe1d99e0        Alt.Binz 0.25.0 (Build 27.09.2007)
d53b52fb65bde78c        Android Newsgroup Downloader 6.2
c845f3a6022d647c        Another File 2.03 (Build 2/7/2004)
780732558f827a42        AutoPix 5.3.3
baea31eacd87186b        BinaryBoy 1.97 (Build 55)
eab25958dbddbaa4        Binary News Reaper 2 (Beta 0.14.7.448)
bf483b423ebbd327        Binary Vortex 5.0
36801066f71b73c5        Binbot 2.0
13eb0e5d9a49eaef        Binjet 3.0.2
8172865a9d5185cb        Binreader 1.0 (Beta 1)
6224453d9701a612        BinTube 3.7.1.0 (requires VLC 10.5!)
cf6379a9a987366e        Digibin 1.31
43886ba3395acdcc        Easy Post 3.0
cfab0ec14b6f953         Express NewsPictures 2.41 (Build 08.05.07.0)
7526de4a8b5914d9        Forte Agent 6.00 (Build 32.1186)
c02baf50d02056fc        FotoVac 1.0
3ed70ef3495535f7        Gravity 3.0.4
86781fe8437db23e        Messenger Pro 2.66.6.3353
f920768fe275f7f4        Grabit 1.5.3 Beta (Build 909) / 1.6.2 (Build 940) / 1.7.2 Beta 4 (Build 997)
9f03ae476ad461fa        GroupsAloud 1.0
d0261ed6e16b200b        News File Grabber 4.6.0.4
8211531a7918b389        Newsbin Pro 6.00 (Build 1019) (JL support)
d1fc019238236806        Newsgroup Commander Pro 9.05
186b5ccada1d986b        NewsGrabber 3.0.36
4d72cfa1d0a67418        Newsgroup Image Collector
92f1d5db021cd876        NewsLeecher 4.0 / 5.0 Beta 6
d7666c416cba240c        NewsMan Pro 3.0.5.2
7b2b4f995b54387d        News Reactor 20100224.16
cb984e3bc7faf234        NewsRover 17.0 (Rev.0)
c98ab5ccf25dda79        NewsShark 2.0
dba909a61476ccec        NewsWolf 1.41
2b164f512891ae37        NewsWolf NSListGen
cb1d97aca3fb7e6b        Newz Crawler 1.9.0 (Build 4100)
3be7b307dfccb58f        NiouzeFire 0.8.7.0
de76415e0060ce13        Noworyta News Reader 2.9
cd40ead0b1eb15ab        NNTPGrab 0.6.2
d5c02fc7afbb3fd4        NNTPGrab 0.6.2 Server
a4def57ee99d77e9        Nomad News 1.43
3f97341a65bac63a        Ozum 6.07 (Build 6070)
bfe841f4d35c92b1        QuadSucker/News 5.0
web-based                       sabnzbd 0.6.8
d3c5cf21e86b28af        SeaMonkey 2.3.3
7a7c60efd66817a2        Spotnet 1.7.4
eb3300e672136bc7        Stream Reactor 1.0 Beta 9 (uses VLC!)
3168cc975b354a01        Sylpheed 3.1.2 (Build 1120)
776beb1fcfc6dfa5        Thunderbird 1.0.6 (20050716) / 3.0.2
3d877ec11607fe4         Thunderbird 6.0.2
7192f2de78fd9e96        TIFNY 5.0.3
9dacebaa9ac8ca4e        TLNews Newsreader 2.2.0 (Build 2430)
7fd04185af357bd5        UltraLeecher 1.7.0.2969 / 1.8 Beta (Build 3490)
aa11f575087b3bdc        Unzbin 2.6.8
pay only                Usenet Explorer 3.3
d7db75db9cdd7c5d        Xnews 5.04.25

System Cleaners
——————————————
ed7a5cc3cca8d52a        CCleaner 1.32.345 / 1.41.544 / 2.36.1233 / 3.10.1525
eb7e629258d326a1        WindowWasher 6.6.1.18

File Locations
- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)

Research Links

Please check out the original blog post for which this information was gathered. It provides additional information and a nice layout for the AppIDs.
http://4n6k.blogspot.com/2011/09/jump-list-forensics-appids-part-1.html
http://4n6k.blogspot.com/2011/09/jump-list-forensics-appids-part-2.html

References

  1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson) – http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public
  2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty) – http://blogs.msdn.com/b/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx
  3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett) – http://www.alexbarnett.com/jumplistforensics.pdf
  4. Application User Model IDs (AppUserModelIDs) (by MSDN) – http://msdn.microsoft.com/en-us/library/dd378459(v=vs.85).aspx
  5. Developing for the Windows 7 Taskbar – Application ID (by Yochay Kiriaty) – http://windowsteamblog.com/windows/b/developers/archive/2009/06/18/developing-for-the-windows-7-taskbar-application-id.aspx
  6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty) – http://windowsteamblog.com/windows/b/developers/archive/2009/06/25/developing-for-the-windows-7-taskbar-jump-into-jump-lists-part-2.aspx
  7. ForensicsWiki List of Jump List IDs – http://www.forensicswiki.org/wiki/List_of_Jump_List_ID


NetworkList (Vista/Windows 7)


Author Name
H. Carvey

Artifact Name
NetworkList

Artifact/Program Version
RegRipper w/ networklist.pl plugin v.20090812

Description
Vista and Windows 7 maintain a Registry key named "NetworkList":
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

This key holds profiles for the managed and unmanaged networks the
system has connected to, wired and wireless. For each network it
records the network name (the SSID for a wireless network), the date
the profile was created, the date it was last connected to, and the
MAC address of the default gateway (for a wireless network, normally
the access point). The Profiles subkey carries the name, the NameType
(wired or wireless) and the two dates, stored as 16-byte SYSTEMTIME
structures; the Signatures\Managed and Signatures\Unmanaged subkeys
carry the gateway MAC and DNS suffix and point back at the profile by
GUID. The gateway MAC can be looked up in a Wi-Fi positioning database
such as SkyHook and the result placed on a Google Map.
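What a parser has to do with those values, as an added example that is not part of this post and is not RegRipper's networklist.pl: decode the SYSTEMTIME dates, format the gateway MAC, and join each profile to the signature entry that points at it. The profile GUIDs, the signature key names, the network names and the MACs below are constructed to look like the registry values, so the script runs offline without a hive.

```python
"""Decode the NetworkList values that matter for a connection timeline.

Added example, not part of the original post and not RegRipper's
networklist.pl. It reads no hive: the sample profiles and signatures below
are constructed to look like the values under the Profiles and
Signatures\\Unmanaged subkeys, so it runs offline.
"""
import struct
from datetime import datetime

# NameType values seen under Profiles\{GUID}; anything else is reported raw.
NAME_TYPES = {0x06: "wired", 0x47: "wireless"}


def parse_systemtime(raw: bytes) -> datetime:
    """DateCreated and DateLastConnected are 16-byte SYSTEMTIME structures:
    eight little-endian WORDs (year, month, day-of-week, day, hour, minute,
    second, millisecond). Day-of-week is redundant and ignored. SYSTEMTIME
    carries no zone; check the system's TimeZoneInformation before treating
    the result as UTC."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes, got %d" % len(raw))
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def format_mac(raw: bytes) -> str:
    """DefaultGatewayMac is a 6-byte REG_BINARY value."""
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes, got %d" % len(raw))
    return ":".join("%02x" % b for b in raw)


def network_timeline(profiles: dict, signatures: dict) -> list:
    """Join each Profiles\{GUID} entry with the Signatures entry whose
    ProfileGuid points at it; most recent connection first."""
    sig_by_guid = {sig["ProfileGuid"]: sig for sig in signatures.values()}
    rows = []
    for guid, prof in profiles.items():
        sig = sig_by_guid.get(guid)
        rows.append({
            "name": prof["ProfileName"],
            "type": NAME_TYPES.get(prof["NameType"], "0x%02x" % prof["NameType"]),
            "managed": bool(prof.get("Managed", 0)),
            "created": parse_systemtime(prof["DateCreated"]),
            "last_connected": parse_systemtime(prof["DateLastConnected"]),
            "gateway_mac": format_mac(sig["DefaultGatewayMac"]) if sig else None,
            "dns_suffix": sig["DnsSuffix"] if sig else None,
        })
    rows.sort(key=lambda r: r["last_connected"], reverse=True)
    return rows


# Constructed sample data shaped like the registry values (not a real hive).
SAMPLE_PROFILES = {
    "{11111111-1111-1111-1111-111111111111}": {
        "ProfileName": "CoffeeShopWiFi",
        "NameType": 0x47,
        "Managed": 0,
        "DateCreated": struct.pack("<8H", 2011, 3, 2, 15, 9, 12, 30, 0),
        "DateLastConnected": struct.pack("<8H", 2011, 5, 5, 27, 14, 3, 9, 250),
    },
    "{22222222-2222-2222-2222-222222222222}": {
        "ProfileName": "corp.example",
        "NameType": 0x06,
        "Managed": 1,
        "DateCreated": struct.pack("<8H", 2010, 11, 1, 1, 8, 0, 0, 0),
        "DateLastConnected": struct.pack("<8H", 2011, 4, 1, 4, 17, 45, 0, 0),
    },
}
SAMPLE_SIGNATURES = {
    # Key names are the long hex signature hashes Windows computes; made up here.
    "010103000F0000F0080000000F0000F0AAAA": {
        "ProfileGuid": "{11111111-1111-1111-1111-111111111111}",
        "DefaultGatewayMac": bytes.fromhex("001a2b3c4d5e"),
        "DnsSuffix": "<none>",
    },
    "010103000F0000F0080000000F0000F0BBBB": {
        "ProfileGuid": "{22222222-2222-2222-2222-222222222222}",
        "DefaultGatewayMac": bytes.fromhex("00215a7c9e10"),
        "DnsSuffix": "corp.example",
    },
}


def report(rows: list) -> str:
    fmt = "%-16s %-9s %-19s %-19s %-17s %s"
    lines = [fmt % ("network", "type", "created", "last connected", "gateway MAC", "DNS suffix")]
    for r in rows:
        lines.append(fmt % (r["name"], r["type"],
                            r["created"].strftime("%Y-%m-%d %H:%M:%S"),
                            r["last_connected"].strftime("%Y-%m-%d %H:%M:%S"),
                            r["gateway_mac"], r["dns_suffix"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(network_timeline(SAMPLE_PROFILES, SAMPLE_SIGNATURES)))
```

On a real case the two dicts would be filled from the exported SOFTWARE hive; the sort by DateLastConnected is what turns the key into a timeline, and the gateway MAC column is the value to feed to a positioning lookup.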

Registry Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList (Updated 6/3- Thanks to Troy)

File Locations
Software Hive

Forensic Programs of Use
RegRipper w/ networklist.pl plugin

Evernote note storage


Author Name
Joseph W Shaw II

Artifact Name
Evernote note storage

Program Version
Evernote 4.3.1.4479

Description
Evernote is a tool used to capture, store, and share ideas and
information in the form of multimedia notes mixing text, images, PDFs,
and other document types into searchable "notes." These notes are
stored in an SQLite database (the .exb file). SQLite does not zero out
a deleted record: its space is only marked free and is reused by later
inserts, so the contents of deleted notes can remain inside the
database until they are overwritten. Such records no longer appear in
SQL queries, but can be found when the database is viewed in text or
hex view.
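The retention behaviour described above, as an added example that is not from the post's author or from Evernote: a throw-away SQLite file with a constructed notes table (not the real .exb schema) shows that a deleted note's text is still in the raw file after DELETE, that a text-view style carve finds it while a SELECT does not, and that VACUUM or secure_delete removes it. The note texts and the file name are made up.

```python
"""Why a deleted Evernote note can still turn up in a text or hex search of
the .exb file, and what makes it disappear.

Added example, not from the post's author or from Evernote: it builds a
throw-away SQLite database with a constructed 'notes' table (not the real
.exb schema) so it runs offline.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample notes; the second one is the one we delete.
NOTES = [
    ("Grocery list", "milk, eggs, bread"),
    ("Meeting", "Wire transfer reference 7781-ALPHA goes out Friday"),
    ("Reminder", "renew passport before June"),
]
NEEDLE = b"7781-ALPHA"   # text that exists only in the deleted note


def build_db(path: str) -> None:
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (title, body) VALUES (?, ?)", NOTES)
    conn.close()


def delete_note(path: str, title: str, secure: bool) -> None:
    conn = sqlite3.connect(path, isolation_level=None)
    # With secure_delete OFF (SQLite's usual default) the freed cell keeps its
    # bytes until a later insert reuses that space; ON zero-fills it instead.
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure else "OFF"))
    conn.execute("DELETE FROM notes WHERE title = ?", (title,))
    conn.close()


def vacuum(path: str) -> None:
    # VACUUM rebuilds the file from the live rows only, dropping every freed
    # cell and free page, so residue does not survive it.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("VACUUM")
    conn.close()


def live_titles(path: str) -> list:
    """What SQL (and Evernote itself) still sees."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT title FROM notes ORDER BY id")]
    conn.close()
    return rows


def raw_contains(path: str, needle: bytes) -> bool:
    """The hex-view check: is the byte string anywhere in the file?"""
    with open(path, "rb") as f:
        return needle in f.read()


def carve_strings(path: str, min_len: int = 12) -> list:
    """Printable-ASCII runs from the raw file, i.e. the text-view search.
    Deleted rows show up here but not in live_titles()."""
    with open(path, "rb") as f:
        data = f.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def demo(secure_delete: bool = False) -> dict:
    """Delete one note and report where its text can still be found."""
    path = os.path.join(tempfile.mkdtemp(), "notes.exb")
    build_db(path)
    delete_note(path, "Meeting", secure_delete)
    result = {
        "live_titles": live_titles(path),
        "after_delete": raw_contains(path, NEEDLE),
        "carved": [s for s in carve_strings(path) if "7781" in s],
    }
    vacuum(path)
    result["after_vacuum"] = raw_contains(path, NEEDLE)
    return result


if __name__ == "__main__":
    print(demo(secure_delete=False))
    print(demo(secure_delete=True))
```

The practical consequence: a hit from a text or hex search of the .exb that has no matching live row is a deleted (or superseded) note, and a database that has been vacuumed, or written by a build with secure_delete on, will yield no such hits.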

File Locations
On Windows 7: C:\Users\\AppData\Local\Evernote\Evernote\Database\.exb

Forensic Programs of Use
SQLite Database Browser
EnCase 6.18.1.3 64bit

Old Record Search Hit

Volume Shadow Copies


Author Name
BryanTheSnail

Artifact Name
Volume Shadow Copies

Artifact/Program Version
Windows 7

Description
This method allows EnCase users to explore the contents of Volume
Shadow Copies. As yet I have only tested this on a Windows 7 x64
machine; I cannot say how effective it will be on other systems.

Most of this method originates from the paper on the antiforensics.net
website from the attached link. (This was a repost of Harlan's entry on
the Windows IR Blog; see the updated link under "Research Links".)

1. Use the EnScript from Lance Mueller to export a raw 'dd' image of
your drive from the evidence file.
2. Use VHDTool to turn the dd image into a VHD. Its /convert option
appends a VHD footer to the raw image in place, so run it on a copy
rather than on your only image.
3. Open Disk Management (click Start and enter diskmgmt.msc into the
search field).
4. Attach the VHD as a virtual disk (Action > Attach VHD), ticking
"Read-only" so nothing is written to the evidence.

5. This step needs more testing and unfortunately I do not have the
time to do it. If you try to use Shadow Explorer at this stage it will
be unable to see the virtual disk. There may be a command
line/registry hack which will enable this, but I have not yet explored
this option. The solution I did find was to reboot the machine. Once
rebooted, Shadow Explorer can quite happily access the Volume Shadow
Copies and allows you to export any relevant files. There is no search
option, unfortunately.
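A command-line route to the same shadow copies, as an added example that is not part of this post and is not the author's method: once the attached VHD's shadow copies are visible to the system, `vssadmin list shadows` (elevated prompt) enumerates them and `mklink /d` exposes each one as a directory, so EnCase, a hash set or a plain file search can be run over it (Shadow Explorer has no search option). The script parses a constructed sample of vssadmin's output and builds the mklink commands; the sample text, the host name SUSPECT-PC, the volume GUID and the mount root C:\vsc are assumptions.

```python
"""Parse `vssadmin list shadows` output and build `mklink /d` commands that
expose each shadow copy as a directory.

Added example, not from the post's author. The sample output below is
constructed (host name, GUIDs and dates are made up) so the script runs
anywhere; on the examination machine feed it the real vssadmin output.
"""
import re

# Constructed sample, shaped like `vssadmin list shadows /for=F:` output.
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {a1b2c3d4-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 5/20/2011 9:14:02 AM
      Shadow Copy ID: {a1b2c3d4-0000-0000-0000-00000000aaaa}
         Original Volume: (F:)\\?\Volume{5e2c0001-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: SUSPECT-PC
         Service Machine: SUSPECT-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {a1b2c3d4-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 5/24/2011 11:02:37 PM
      Shadow Copy ID: {a1b2c3d4-0000-0000-0000-00000000bbbb}
         Original Volume: (F:)\\?\Volume{5e2c0001-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: SUSPECT-PC
         Service Machine: SUSPECT-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def parse_vssadmin(text: str) -> list:
    """Turn vssadmin output into dicts with id, created, drive, volume and
    device. A set can hold several copies (one per volume), so the creation
    time is carried forward until the next set header."""
    shadows, created, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained ") and "creation time:" in line:
            created = line.split("creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):
            cur = {"id": line.split(":", 1)[1].strip(), "created": created}
            shadows.append(cur)
        elif cur is not None and line.startswith("Original Volume:"):
            vol = line.split(":", 1)[1].strip()
            m = re.match(r"\(([A-Z]):\)(.*)", vol)   # drive letter is optional
            cur["drive"] = m.group(1) if m else None
            cur["volume"] = m.group(2) if m else vol
        elif cur is not None and line.startswith("Shadow Copy Volume:"):
            cur["device"] = line.split(":", 1)[1].strip()
    return shadows


def mklink_commands(shadows: list, mount_root: str = r"C:\vsc") -> list:
    """One `mklink /d` per copy, to be run from an elevated cmd.exe. The
    trailing backslash after the device path is required: without it the
    link is created but shows an empty directory."""
    cmds = []
    for s in shadows:
        n = re.search(r"HarddiskVolumeShadowCopy(\d+)$", s["device"]).group(1)
        link = "%s\\%s_vsc%s" % (mount_root, s["drive"] or "vol", n)
        cmds.append('mklink /d "%s" %s\\' % (link, s["device"]))
    return cmds


if __name__ == "__main__":
    for s in parse_vssadmin(SAMPLE_VSSADMIN):
        print("%s  created %s  %s" % (s["id"], s["created"], s["device"]))
    for c in mklink_commands(parse_vssadmin(SAMPLE_VSSADMIN)):
        print(c)
```

When finished, `rmdir C:\vsc\F_vsc3` removes the link without touching the shadow copy; do not use `rd /s`, which would recurse into it.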

Registry Keys
Various

File Locations
System Restore

Research Links

http://windowsir.blogspot.com/2011/01/accessing-volume-shadow-copies.html

http://www.forensickb.com/2007/07/export-encase-evidence-file-to-dd.html

http://archive.msdn.microsoft.com/vhdtool

http://www.shadowexplorer.com/

Forensic Programs of Use
Encase
VHDTool
Shadow Explorer

5/27/11- Changed the link for the AntiForensics.net reference in this post with the link to the original Windows IR Blog post by Harlan Carvey.

Google Chrome Browser Profile (Windows Vista/Windows 7)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Windows Vista/Windows 7)

Artifact/Program Version
Windows Vista/Windows 7

Description
Obtaining information on the user's browsing habits is a step in a lot of digital forensics investigations. We see lots of articles on IE and Firefox, but what about Google's Chrome browser? Like Firefox before it, Chrome is steadily gaining browser market share. This post points out where to find the Chrome user's profile folder. Most times this will be named "Default", but be on the lookout for multiple profiles (additional ones live in sibling folders named "Profile 1", "Profile 2" and so on). Once you locate and extract the Chrome profile folder (listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to parse the information stored within it. Copy the folder out rather than opening the files in place on a live system, since Chrome keeps its databases locked while it is running. You will get the following data, most of which is stored in SQLite files:

History (web history, downloads and search terms)

Cookies

Web Logins (stored in a separate SQLite file)

Archived History (older web history and search terms)

Bookmarks (a JSON file, not SQLite)
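What ChromeAnalysis and ChromeForensics do with the History file, as an added example that is not part of this post and is not either tool's code: a SQL query joining visits to the URLs and to the referring visit, plus the timestamp conversion, since Chrome stores times as microseconds since 1601-01-01 UTC (not Unix time). It builds a constructed, throw-away History database with only the columns it uses; the URLs, titles and times are made up.

```python
"""Query a Chrome History database and convert its WebKit timestamps.

Added example, not part of the original post and not ChromeAnalysis or
ChromeForensics code. Only the columns used here are created, in a
constructed throw-away copy of the database, so it runs offline.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta

WEBKIT_EPOCH = datetime(1601, 1, 1)
SAMPLE_T1 = 13000000000000000   # 2012-12-14 23:06:40 UTC, a made-up visit time


def webkit_to_datetime(us: int):
    """last_visit_time / visit_time are microseconds since 1601-01-01 UTC;
    0 means 'never' and comes back as None."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None


def datetime_to_webkit(dt: datetime) -> int:
    d = dt - WEBKIT_EPOCH
    return (d.days * 86400 + d.seconds) * 1000000 + d.microseconds


def build_sample_history(path: str) -> None:
    """Constructed subset of the History schema plus sample rows."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER,
            hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, from_visit INTEGER, transition INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
            lower_term TEXT, term TEXT);
    """)
    t1 = SAMPLE_T1
    t2 = t1 + 90 * 1000000           # 90 seconds later
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://www.google.com/search?q=wipe+free+space",
         "wipe free space - Google Search", 1, 1, t1, 0),
        (2, "https://example.org/tools/", "Tools", 1, 0, t2, 0),
    ])
    # transition: the low byte is the core type (1 = typed, 0 = link);
    # from_visit links a click back to the visit it came from.
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t1, 0, 1),
        (2, 2, t2, 1, 0),
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 1, "wipe free space", "wipe free space"))
    conn.commit()
    conn.close()


def visit_timeline(path: str) -> list:
    """(UTC time, url, title, referring url) per visit, oldest first."""
    conn = sqlite3.connect(path)
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, ref_u.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits ref ON ref.id = v.from_visit
        LEFT JOIN urls ref_u ON ref_u.id = ref.url
        ORDER BY v.visit_time
    """).fetchall()
    conn.close()
    out = []
    for t, url, title, ref in rows:
        when = webkit_to_datetime(t)
        out.append((when.strftime("%Y-%m-%d %H:%M:%S UTC") if when else "never",
                    url, title, ref))
    return out


def search_terms(path: str) -> list:
    """(term, search url, ISO UTC time of last visit), oldest first."""
    conn = sqlite3.connect(path)
    rows = conn.execute("""
        SELECT k.term, u.url, u.last_visit_time
        FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
        ORDER BY u.last_visit_time
    """).fetchall()
    conn.close()
    return [(term, url, webkit_to_datetime(t).isoformat() if t else None)
            for term, url, t in rows]


def demo() -> dict:
    # Work on a copy: Chrome keeps the live History file locked while running.
    path = os.path.join(tempfile.mkdtemp(), "History")
    build_sample_history(path)
    return {"visits": visit_timeline(path), "searches": search_terms(path)}


if __name__ == "__main__":
    for row in demo()["visits"]:
        print(row)
```

Point `visit_timeline()` and `search_terms()` at the History file extracted from the profile folder; the same epoch conversion applies to the downloads table and to Cookies.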

File Locations
HardDrive\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default
HardDrive\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Profile 1 (and Profile 2, Profile 3 and so on for additional profiles)


Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70