Posted: Thu Dec 31, 2015 5:48 am Post subject: Jump List Data
First question, so hello to everyone!
I have a question re jump list data. I am looking for whether a file has been viewed on a computer and intend to look at the jump lists. The prosecution are alleging there is a deleted jump list record which has the target file name.
Firstly, are deleted jump list records recoverable?
Secondly, for videos, would a timestamp be available?
Thirdly, in the case of a video, would a jumplist record prove that it was actually viewed? Is it possible the jump list record could have been created by another app or automatic process? I am thinking anti virus, movement to the recycle bin or anything else.
If not, I presume that it could only prove that the item was at some stage opened by an application and of course isn't conclusive evidence that a video had actually been viewed.
There is a lot of information available about Jump Lists, including this research paper: "http://www.champlain.edu/Documents/LCDI/Jump%20List%20Forensics.pdf" and a good article by Harlan Carvey "http://windowsir.blogspot.com/2011/12/jump-list-analysis.html". (There are plenty more, just DuckDuckGo, Google, or Bing, or whatever)
Perhaps those will help you understand what a Jump List indicates. (Pointing that out in an effort to correct your perception that a Jump List shows that something has been viewed rather than opened. How can you say something was viewed without an eyewitness? It is critical for even novice forensic examiners to use the precise (and correct) terminology.)
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum