Wednesday, July 18, 2018

Daily Blog #426: Directory Copy and Paste Artifacts in Windows 10

Hello Reader,
I've talked about this in the Forensic Lunch and I think showed it once in a Test Kitchen, but I don't think I've written about it in the blog. Reading the ongoing discussion on Twitter about the need to document beyond tweets and videos (you should read Brett Shavers' post here) led me to understand that I need to put it in the blog as well to make it more accessible long term. In my mind I've already shown and shared this, but I can't expect that everyone has watched and memorized the 100+ episodes of the Forensic Lunch.

So, new as of at least Windows 10 (this needs to be tested on Windows 7 and Windows 8), there is now a jumplist that captures the full path of every directory that is copied and pasted. For those of you doing external device investigations, that means we have a data source that will show us what data our suspects have been copying and pasting onto external drives ... but only if what they are copying and pasting is a directory. Individual files being copied and pasted do not appear to be tracked, just directories.

You will want to look into the jumplist with AppID f01b4d95cf55d32a, and within it you will find an entry for every directory that has been pasted. You will not get the source location but rather the destination, which in my mind is more useful. The associated MRU date and the creation time of the directory will show you when as well.
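As an added example (not from the original post), here is one way to list pasted-directory destinations with their MRU dates from the DestList stream of the f01b4d95cf55d32a jumplist. It assumes the stream has already been extracted from the jumplist's compound file, and the header size, field offsets and version check are assumptions taken from public reverse-engineering notes on the undocumented Windows 10 DestList layout. The sample stream and its paths are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32        # assumed DestList header length
FIXED_ENTRY_SIZE = 130  # assumed fixed part of a Windows 10 entry
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_destlist(stream):
    """Return [(mru_utc, entry_number, path)], newest first."""
    if len(stream) < HEADER_SIZE:
        raise ValueError("stream shorter than the DestList header")
    version, count = struct.unpack_from("<II", stream, 0)
    if version < 3:  # assumption: versions 3 and 4 use the Windows 10 layout
        raise ValueError("version %d is not the Windows 10 layout" % version)
    entries, off = [], HEADER_SIZE
    for _ in range(count):
        if off + FIXED_ENTRY_SIZE > len(stream):
            break  # truncated stream: keep what parsed cleanly
        (entry_no,) = struct.unpack_from("<I", stream, off + 88)
        (filetime,) = struct.unpack_from("<Q", stream, off + 100)  # MRU time
        (nchars,) = struct.unpack_from("<H", stream, off + 128)
        start = off + FIXED_ENTRY_SIZE
        end = start + nchars * 2  # path is UTF-16LE, length in characters
        if end > len(stream):
            break  # path runs past the end of the stream
        path = stream[start:end].decode("utf-16-le", errors="replace")
        mru = EPOCH_1601 + timedelta(microseconds=filetime // 10)
        entries.append((mru, entry_no, path))
        off = end + 4  # four trailing bytes follow each Windows 10 path
    return sorted(entries, reverse=True)

def build_sample(rows, version=4):
    """Constructed test data: rows of (utc datetime, pasted directory path)."""
    out = bytearray(struct.pack("<II", version, len(rows)).ljust(HEADER_SIZE, b"\0"))
    for number, (when, path) in enumerate(rows, start=1):
        fixed = bytearray(FIXED_ENTRY_SIZE)
        ticks = (when - EPOCH_1601) // timedelta(microseconds=1) * 10
        struct.pack_into("<I", fixed, 88, number)
        struct.pack_into("<Q", fixed, 100, ticks)
        struct.pack_into("<H", fixed, 128, len(path))
        out += fixed + path.encode("utf-16-le") + b"\0" * 4
    return bytes(out)

SAMPLE = build_sample([  # constructed destinations on a hypothetical E: drive
    (datetime(2018, 7, 17, 9, 30, tzinfo=timezone.utc), "E:\\Backup\\Projects"),
    (datetime(2018, 7, 18, 14, 5, tzinfo=timezone.utc), "E:\\Clients 2018"),
])

if __name__ == "__main__":
    for mru, number, path in parse_destlist(SAMPLE):
        print(mru.isoformat(), number, path)
```

Compare each MRU date against the creation time of the destination directory on the external drive, as the post suggests, before treating it as the paste time.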