Daily Blog #213: Let's Talk about MTP Part 5

Let's Talk about MTP Part 5 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
         Yesterday we went through the temporary directory that stores files accessed from MTP devices.In our first post in the series we talked about the ability to recover MTP accesses from shellabgs, and if you read Nicole's post you'll see about her ability to recover files accessed from the WPDNSE directory. In my testing, using different applications than Nicole, I could not get a LNK file to be created from any of the following file types:
  • docx - MS Word 2010 
  • png - Microsoft Media Viewer
  • pl - Activestate Komodo
  • txt - Notepad
I even checked the office recent documents folder and found no LNK files that pointed to these files, those directories or the MTP device.

I did find an entry in the Windows Explorer Pinned and Recent Jumplist AppID 1b4dd67f29cb1962 looking each jumplist with a hex editor. What was interesting is how different Jumplist parsers handled this entry. I tested this jumplist with two different jumplist parsers.

Tzworks jmp v.25 64 bit did not show the entry
Woanware jumplister provided the following in the 'destlist' entry but could not parse out the entry.
1/23/2014 2:44
1/1/0001 12:00:00 AM 1/1/0001 12:00:00 AM ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\\?\usb#vid_19d2&pid_0307#p752a15#{6ac27878-a6fa-4155-ba85-f98f491d4f33}\SID-{10001,,2410917888}\{00000025-0001-0001-0000-000000000000}

 This is very interesting as the raw hex showed the following providing a translation of the folder GUID to the name of the folder on the MTP device itself.

Here you can see the folder name 'Test' (yes I'm very original in my directory naming) and the folder GUID found in the WPDNSE directory '00000025-0001-0001-0000-000000000000'. This is similar to the shell bags entry Nicole found and TzWorks not successfully parses in v.36 of Sbags.

[1] New Folder; [2] {00000025-0001-0001-0000-000000000000}; [3] Name : New Folder; [4] ObjId : o25; [5] FuncObjId : s10001; [6] UniqueId : {00000025-0001-0001-0000-000000000000}
 It looks like we need to get out jumplist parsing tools to also support the MTP structures that other tools have had to do.

Tomorrow let's talk about what the USN Journal shows us.

Also Read: 

Post a Comment