Jump List AppId lookup via Python

While I was reviewing the SANS Artifacts poster, I decided why not try and write a python script to do something simple with them.

While looking at the AutomaticDestinations directory I realized I had no idea what those numbers actually meant. I also figured that it was too time consuming to go online each time I wanted to know what they are. That's when I got the idea to write a python script that would query the directory and then go online and report back what the numbers related to, based on the information provided on forensicswiki.

Jump List Lookup - jl_lookup.py

You can download it on my GitHub

Here is a quick screen shot of my AutomaticDestinations directory.


Here is the output after running the script with its help option. It's pretty simple: you run the command and set -p or --path to the AutomaticDestinations directory you want to scan.


Here is one way you can run it:

In this picture I had opened cmd.exe using my admin account, which is why you're not seeing too much here.


Here is another way:


I decided to mount a drive on SIFT and test it out. It seems to work. This was an HDD image of a machine I was using for malware testing.
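As an added example (not the author's jl_lookup.py), here is a minimal offline version of the same idea: it parses the Jump List file names in an AutomaticDestinations directory, pulls the 16-hex-digit AppId out of each, and resolves it against a local table instead of going online, which suits a mounted image on SIFT with no network. The table entries are constructed placeholders, and the tool also accepts the .customDestinations-ms suffix so the same scan covers the CustomDestinations directory.

```python
# Added example: offline Jump List AppId lookup. Not the author's jl_lookup.py.
# Windows writes Jump Lists as <AppId>.automaticDestinations-ms under
# %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\, AppId = 16 hex digits.
import argparse
import os
import re

# A Jump List file name: 16 hex digits plus one of the two known suffixes.
JUMPLIST_RE = re.compile(
    r"^(?P<appid>[0-9a-f]{16})\.(?P<kind>automatic|custom)Destinations-ms$",
    re.IGNORECASE,
)

# Constructed placeholder table; fill it from a reference list such as forensicswiki.
APPID_TABLE = {
    "0123456789abcdef": "PLACEHOLDER: example application A",
    "fedcba9876543210": "PLACEHOLDER: example application B",
}

def extract_appid(filename):
    """Return (appid, kind) for a Jump List file name, or None if it is not one."""
    m = JUMPLIST_RE.match(filename)
    if not m:
        return None
    return m.group("appid").lower(), m.group("kind").lower()

def lookup_filenames(filenames, table=APPID_TABLE):
    """Map file names to (name, appid, kind, description) rows; non-Jump-List
    entries are skipped, AppIds missing from the table are kept as 'unknown'."""
    rows = []
    for name in filenames:
        parsed = extract_appid(name)
        if parsed is None:
            continue
        appid, kind = parsed
        rows.append((name, appid, kind, table.get(appid, "unknown")))
    return rows

def scan_directory(path, table=APPID_TABLE):
    """Run the lookup over every entry in a directory (e.g. on a mounted image)."""
    return lookup_filenames(sorted(os.listdir(path)), table)

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Offline Jump List AppId lookup")
    ap.add_argument("-p", "--path", required=True, help="AutomaticDestinations directory")
    for name, appid, kind, desc in scan_directory(ap.parse_args().path):
        print(f"{appid}  {kind:<9}  {desc}  ({name})")
```

Unknown AppIds are deliberately reported rather than dropped, since an identifier that is not on any reference list is exactly the one worth checking on an examined host.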


So yeah, there you have it. It was a great learning exercise. Like I mentioned above, you might not get much use out of it, but maybe you can reuse some of the code for something else. It wasn't my intention to create something wonderful. I'm simply using forensics to keep me motivated to learn python. This was just something I randomly thought about doing. I learned a lot too.
