dissect.target.plugins.os.windows.jumplist

Module Contents

Classes

JumpListFile

AutomaticDestinationFile

Parse Jump List AutomaticDestination file.

CustomDestinationFile

Parse Jump List CustomDestination file.

JumpListPlugin

Jump List is a Windows feature introduced in Windows 7.

Attributes

dissect.target.plugins.os.windows.jumplist.log
dissect.target.plugins.os.windows.jumplist.LNK_GUID = b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F'
dissect.target.plugins.os.windows.jumplist.JumpListRecord
dissect.target.plugins.os.windows.jumplist.custom_destination_def = Multiline-String
Show Value
"""
struct header {
    int version;
    int unknown1;
    int unknown2;
    int value_type;
}

struct header_end {
    int number_of_entries;
}

struct header_end_0 {
    uint16  name_length;
    wchar   name[name_length];
    int     number_of_entries;
}

struct footer {
    char magic[4];
}
"""
dissect.target.plugins.os.windows.jumplist.c_custom_destination
class dissect.target.plugins.os.windows.jumplist.JumpListFile(fh: BinaryIO, file_name: str)
fh
file_name
application_type
application_name
abstract __iter__() Iterator[dissect.shellitem.lnk.Lnk]
property name: str

Return the name of the application.

property id: str

Return the application identifier.

property type: str

Return the type of the Jump List file.

class dissect.target.plugins.os.windows.jumplist.AutomaticDestinationFile(fh: BinaryIO, file_name: str)

Bases: JumpListFile

Parse Jump List AutomaticDestination file.

ole
__iter__() Iterator[dissect.shellitem.lnk.Lnk]
class dissect.target.plugins.os.windows.jumplist.CustomDestinationFile(fh: BinaryIO, file_name: str)

Bases: JumpListFile

Parse Jump List CustomDestination file.

VERSIONS = [2]
footer
magic
header
version
__iter__() Iterator[dissect.shellitem.lnk.Lnk]
class dissect.target.plugins.os.windows.jumplist.JumpListPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Jump List is a Windows feature introduced in Windows 7.

It stores information about recently accessed applications and files.

References

__namespace__ = 'jumplist'

Defines the plugin namespace.

automatic_destinations = []
custom_destinations = []
check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

custom_destination() Iterator[JumpListRecord]

Return the content of CustomDestination Windows Jump Lists.

These are created when a user pins an application or a file in a Jump List.

Yields JumpListRecord with fields:

type (string): Type of Jump List.
application_id (string): ID of the application.
application_name (string): Name of the application.
lnk_path (path): Path of the link (.lnk) file.
lnk_name (string): Name of the link (.lnk) file.
lnk_mtime (datetime): Modification time of the link (.lnk) file.
lnk_atime (datetime): Access time of the link (.lnk) file.
lnk_ctime (datetime): Creation time of the link (.lnk) file.
lnk_relativepath (path): Relative path of target file to the link (.lnk) file.
lnk_workdir (path): Path of the working directory the link (.lnk) file will execute from.
lnk_iconlocation (path): Path of the display icon used for the link (.lnk) file.
lnk_arguments (string): Command-line arguments passed to the target (linked) file.
local_base_path (string): Absolute path of the target (linked) file.
common_path_suffix (string): Suffix of the local_base_path.
lnk_full_path (string): Full path of the linked file. Made from local_base_path and common_path_suffix.
lnk_net_name (string): Specifies a server share path; for example, "\\server\share".
lnk_device_name (string): Specifies a device; for example, the drive letter "D:"
machine_id (string): The NetBIOS name of the machine where the linked file was last known to reside.
target_mtime (datetime): Modification time of the target (linked) file.
target_atime (datetime): Access time of the target (linked) file.
target_ctime (datetime): Creation time of the target (linked) file.
automatic_destination() Iterator[JumpListRecord]

Return the content of AutomaticDestination Windows Jump Lists.

These are created automatically when a user opens an application or file.

Yields JumpListRecord with fields:

type (string): Type of Jump List.
application_id (string): ID of the application.
application_name (string): Name of the application.
lnk_path (path): Path of the link (.lnk) file.
lnk_name (string): Name of the link (.lnk) file.
lnk_mtime (datetime): Modification time of the link (.lnk) file.
lnk_atime (datetime): Access time of the link (.lnk) file.
lnk_ctime (datetime): Creation time of the link (.lnk) file.
lnk_relativepath (path): Relative path of target file to the link (.lnk) file.
lnk_workdir (path): Path of the working directory the link (.lnk) file will execute from.
lnk_iconlocation (path): Path of the display icon used for the link (.lnk) file.
lnk_arguments (string): Command-line arguments passed to the target (linked) file.
local_base_path (string): Absolute path of the target (linked) file.
common_path_suffix (string): Suffix of the local_base_path.
lnk_full_path (string): Full path of the linked file. Made from local_base_path and common_path_suffix.
lnk_net_name (string): Specifies a server share path; for example, "\\server\share".
lnk_device_name (string): Specifies a device; for example, the drive letter "D:"
machine_id (string): The NetBIOS name of the machine where the linked file was last known to reside.
target_mtime (datetime): Modification time of the target (linked) file.
target_atime (datetime): Access time of the target (linked) file.
target_ctime (datetime): Creation time of the target (linked) file.