
OLE Plugin

Open randomaccess3 opened this issue 1 year ago • 4 comments

Would be great to have an OLE plugin to use to parse Jumplists and other OLE containers directly.

This is probably already here somewhere because there's the olevba plugin; it would just allow us to parse the file structure directly.

randomaccess3 avatar Aug 18 '23 03:08 randomaccess3

I'd like to support this idea too. As much as we can query the data from a VR > KAPE > PLASO > Timesketch workflow, it would be great to do this at scale, live, just as we can do with Shellbags.

mtreanor-r7 avatar Aug 18 '23 04:08 mtreanor-r7

I'm actually pretty sure we can do this right now with the Shellbag parser. The jumplist files appear to just contain shellbags, so we can just parse those out in VQL.

scudette avatar Aug 18 '23 05:08 scudette

You open the automaticDestinations file as an OLE container, find the DestList, parse each record in the DestList, and look up the requisite LNK file in the OLE container. So you need to write a DestList parser, and then combine that with your LNK file parser.

Wouldn't want to brute force this when there's a completely valid way of doing it by parsing the structures properly.

randomaccess3 avatar Aug 18 '23 05:08 randomaccess3
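The procedure in the comment above (parse the DestList stream, then join each record to its LNK stream), as an added example that is not part of this thread, of Velociraptor, or of its Windows.Forensics.JumpLists artifact. It is written in Python rather than VQL so that it runs stand-alone. The field offsets follow the DestList layout described in the binaryforay post linked below (version 1 for Windows 7/8, versions 3 and 4 for Windows 10, where each entry is a fixed-size header, a UTF-16LE path and, from version 3 on, four bytes of padding). The example does not open a real OLE compound file: a plain dict stands in for the container's named streams, and the DestList bytes and the LNK blobs are constructed inline. On a real `*.automaticDestinations-ms` file from `%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\` you would fill that dict from an OLE reader such as `olefile` (`OleFileIO(path).openstream(name).read()`, one entry per stream), which is an assumption about tooling, not something the thread prescribes.

```python
"""Parse a Jump List DestList stream and join its records to LNK streams.

Offsets are my reading of the DestList format from the binaryforay post
referenced in the thread; all sample bytes below are constructed for this
example and do not come from a real AutomaticDestinations file.
"""
import struct
from datetime import datetime, timedelta, timezone

# ShellLink header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Bytes of each entry before the UTF-16LE path (the last 2 are the path length
# in characters), and the padding that follows the path, per DestList version.
ENTRY_FIXED_LEN = {1: 114, 3: 130, 4: 130}
ENTRY_TAIL_PAD = {1: 0, 3: 4, 4: 4}


def filetime_to_datetime(ft):
    """Windows FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_destlist(data):
    """Return {'version', 'pinned_count', 'entries'} for a raw DestList stream."""
    version, n_entries, n_pinned = struct.unpack_from("<III", data, 0)
    if version not in ENTRY_FIXED_LEN:
        raise ValueError("unsupported DestList version %d" % version)
    fixed, pad = ENTRY_FIXED_LEN[version], ENTRY_TAIL_PAD[version]
    entries = []
    off = 32  # the DestList header is 32 bytes
    while off + fixed <= len(data):
        # Entry fields shared by all versions: hostname @72, entry number @88,
        # last-modified FILETIME @100, pin status @108 (-1 means not pinned).
        hostname = data[off + 72:off + 88].split(b"\x00", 1)[0].decode("ascii", "replace")
        entry_number = struct.unpack_from("<I", data, off + 88)[0]
        mtime = struct.unpack_from("<Q", data, off + 100)[0]
        pin_status = struct.unpack_from("<i", data, off + 108)[0]
        path_chars = struct.unpack_from("<H", data, off + fixed - 2)[0]
        path_start = off + fixed
        path_end = path_start + 2 * path_chars
        if path_end > len(data):
            raise ValueError("truncated DestList entry at offset %d" % off)
        entries.append({
            "entry_number": entry_number,
            # The LNK stream is named by the entry number in lowercase hex.
            "stream_name": format(entry_number, "x"),
            "hostname": hostname,
            "path": data[path_start:path_end].decode("utf-16-le"),
            "last_modified": filetime_to_datetime(mtime),
            "pinned": pin_status != -1,
        })
        off = path_end + pad
    if len(entries) != n_entries:
        raise ValueError("header claims %d entries, parsed %d" % (n_entries, len(entries)))
    return {"version": version, "pinned_count": n_pinned, "entries": entries}


def join_lnk_streams(destlist, streams):
    """Attach each DestList record to the OLE stream it names.

    `streams` maps stream name -> raw bytes (what an OLE reader would return).
    A record whose stream is missing, or whose stream lacks the ShellLink
    header, is flagged rather than dropped, because both are worth reporting.
    """
    joined = []
    for entry in destlist["entries"]:
        blob = streams.get(entry["stream_name"])
        joined.append(dict(entry,
                           lnk_present=blob is not None,
                           lnk_valid=blob is not None and blob.startswith(LNK_MAGIC)))
    return joined


# ---- constructed sample data (not from a real artifact) --------------------

def _build_entry(version, entry_number, hostname, path, mtime_ft, pin_status):
    fixed = bytearray(ENTRY_FIXED_LEN[version])
    struct.pack_into("<16s", fixed, 72, hostname.encode("ascii"))  # null padded
    struct.pack_into("<I", fixed, 88, entry_number)
    struct.pack_into("<Q", fixed, 100, mtime_ft)
    struct.pack_into("<i", fixed, 108, pin_status)
    struct.pack_into("<H", fixed, ENTRY_FIXED_LEN[version] - 2, len(path))
    return bytes(fixed) + path.encode("utf-16-le") + b"\x00" * ENTRY_TAIL_PAD[version]


def build_sample_destlist(version=4):
    """Three records: entries 1, 10 and 11 (streams '1', 'a', 'b'), one pinned."""
    mtime = 132_000_000_000_000_000  # FILETIME in April 2019
    header = struct.pack("<IIIfIIII", version, 3, 1, 0.0, 11, 0, 3, 0)
    return header + b"".join([
        _build_entry(version, 1, "WKSTN01", r"C:\Users\analyst\Documents\report.docx", mtime, -1),
        _build_entry(version, 10, "WKSTN01", r"\\fileserver\share\payroll.xlsx", mtime, 0),
        _build_entry(version, 11, "WKSTN01", r"C:\Temp\installer.exe", mtime, -1),
    ])


# Stand-in for the OLE container: stream '1' is a well-formed LNK header,
# stream 'a' exists but is not a ShellLink, stream 'b' is missing entirely.
SAMPLE_STREAMS = {"1": LNK_MAGIC + b"\x00" * 56, "a": b"not a shell link"}

if __name__ == "__main__":
    for rec in join_lnk_streams(parse_destlist(build_sample_destlist()), SAMPLE_STREAMS):
        print(rec["stream_name"], rec["pinned"], rec["lnk_present"], rec["lnk_valid"], rec["path"])
```

The two checks at the end of `parse_destlist` and in `join_lnk_streams` are the practical payoff of parsing the structures instead of carving: an entry count that disagrees with the header, or a DestList record whose LNK stream is absent or malformed, is exactly the kind of inconsistency a carving approach would silently paper over.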

Definition and example: https://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html

mgreen27 avatar Aug 18 '23 05:08 mgreen27

This is now implemented in 0.72.4: https://docs.velociraptor.app/artifact_references/pages/windows.forensics.jumplists/

scudette avatar Jul 15 '24 07:07 scudette