OLE Plugin

[randomaccess3]

Would be great to have an OLE plugin to use to parse Jumplists and other OLE containers directly.

This is probably already here somewhere because there's the olevba plugin, would just allow us to parse the file structure directly.

[mtreanor-r7]

I'd like to support this idea too, as much as we can query the data from a VR > KAPE > PLASO > Timesketch workflow it would be great to do this at scale live just as we can do with Shellbags

[scudette]

I'm actually pretty sure we can do this right now with the Shellbag parser. The jumplist files appear to just contain shellbags so we can just parse those out in vql

[randomaccess3]

You open the automaticdestination file as an OLE Container, find the Destlist, parse each record in the destlist, and lookup the requisite LNK file in the OLE container. So you need to write a destlist parser, and then combine that with your LNK file parser.

Wouldn't want to brute force this when there's a completely valid way of doing it by parsing the structures properly.

[mgreen27]

definition and example: https://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html

[scudette]

This is now implemented in 0.72.4 https://docs.velociraptor.app/artifact_references/pages/windows.forensics.jumplists/