臺灣博碩士論文加值系統

摘要
本研究是為Windows 10使用者開發一個使用行為監控系統。JumpListM監控器是第一個應用跳轉列表(Jump Lists)的記錄來監控電腦使用行為的監控系統。它是依據跳轉列表而進行回應，該列表保有最近存取檔案和目錄、及按照應用軟體而分類的跳轉列表。由於跳轉列表中包含大量記錄，因此本文將記錄這些資料以監控使用行為，並呈現可視覺化的結果。
自從跳轉列表在Windows 7中首次亮相以來，其結構已經在各數位鑑識界得到廣泛的討論。雖然Windows 7和8已有相關成功解析的工具，但在Windows 10中，以上工具均無法正常運作，原因是Windows 10跳轉列表結構已改版，因此，設計Windows 10跳轉列表的分析工具是一項挑戰。
最後，本文 JumpListＭ 跳轉列表監控器是由 Python 3.5 作為GUI工具的實現，它可監控各類型的應用軟體及使用者各別在電腦上執行每個應用軟體的時間。所以，依據這些資訊，使用者的行為可以被監控，以符合企業組織資訊安全管理規範。
關鍵詞：跳轉列表、數位鑑識、Windows 10、監控工具。

Abstract
This thesis is to develop a behavior monitor system for the users of Windows 10. The monitor system, named JumpListM monitor, is the first one which applies the records of the Jump Lists to monitor the behavior of computer users. The system is replying on the Jump Lists which keep the records of recently accessed files and directories as well as group them as per application basis. Owing to the Jump Lists including a lot of records, in this thesis, the records will be rendered to monitor the behavior and display the results of visualization.
Jump Lists have drawn much attention in the field of digital forensics since they were firstly introduced in the release of Windows 7. Although there have been many tools developed for running in Windows 7 and 8 for the analysis of Jump Lists, those cannot be run in Windows 10. The reason is that Jump Lists of Windows 10 are different from those of the previous version of Windows. Therefore, it is a challenge to design an analysis tool of Windows 10 Jump Lists.
The JumpListM monitor is implemented as a GUI tool by Python 3.5. It can monitor what kinds of software and what time a user respectively run every software in a computer. According to the information, Users’ behavior can be monitored.
Key Words: Jump Lists、Digital Forensics、Windows 10、Monitor tool。

目錄
誌謝 ii
摘要 iii
目錄 vi
表目錄 viii
圖目錄 ix
1. 緒論 1
1.1. 研究動機 1
1.2. 研究目的 2
2. 文獻探討 3
2.1. 跳轉列表(Jump Lists)結構 5
2.2. 最新監控軟體概況 15
3. 研究方法 19
3.1. 監控系統JumpListＭ（跳轉列表監控器）系統架構 23
3.2. 使用者應用程式APP查詢設計 26
3.3. 視覺化監控異常使用查詢設計 27
4. 系統實驗測試與行為分析比較 28
4.1. 實驗一：新增檔案 30
4.2. 實驗二：開啟、修改、儲存、關閉檔案 34
4.3. 實驗三：複製檔案（僅作複製copy、貼上past後續無開檔） 37
4.4. 實驗四：移動Volume檔案 39
4.5. 實驗五：重新命名rename檔案 43
4.6. 實驗六：刪除檔案 46
4.7. 系統測試結果 47
4.8. JumpListsM 監控結果與其他監控軟體比較 49
5. 結論與未來研究方向 55
5.1. 結論 55
5.2. 未來研究方向 55
參考文獻 57

表目錄
表2.1 應用程式及Windows 10中的AppID 5
表2.2 Windows 10的DestList entry結構表[1] 13
表3.1 Windows 10的DestList entry欄位說明表 20
表3.2 Windows 10的LNK欄位說明表 21
表4.1實驗word使用行為與jumplists結果變化表 47
表4.2 JumpListsM 使用APP時間順序表 50
表4.3 常見員工監控系統比較表 54

圖目錄
圖2.1 automatic檔案示意圖 4
圖2.2 Location of automaticDestinations-ms files in Windows 10.[1] 4
圖2.3 DestList header structure in Windows 10.[1] 6
圖2.4 DestList header structure in Windows 10.[1][11] 7
圖2.5 DestList Entry structure in Windows 10.[1] 8
圖2.6 DestList Entry structure in Windows 10. [1][4][11]。 8
圖2.7 使用者鎖定（pins）固定記事本一檔案項目 10
圖3.1 LNK資料流解析欄位名稱 20
圖3.2 DestList資料流解析欄位名稱 21
圖3.3 執行Monitor功能 22
圖3.4 Monitor parser結果 22
圖3.5 JumpListM tool schematic diagram 23
圖3.6 Information Center diagram 25
圖3.7 跳轉列表中Windows Explorer、Quick Access等APP 26
圖4.1 Wing Personal 6.0開發使用介面 28
圖4.2 跳轉列表解析結果圖 29
圖4.3 實驗新增Microsoft word文件 30
圖4.4 實驗新增nana-M-ins檔案名稱 31
圖4.5 實驗新增檔案-JumpListM-Monitor功能 31
圖4.6 實驗新增檔案JumpListM解析結果 31
圖4.7 實驗新增檔案JumpListM解析結果 32
圖4.8 實驗一新增檔案JumpListM解析結果 33
圖4.9 實驗二編輯nana-M-ins Word檔案內容 35
圖4.10 實驗二開啟、修改、儲存、關閉檔案 36
圖4.11 實驗三複製貼上檔案 38
圖4.12 實驗三複製貼上檔案-後續無開檔 38
圖4.13 實驗四移動檔案-操作模式A剪下貼上 39
圖4.14 實驗四移動檔案-操作模式A剪下貼上-新路徑 39
圖4.15 實驗四移動檔案-A-跳轉列表 40
圖4.16 實驗四移動檔案-操作模式B拖曳檔案至usb行動硬碟 41
圖4.17 實驗四移動檔案-操作模式B拖曳檔案入usb行動硬碟D:\路徑下 41
圖4.18 實驗四移動檔案-B-跳轉列表01 42
圖4.19 實驗四移動檔案-B-跳轉列表02 42
圖4.20 實驗四移動檔案-B-跳轉列表03 43
圖4.21 實驗五重新命名rename檔案 44
圖4.22 實驗五重新命名rename檔案-開啟檔案 44
圖4.23 實驗五重新命名rename檔案-JumpListM解析 45
圖4.24 實驗六刪除檔案 46
圖4.25 實驗六刪除檔案-JumpListM解析 46
圖4.26 JumpListsM 監控結果視覺化示意圖 52

參考文獻
[1]Bhupendra Singh, Upasna Singh , "A forensic insight into Windows 10 Jump Lists" Digital Investigation, Vol.17, pp. 1-13, 2016.
[2]http://www.forensicswiki.org/wiki/Jump_Lists [accessed 18.May.2018].
[3]Larson T. Forensic examination of windows 7 jump lists. 2011. http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public [accessed 18.May.2018].
[4]Lyness R. Forensic analysis of windows 7 jump lists. 2012. http://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/ [accessed 18.May.2018].
[5]http://forensicswiki.org/wiki/OLE_Compound_File [accessed 18.May.2018].
[6]MSDN. [ms-cfb]: compound file binary file format. 2018. https://msdn.microsoft.com/en-us/library/dd942138.aspx [accessed 18. May.2018].
[7]MSDN. [ms-shllink]: shell link (.lnk) binary file format. 2017. https://msdn.microsoft.com/enus/library/dd871305.aspx [accessed 18. May.2018].
[8]NirSoft. Jumplistsview. 2018. http://www.nirsoft.net/utils/jump_lists_view.html [accessed 18.May.2018].
[9]Parsonage H. The meaning of linkfiles in forensic examinations 2010 http://computerforensics.parsonage.co.uk/linkfiles/linkfiles.htm [accessed 18.May.2018].
[10]Ghafarian, Ahmad, "Investigating Forensics Values of Windows Jump Lists Data" (2015). Annual ADFSL Conference on Digital Forensics, Security and Law. 3.
[11]Lallie, Harjinder S. and Bains, Parmjit S. , "An Overview of the Jumplist Configuration File in Windows 7" Journal of Digital Forensics, Security and Law, Vol. 7, No. 1, Article 2, 2012.
[12]MiTec. Structured storage viewer. 2010. http://www.mitec.cz/ssv.html[accessed 18.May.2018].
[13]TZWorks. Windows jump list parser (jmp). https://tzworks.net/prototype_page.php?proto_id=20;%202013 [accessed 18.May.2018].
[14]Woan M. Jumplister. 2013. http://www.woanware.co.uk/forensics/jumplister.html [accessed 18.May.2018].
[15]Chris Antonovich, "Jump List Forensics" LCDI Report,Burlington, VT, U.S.A, pp. l-18, 2014.
[16]Eric Zimmerman 2016, Jump lists in depth (includes changes from Windows 10), https://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html [accessed 18.May.2018].
[17]Harlan 2011 http://windowsir.blogspot.com/2011/12/jump-list-analysis.html [accessed 18.May.2018].
[18]Bhupendra Singh, Upasna Singh , "A forensic insight into Windows 10 Cortana search" Computers & Security, Vol.66, pp. 142-154, 2017.
[19]Gavin R.2016 https://blogs.windows.com/windowsexperience/2016/04/28/ Delivering personalized search experiences in Windows 10 through Cortana.[accessed 18.May 2018].
[20]https://www.fonemonitor.com/phone-monitor/top-open-source-employee-monitoring-software.html[accessed 18.May 2018].
[21]Albert J. Marcella, Jr., Frederic Guillossou, Cyber Forensics: From Data to Digital Evidence , New Jersey, John Wiley & Sons, pp. 241-245, 2012.
[22]https://www.spyzie.com/employee-tracking/top-open-source-employee-monitoring-software.html [accessed 18.May 2018].
[23]https://activtrak.com/[accessed 18.May 2018].
[24]https://www.teramind.co/[accessed 18.May 2018].
[25]https://www.vericlock.com/[accessed 18.May 2018].
[26]https://interguardsoftware.com/[accessed 18.May 2018].
[27]https://www.qustodio.com/en/[accessed 18.May 2018].
[28]https://www.veriato.com/[accessed 18.May 2018].
[29]https://www.timedoctor.com/[accessed 18.May 2018].
[30]https://www.fonemonitor.com/[accessed 18.May 2018].
[31]https://sonigasoftware.com/[accessed 18.May 2018].
[32]https://www.ckzinc.com/[accessed 18.May 2018].
[33]https://www.isafesoft.com/[accessed 18.May 2018].
[34]https://www.screenshotmonitor.com/[accessed 18.May 2018].
[35]https://clockit.io[accessed 18.May 2018].