Hello trid users,
some days ago i run Sequoia on my disks to find files not known by
that program. I found many file with name extension
"automaticdestinations-ms". When i run TrID on these examples some are
not identified by automaticDestinations-ms.trid.xml as "Windows 7 Jump
List" ( See appended output/trid-old.txt)
So i run tridscan to refine the trid definition file. What has
changed? The UTF string DestList appear also at other offset than
1280. So the corresponding XML construct vanish:
<Bytes>44006500730074004C006900730074</Bytes>
<ASCII> D . e . s . t . L . i . s . t</ASCII>
<Pos>1280</Pos>
When i run the file command with -i option it reports
"application/CDFV2" for mime type ( See appended
output/file-i.txt). So express this now by additional line:
<Mime>application/CDFV2</Mime>
As reference URL a sub page from Microsoft's Windows 7 was used. But
Microsoft say good by to Windows 7. So the used link now redirect to a
page with a request to upgrade to Windows 10. So i look for another
one. Unfortunately there seems to do not exist an official page about
jump list on Microsoft web servers. So I look for another reliable
reference. So i finally used this one:
<RefURL>
https://www.forensicswiki.org/wiki/Jump_Lists</RefURL>
With new trid definition all inspected Windows Jump list are now
recognized (see appended output/trid-new.txt). TrID definition and
output are stored in archive automaticDestinations-ms.zip. I hope that
the XML file can be used in future version of triddefs
With best wishes
J?rg Jenderek
