
Jump List Forensics

Jump Lists are Windows artifacts that track recently or frequently accessed files and applications.

Two types:

  1. Automatic: Generated by Windows for supported apps (e.g., Notepad, MS Word).

  2. Custom: Created by applications to define recent/frequent items.

Common locations:

  • Automatic: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\

  • Custom: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\

Forensic Significance

  • Provide a timeline of file and application usage.

  • Contain metadata such as:

    • Application name.

    • File access timestamps.

    • File paths (local and remote).

Forensic Value of Jump Lists

  • Check Tasks: Details about tasks performed by the application.

  • Links to Recent Files: Access to files that were recently opened by the application.

  • Frequently Used Files: Insight into files that are accessed frequently.

  • Links to Pinned Files: Information about files that the user has pinned for easy access.

  • Help in Building a Timeline: Data that helps reconstruct the sequence of user actions and activities.
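The metadata above is recoverable without a GUI tool. As an added example (not code from the original page), the Python below carves the 76-byte Shell Link (LNK) headers out of a CustomDestinations jump list and decodes the timestamps, target size and attributes from each one. It assumes the MS-SHLLINK header layout and the Shell Link CLSID `{00021401-0000-0000-C000-000000000046}`; the sample bytes are constructed inline. AutomaticDestinations files are OLE compound files whose DestList stream needs an OLE parser, so this carver is only meant for the custom variant.

```python
"""Carve ShellLinkHeader structures from a CustomDestinations jump list blob.

CustomDestinations-ms files are essentially LNK structures concatenated with
application bookkeeping, so scanning for the 20-byte header signature
(HeaderSize 0x4C followed by the Shell Link CLSID) finds each embedded entry.
The sample blob below is constructed for this example, not real evidence.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian GUID) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_SIGNATURE = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
# MS-SHLLINK ShellLinkHeader: size, CLSID, LinkFlags, FileAttributes,
# CreationTime, AccessTime, WriteTime, FileSize, IconIndex, ShowCommand,
# HotKey, Reserved1, Reserved2, Reserved3 (76 bytes total)
HEADER_FMT = "<I16sIIQQQIIIHHII"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_ATTRIBUTE_DIRECTORY = 0x10


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    if ft == 0:
        return None  # MS-SHLLINK: zero means "no time set"
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the sample blob."""
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def carve_lnk_headers(blob: bytes) -> list:
    """Return one record per ShellLinkHeader whose signature appears in blob."""
    records = []
    pos = blob.find(LNK_SIGNATURE)
    while pos != -1 and pos + HEADER_SIZE <= len(blob):
        fields = struct.unpack_from(HEADER_FMT, blob, pos)
        _, _, link_flags, file_attrs, ctime, atime, wtime, file_size = fields[:8]
        records.append({
            "offset": pos,
            "created": filetime_to_datetime(ctime),
            "accessed": filetime_to_datetime(atime),
            "modified": filetime_to_datetime(wtime),
            "target_size": file_size,
            "target_is_directory": bool(file_attrs & FILE_ATTRIBUTE_DIRECTORY),
            "link_flags": link_flags,
        })
        pos = blob.find(LNK_SIGNATURE, pos + HEADER_SIZE)
    return records


def build_header(created, accessed, modified, size, attrs=0x20, flags=0x80) -> bytes:
    """Build a bare ShellLinkHeader for the constructed sample (IsUnicode flag set)."""
    return struct.pack(
        HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags, attrs,
        datetime_to_filetime(created), datetime_to_filetime(accessed),
        datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0,
    )


# Constructed sample: bookkeeping bytes, a document entry, junk string data,
# then a directory entry. No real jump list was used to produce this.
_UTC = timezone.utc
SAMPLE = (
    b"\x00" * 16
    + build_header(datetime(2024, 1, 10, 8, 0, tzinfo=_UTC),
                   datetime(2024, 1, 15, 9, 30, tzinfo=_UTC),
                   datetime(2024, 1, 15, 9, 30, tzinfo=_UTC), size=2048)
    + b"fake-stringdata\x00" * 3
    + build_header(datetime(2023, 12, 1, 0, 0, tzinfo=_UTC),
                   datetime(2024, 2, 2, 17, 45, tzinfo=_UTC),
                   datetime(2024, 2, 2, 17, 45, tzinfo=_UTC), size=0,
                   attrs=FILE_ATTRIBUTE_DIRECTORY)
    + b"\x00" * 8
)


def summarize(blob: bytes = SAMPLE) -> list:
    """(offset, modified ISO time, size, is_directory) per carved header."""
    return [
        (r["offset"], r["modified"].isoformat() if r["modified"] else None,
         r["target_size"], r["target_is_directory"])
        for r in carve_lnk_headers(blob)
    ]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Run it against a real `*.customDestinations-ms` by reading the file into `blob`; the carver reports header offsets so each hit can be cross-checked in a hex viewer, and zeroed timestamps come back as `None` rather than as a misleading 1601 date. The string data (target path, arguments) that follows each header is not decoded here, so pair this with JLECmd or JumpList Explorer for full path recovery.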

Tools for Investigation

  • JumpList Explorer: Specialized tool for parsing Jump Lists.

  • Eric Zimmerman's JLECmd: Command-line tool to parse both automatic and custom Jump Lists.

  • Autopsy or FTK Imager: For acquiring and viewing Jump Lists.

Here I used JumpList Explorer, and look what I got:
