> For the complete documentation index, see [llms.txt](https://mahmoud-shaker.gitbook.io/dfir-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://mahmoud-shaker.gitbook.io/dfir-notes/jump-list-forensics.md).

# Jump List Forensics

### **Two types:**

1. **Automatic**: Generated by Windows for supported apps (e.g., Notepad, MS Word).
2. **Custom**: Created by applications to define recent/frequent items.

### **Common locations:**

* **Automatic**: `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\`
* **Custom**: `%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\`

### **Forensic Significance**

* Provide a timeline of file and application usage.
* Contain metadata such as:
  * Application name.
  * File access timestamps.
  * File paths (local and remote)

### **Forensic Value of Jump Lists**

* **Check Tasks:** Details about tasks performed by the application.
* **Links to Recent Files:** Access to files that were recently opened by the application.
* **Frequently Used Files:** Insight into files that are accessed frequently.
* **Links to Pinned Files:** Information about files that the user has pinned for easy access.
* **Help in Building a Timeline:** Data that helps reconstruct the sequence of user actions and activities.

### **Tools for Investigation**

* **JumpList Explorer**: Specialized tool for parsing Jump Lists.
* **Eric Zimmerman's JLECmd**: Command-line tool to parse both automatic and custom Jump Lists.
* **Autopsy or FTK Imager**: For acquiring and viewing Jump Lists

Here I used **JumpList Explorer** and look what i got&#x20;

<figure><img src="/files/27YtxQXtzRfrRZiHjEqu" alt=""><figcaption></figcaption></figure>
