Jump List Forensics

jump Lists are Windows artifacts that track recently or frequently accessed files and applications

Two types:

  1. Automatic: Generated by Windows for supported apps (e.g., Notepad, MS Word).

  2. Custom: Created by applications to define recent/frequent items.

Common locations:

  • Automatic: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\

  • Custom: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\

Forensic Significance

  • Provide a timeline of file and application usage.

  • Contain metadata such as:

    • Application name.

    • File access timestamps.

    • File paths (local and remote)

Forensic Value of Jump Lists

  • Check Tasks: Details about tasks performed by the application.

  • Links to Recent Files: Access to files that were recently opened by the application.

  • Frequently Used Files: Insight into files that are accessed frequently.

  • Links to Pinned Files: Information about files that the user has pinned for easy access.

  • Help in Building a Timeline: Data that helps reconstruct the sequence of user actions and activities.

Tools for Investigation

  • JumpList Explorer: Specialized tool for parsing Jump Lists.

  • Eric Zimmerman's JLECmd: Command-line tool to parse both automatic and custom Jump Lists.

  • Autopsy or FTK Imager: For acquiring and viewing Jump Lists

Here I used JumpList Explorer and look what i got

PreviousLNK Files (Shortcut Files) ForensicsNextPrefetch Files Forensics

Last updated