# Jump List Forensics

### **Two types:**

1. **Automatic**: Generated by Windows for supported apps (e.g., Notepad, MS Word).
2. **Custom**: Created by applications to define recent/frequent items.

### **Common locations:**

* **Automatic**: `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\`
* **Custom**: `%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\`
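A quick triage inventory of the two folders above, as an added example that is not part of the original notes. It assumes the usual `<AppID>.automaticDestinations-ms` / `<AppID>.customDestinations-ms` file naming and that automatic Jump Lists are OLE compound files. The function names, sample AppIDs, and sample file contents are constructed for illustration.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header
# MS-SHLLINK header: HeaderSize 0x4C followed by the LinkCLSID
LNK_SIG = bytes.fromhex("4c0000000114020000000000c000000000000046")
NAME_RE = re.compile(r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.I)

def inventory(recent_dir):
    """Return one record per Jump List file found under recent_dir."""
    records = []
    for sub in ("AutomaticDestinations", "CustomDestinations"):
        for path in sorted(Path(recent_dir, sub).glob("*Destinations-ms")):
            m = NAME_RE.match(path.name)
            if not m:
                continue  # not named like a Jump List file
            data = path.read_bytes()
            kind = m.group(2).lower()
            records.append({
                "app_id": m.group(1).lower(),   # maps to an application
                "kind": kind,
                "in_expected_dir": sub.lower().startswith(kind),
                "modified_utc": datetime.fromtimestamp(path.stat().st_mtime, timezone.utc),
                "is_cfb": data.startswith(CFB_MAGIC),  # expected for automatic
                "lnk_headers": data.count(LNK_SIG),    # rough hint for custom files
                "path": path,
            })
    return records

def build_sample(root):
    """Write constructed sample files (made-up AppIDs and contents)."""
    for sub in ("AutomaticDestinations", "CustomDestinations"):
        Path(root, sub).mkdir(parents=True)
    auto, cust = Path(root, "AutomaticDestinations"), Path(root, "CustomDestinations")
    (auto / "0123456789abcdef.automaticDestinations-ms").write_bytes(CFB_MAGIC + b"\x00" * 504)
    (auto / "fedcba9876543210.automaticDestinations-ms").write_bytes(b"not an OLE file")
    (cust / "00112233aabbccdd.customDestinations-ms").write_bytes(
        b"\x02\x00\x00\x00" + (LNK_SIG + b"\x00" * 56) * 2)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for r in inventory(build_sample(tmp)):
            bad = r["kind"] == "automatic" and not r["is_cfb"]
            print(r["kind"], r["app_id"], r["modified_utc"].isoformat(),
                  r["lnk_headers"], "<-- unexpected header" if bad else "")
```

Run it against a copy of the `Recent` folder exported from an image rather than a live profile, so the file timestamps it reports are not altered by the examination.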

### **Forensic Significance**

* Provide a timeline of file and application usage.
* Contain metadata such as:
  * Application name.
  * File access timestamps.
  * File paths (local and remote).

### **Forensic Value of Jump Lists**

* **Check Tasks:** Details about tasks performed by the application.
* **Links to Recent Files:** Access to files that were recently opened by the application.
* **Frequently Used Files:** Insight into files that are accessed frequently.
* **Links to Pinned Files:** Information about files that the user has pinned for easy access.
* **Help in Building a Timeline:** Data that helps reconstruct the sequence of user actions and activities.

### **Tools for Investigation**

* **JumpList Explorer**: Specialized tool for parsing Jump Lists.
* **Eric Zimmerman's JLECmd**: Command-line tool to parse both automatic and custom Jump Lists.
* **Autopsy or FTK Imager**: For acquiring and viewing Jump Lists.

Here I used **JumpList Explorer**, and look what I got:

<figure><img src="/files/27YtxQXtzRfrRZiHjEqu" alt=""><figcaption></figcaption></figure>

