File Access Analysis via Jumplists

Unlocking the Power of Jumplists in Windows Forensics

This page covers Jumplists, a vital Windows artifact that sheds light on user activities such as recently accessed files, associated applications, and precise timestamps. This is particularly significant in USB forensics, as Jumplists can reveal files accessed from external drives, even if those drives are no longer connected.


What Are Jumplists?

Introduced in Windows 7 and continuing through to Windows 11, Jumplists are designed to give users quick access to:

  • Recently accessed files

  • Common application tasks

Jumplists retain records even after the original files or applications are deleted, making them an invaluable source of evidence in forensic investigations.


Types of Jumplists

1. Automatic Destinations

Automatically stores information about recently accessed files.

Location: %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

2. Custom Destinations

Stores recent files or custom tasks specifically defined by the application.

Location: %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations


Analyzing Jumplists with JumpList Explorer

To analyze Jumplists, we will use JumpList Explorer by Eric Zimmerman, a powerful tool designed for parsing and analyzing Jumplist data. It is available as a free download.

Steps for Analysis:

  1. Open JumpList Explorer

    • Run the tool as Administrator.

  2. Load Automatic Destination Files

    • Navigate to the AutomaticDestinations folder.

    • Select the Jumplist files and click Open.

  3. Load Custom Destination Files

    • Repeat the process for CustomDestinations.

    • Note: Some files may be empty; this is expected behavior.

  4. Explore Loaded Jumplists

    • The tool will display a list of applications with corresponding Jumplist files.

    • Select an application (e.g., Notepad) to view files accessed through it.


USB Analysis

In this investigation, Drive E: was identified as a USB device. Using Notepad's Jumplist, we uncovered a critical file:

File: Dumped_Passwords.txt

Path: E:\Secret_Project_LD\Dumped_Passwords.txt

Key Insights:

  • File Path: The file was accessed from E:\Secret_Project_LD.

  • Timestamp: The exact date and time of access are recorded.

Detailed View:

By selecting the file entry in JumpList Explorer, we can extract critical details:

  • Local Path: Full file path.

  • Timestamp: Accessed date and time.
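
As a quick triage before loading files into JumpList Explorer, the script below inventories both Jumplist folders, flags empty files, checks the compound-file header on AutomaticDestinations files, and lists drive-letter paths that are not on the system drive. It is an added example, not part of JumpList Explorer or the original page; the function names, the AppID placeholders and the sample bytes are constructed. The raw string scan is a heuristic that assumes paths sit contiguously as UTF-16LE or ASCII text, so any hit should be confirmed in the parsed view.

```python
import re, tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file header of automaticDestinations-ms
# Heuristic: drive-letter paths stored as UTF-16LE or ASCII strings in the raw bytes
U16_PATH = re.compile(rb"[A-Za-z]\x00:\x00\\\x00(?:[\x20-\x7e]\x00){3,}")
ASCII_PATH = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{3,}")

def scan_paths(data):
    """Return printable drive-letter paths found in raw Jumplist bytes."""
    hits = {m.group().decode("utf-16-le") for m in U16_PATH.finditer(data)}
    hits |= {m.group().decode("ascii") for m in ASCII_PATH.finditer(data)}
    return sorted(hits)

def triage(recent_dir, system_drive="C"):
    """Inventory both Jumplist folders under a profile's Recent directory."""
    rows = []
    for sub, kind in (("AutomaticDestinations", "automatic"), ("CustomDestinations", "custom")):
        folder = Path(recent_dir) / sub
        for f in (sorted(folder.glob("*Destinations-ms")) if folder.is_dir() else []):
            data = f.read_bytes()
            rows.append({
                "app_id": f.stem,    # file name is <AppID>.<type>Destinations-ms
                "type": kind,
                "empty": not data,   # empty files are expected, not corruption
                "ole_header": data.startswith(OLE_MAGIC) if kind == "automatic" else None,
                "external_paths": [p for p in scan_paths(data)
                                   if p[0].upper() != system_drive.upper()],
            })
    return rows

def build_sample(root):
    """Constructed sample: placeholder AppIDs and bytes, not a real Jumplist."""
    auto = Path(root) / "AutomaticDestinations"
    cust = Path(root) / "CustomDestinations"
    auto.mkdir(parents=True)
    cust.mkdir(parents=True)
    body = (r"E:\Secret_Project_LD\Dumped_Passwords.txt".encode("utf-16-le") + b"\x00\x00"
            + rb"C:\Users\analyst\notes.txt" + b"\x00")
    (auto / "0123456789abcdef.automaticDestinations-ms").write_bytes(OLE_MAGIC + body)
    (cust / "fedcba9876543210.customDestinations-ms").write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in triage(build_sample(tmp)):
            print(row)
```

Run it against a copy of the Recent folder taken from an image or triage collection rather than the live profile, so the evidence files are not touched.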


Key Points

Jumplists offer a treasure trove of forensic evidence, allowing analysts to:

  • Reconstruct user activities.

  • Identify accessed files, including those from external devices.

  • Establish detailed timelines of file access.
