Jumplists

Introduction

Jump Lists are critical artifacts in digital forensics, offering a detailed log of recently accessed files, applications, and URLs. Their resilience—remaining on the system even after source files or applications are deleted—makes them indispensable for reconstructing user activity.

Types of Jump Lists

1. Automatic Destinations

  1. Location: C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

  2. Creation: Automatically generated when users open files or applications.

  3. Format: Stored in Compound File Binary (CFB) format, containing:

    • SHLLINK streams: Individual file links.

    • DestList stream: Metadata like timestamps and usage counts.

2. Custom Destinations

  1. Location: C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

  2. Creation: Generated when users pin files or applications to the Taskbar or Start Menu.

  3. Format: Stored in MS-SHLLINK binary format.

Key Forensic Insights from Jump Lists

Jump Lists provide a wealth of forensic data, including:

  1. Recently Accessed Files:

    • Full file paths.

    • Access counts.

    • Last accessed timestamps.

  2. Application Usage:

    • Logs usage of programs like Notepad and Microsoft Word.

  3. Folder Access:

    • Tracks folders accessed via File Explorer.

  4. URLs:

    • Records frequently accessed or pinned URLs.

  5. File Metadata:

    • Captures creation and modification times, aiding in the timeline construction of user interactions.

JumpList Explorer

JumpList Explorer, developed by Eric Zimmerman, simplifies the analysis of Jump Lists with a user-friendly interface.

Steps for Jump List Analysis

1. Acquisition of Jump Lists

Use forensic tools like KAPE to acquire Jump List files from the target system.

2. Loading Files into JumpList Explorer

  • Open JumpList Explorer.

  • Load Automatic Destinations and Custom Destinations files.

3. Example: Analyzing Notepad Activity

  • Navigate to the Notepad Jump List.

  • Extract key details:

    • File Path: Full path of files accessed through Notepad.

    • Access Count: Number of times the file was opened.

    • Timestamps:

      • Last Access Time.

      • File Creation Time.

Use Cases of Jump Lists

  1. File and Folder Access:

    • File Explorer Jump Lists provide insights into folder interactions, akin to Shellbags.

  2. Document Usage:

    • For word processing apps, Jump Lists track:

      • Document names.

      • Access timestamps.

      • Usage frequency.

  3. Web Activity:

    • Browser Jump Lists reveal:

      • Frequently accessed URLs.

      • Pinned websites.

Jump Lists are a powerful forensic resource for investigating user activity on Windows systems. They offer detailed evidence of file, application, and folder usage, enabling analysts to construct a comprehensive timeline of events. By leveraging tools like JumpList Explorer, forensic experts can efficiently extract and interpret data, yielding actionable insights for their investigations.

PreviousSRUM DatabaseNextRecycle Bin Artifacts

Last updated