
Mastering JLECmd for Windows Jump List Forensics

Updated: Jan 22

Windows Jump Lists are a goldmine for forensic investigators, offering detailed insights into file access, user activity, and application usage. To efficiently analyze these artifacts, JLECmd, developed by Eric Zimmerman, provides comprehensive parsing of Jump List data, ensuring no valuable evidence is overlooked.

-------------------------------------------------------------------------------------------------------------


📁 Understanding Jump Lists: AutomaticDestinations vs. CustomDestinations


Jump Lists are stored in a user's Recent folder (%APPDATA%\Microsoft\Windows\Recent), but there are two different types, each in its own sub-folder:

| Jump List Type | Location (under ...\Recent) | Metadata Stored | Forensic Value |
|---|---|---|---|
| Automatic | AutomaticDestinations\*.automaticDestinations-ms | DestList stream (MRU order, last-opened timestamps, interaction counts) plus one embedded LNK per target, with file paths | High (detailed tracking) |
| Custom | CustomDestinations\*.customDestinations-ms | Concatenated LNK structures, limited metadata, no DestList | Moderate (useful but lacks MRU order) |

🔹 Automatic Jump Lists are maintained by Windows itself as the user opens items through an application (the Recent and Frequent lists).

🔹 Custom Jump Lists are populated by the application and may store tasks, favorites, pinned items, or recent actions.


Since Automatic Jump Lists contain far more forensic data, they are prioritized in most investigations.

-------------------------------------------------------------------------------------------------------------


🛠 How to Use JLECmd for Jump List Analysis

1️⃣ Parsing a Single Jump List

JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1c7a9be1b15a03ba.automaticDestinations-ms"

🚀 Use Case:

If investigating whether Microsoft Word 2016 opened a sensitive file, JLECmd reveals when the file was last opened through Word (the DestList entry's last-modified time) and the path it was opened from.


2️⃣ Running JLECmd on an Entire User's Recent Folder

-d recurses through the directory you give it, so pointing it at the root of a mounted volume parses the Jump Lists of every user on that volume; point it at a single user's Recent folder to limit the scope. To extract ALL Jump Lists from the image, run:

JLECmd.exe -d G:\C\ --csv "E:\Output for testing\Website investigation" -q --csvf jlcmd.csv

(--csv names the output directory, --csvf the file name inside it, and -q reduces the per-file console output so the export runs faster.)

🚀 Use Case:

In a data theft investigation, sorting by LastModified (last opened) and checking DriveType and Path may uncover unauthorized file access from network shares (UNC paths) or removable USB devices.


-------------------------------------------------------------------------------------------------------------


Single File Output Analysis:

Key Points from JLECmd Output:

  • AppID Identification:

    • The top-left section of the output shows the AppID and its description.

    • If no match is found, it may return Unknown AppID, requiring manual inference.


  • DestList Information (Metadata):

    • Automatic Jump Lists carry a DestList header that declares the expected number of entries, which JLECmd compares with the number of entries it actually parsed.

    • A discrepancy between these values may indicate deleted, corrupted, or otherwise uncorrelated entries.

    • The DestList version changes across Windows versions (version 1 on Windows 7/8, versions 3 and 4 on Windows 10), so forensic tools must be kept current.


  • DestList Entries: Timestamps & Interaction Tracking:

    • The Created time comes from the entry's birth DROID, a version-1 GUID whose embedded timestamp records when the object ID was generated. It should not be read as the file's creation time and is of limited value on its own.

    • The Last modified time is the key timestamp: it records when the entry was last updated, i.e. when the file or URL was last opened through that application. (Very important)

    • Newer (Windows 10) Jump Lists also include an interaction count that records how many times the item was opened.


  • Deep Parsing with JLECmd:

    • By default, JLECmd prints only a summary of each embedded .lnk.

    • Using --fd enables full .lnk details (target timestamps, paths, volume info, extra blocks).

    • The --dumpTo option writes each embedded LNK stream out as an individual .lnk file for analysis with other tools.

Automatic vs. Custom Jump Lists:

  • Automatic Jump Lists contain DestList data, timestamps, and interaction counts.

  • Custom Jump Lists store fewer details and lack DestList information.
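
The DestList structure described above, as an added example that is not part of the original post or of JLECmd: a Python parser for the raw DestList stream of an Automatic Jump List. It handles the Windows 7/8 entry layout (version 1) and the Windows 10 layout (versions 3 and 4), walks the entries in stream order (which is the MRU order), reports the declared-vs-parsed entry count that JLECmd also compares, derives "Created on" and the MAC address from the birth file DROID (a version-1 UUID), reads the interaction count where the layout has one, and stops cleanly on a truncated entry. The input is the DestList stream already extracted from the OLE compound file (e.g. with the olefile package, not shown); the sample streams are constructed by the code's own build_destlist() helper, not captured from a system, and the header float at offset 12 is labelled as a field of unknown meaning.

```python
"""Parse the DestList stream of an *.automaticDestinations-ms Jump List.
Added example, not JLECmd code. Input is the raw DestList stream (extract it
from the OLE compound file first, e.g. with olefile); both the Windows 7/8
layout (version 1) and the Windows 10 layout (versions 3/4) are handled.
The sample streams are constructed by build_destlist(), not captured."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # UUID version-1 clock epoch
HEADER_SIZE = 32
FIXED_V1 = 114  # fixed part of a version-1 entry; UTF-16 path follows
FIXED_V3 = 130  # fixed part of a version-3/4 entry; path + 4 pad bytes follow
US = timedelta(microseconds=1)


def filetime_to_dt(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def droid_created_on(raw16):
    """Birth file DROID is a version-1 UUID: its clock field is when the object
    ID was generated (JLECmd's 'Created on'), not the NTFS creation time of the
    file; its node field is the MAC address of the generating host."""
    u = uuid.UUID(bytes_le=raw16)
    if u.version != 1:
        return None, None
    mac = "%012X" % u.node
    return (UUID_EPOCH + timedelta(microseconds=u.time // 10),
            ":".join(mac[i:i + 2] for i in range(0, 12, 2)))


def parse_destlist(data):
    """Header fields, entries in stream (MRU) order, and whether the declared
    entry count disagrees with what could actually be parsed."""
    if len(data) < HEADER_SIZE:
        raise ValueError("DestList shorter than its 32-byte header")
    version, declared, pinned = struct.unpack_from("<III", data, 0)
    if version not in (1, 3, 4):
        raise ValueError("unsupported DestList version %d" % version)
    fixed = FIXED_V1 if version == 1 else FIXED_V3
    entries, off = [], HEADER_SIZE
    while off + fixed <= len(data):
        path_chars = struct.unpack_from("<H", data, off + fixed - 2)[0]
        path_start, path_end = off + fixed, off + fixed + path_chars * 2
        if path_end > len(data):
            break  # truncated entry: stop rather than report a garbage path
        created_on, mac = droid_created_on(data[off + 56:off + 72])
        entries.append({
            "mru": len(entries),
            "entry_number": struct.unpack_from("<I", data, off + 88)[0],
            "hostname": data[off + 72:off + 88].split(b"\x00", 1)[0].decode("ascii", "replace"),
            "last_modified": filetime_to_dt(struct.unpack_from("<Q", data, off + 100)[0]),
            "pinned": struct.unpack_from("<i", data, off + 108)[0] != -1,  # -1 = not pinned
            # version 1 has no counter; Windows 10 keeps it 116 bytes into the entry
            "interaction_count": None if version == 1 else struct.unpack_from("<I", data, off + 116)[0],
            "path": data[path_start:path_end].decode("utf-16-le"),
            "created_on": created_on, "mac_address": mac})
        off = path_end + (0 if version == 1 else 4)  # Windows 10 entries end with 4 pad bytes
    return {"version": version, "declared_entries": declared, "pinned_entries": pinned,
            "last_entry_number": struct.unpack_from("<I", data, 16)[0],
            "entries": entries, "entry_count_mismatch": declared != len(entries)}


def make_v1_guid(dt, node):  # version-1 GUID in on-disk little-endian order (test data)
    ticks = ((dt - UUID_EPOCH) // US) * 10
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
              ((ticks >> 48) & 0x0FFF) | 0x1000, 0x80, 0x00, node)
    return uuid.UUID(fields=fields).bytes_le


def build_destlist(version, items):
    """Construct a DestList stream in the given layout version (test data only)."""
    fixed = FIXED_V1 if version == 1 else FIXED_V3
    body = b""
    for it in items:
        e = bytearray(fixed)
        e[56:72] = make_v1_guid(it["created_on"], it["node"])  # birth file DROID
        e[72:88] = it["hostname"].encode("ascii").ljust(16, b"\x00")
        struct.pack_into("<I", e, 88, it["entry_number"])
        struct.pack_into("<Q", e, 100, ((it["last_modified"] - FILETIME_EPOCH) // US) * 10)
        struct.pack_into("<i", e, 108, 0 if it.get("pinned") else -1)
        if version != 1:
            struct.pack_into("<I", e, 116, it["interaction_count"])
        path = it["path"].encode("utf-16-le")
        struct.pack_into("<H", e, fixed - 2, len(path) // 2)
        body += bytes(e) + path + (b"" if version == 1 else b"\x00" * 4)
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<III", hdr, 0, version, len(items), sum(1 for it in items if it.get("pinned")))
    struct.pack_into("<f", hdr, 12, -1.0)  # header float of unknown meaning, observed as -1.0
    struct.pack_into("<I", hdr, 16, max(it["entry_number"] for it in items))
    return bytes(hdr) + body


UTC = timezone.utc
SAMPLE_ITEMS = [  # constructed test data, most recently used first
    {"entry_number": 3, "hostname": "WKSTN-07", "node": 0x001A2B3C4D5E, "interaction_count": 1,
     "path": r"E:\exfil\customer-list.xlsx", "created_on": datetime(2024, 3, 2, 9, 12, 40, tzinfo=UTC),
     "last_modified": datetime(2024, 3, 2, 9, 12, 44, tzinfo=UTC)},
    {"entry_number": 1, "hostname": "WKSTN-07", "node": 0x001A2B3C4D5E, "interaction_count": 7,
     "pinned": True, "path": r"C:\Users\jdoe\Documents\Q3-forecast.docx",
     "created_on": datetime(2024, 2, 1, 8, 0, tzinfo=UTC), "last_modified": datetime(2024, 3, 1, 14, 5, 9, tzinfo=UTC)},
]
SAMPLE_WIN10 = build_destlist(4, SAMPLE_ITEMS)
SAMPLE_WIN7 = build_destlist(1, SAMPLE_ITEMS)

if __name__ == "__main__":
    for e in parse_destlist(SAMPLE_WIN10)["entries"]:
        print(e["mru"], e["last_modified"], e["interaction_count"], e["path"])
```

Against a real image, replace SAMPLE_WIN10 with the DestList stream read out of the compound file and compare the result with JLECmd's output: the MRU column is the position in the stream, LastModified is the entry's FILETIME, and a declared count larger than the parsed count is the same "expected vs. actual" warning JLECmd prints.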


-------------------------------------------------------------------------------------------------------------


Multiple File Output Analysis:

Open the CSV in Excel (or any spreadsheet or filtering tool); it is far easier to sort and filter there.


Important columns to keep for the investigation:

AppId, AppIdDescription, MRU, LastModified (also called Last Opened), Path, InteractionCount, TargetCreated, TargetModified, FileSize, DriveType, VolumeSerialNumber, LocalPath


Last Opened (LastModified) is Jump List metadata: when this file was last opened through the application, as recorded by the Jump List.
TargetCreated / TargetModified are file system (NTFS) metadata of the target file, copied into the embedded LNK when the entry was written: when the file was originally created / last modified. They describe the target as it was when the LNK was last updated, not necessarily its current state on disk.
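
Working those columns from a JLECmd CSV export, as an added example that is not part of the original post or of JLECmd: a Python script that keeps only the columns listed above, sorts newest-first on LastModified, flags targets that sat on removable or network volumes (the data theft use case from earlier), and cross-checks LastModified against the target's NTFS timestamps. The CSV rows are constructed test data; the column names are JLECmd's, but the DriveType wording and the "yyyy-MM-dd HH:mm:ss" timestamp format are assumptions about JLECmd's default output, and timeline_anomalies() is a heuristic of this example, not a JLECmd feature.

```python
"""Triage a JLECmd CSV export (the output of `JLECmd.exe -d ... --csv`).
Added example, not JLECmd code. Keeps the investigation columns, sorts on
LastModified (the Jump List's 'last opened' time) and flags targets on
removable or network volumes. SAMPLE_CSV is constructed test data; the
DriveType strings and timestamp format are assumptions about JLECmd output."""
import csv
import io
from datetime import datetime

KEEP = ["AppId", "AppIdDescription", "MRU", "LastModified", "Path", "InteractionCount",
        "TargetCreated", "TargetModified", "FileSize", "DriveType", "VolumeSerialNumber",
        "LocalPath"]

# Constructed rows. SourceFile and Hostname are included only to show columns being dropped.
SAMPLE_CSV = r"""
SourceFile,AppId,AppIdDescription,MRU,LastModified,Path,InteractionCount,TargetCreated,TargetModified,FileSize,DriveType,VolumeSerialNumber,LocalPath,Hostname
1c7a9be1b15a03ba.automaticDestinations-ms,1c7a9be1b15a03ba,Microsoft Word 2016,1,2024-03-01 14:05:09,C:\Users\jdoe\Documents\Q3-forecast.docx,7,2024-02-01 08:00:00,2024-02-28 17:45:10,48213,Fixed storage media (Hard drive),A1B2C3D4,C:\Users\jdoe\Documents\Q3-forecast.docx,WKSTN-07
1c7a9be1b15a03ba.automaticDestinations-ms,1c7a9be1b15a03ba,Microsoft Word 2016,0,2024-03-02 09:12:44,E:\exfil\customer-list.xlsx,1,2024-03-02 09:10:02,2024-03-02 09:10:02,912344,"Removable storage media (Floppy, USB)",5E6F7A8B,E:\exfil\customer-list.xlsx,WKSTN-07
1c7a9be1b15a03ba.automaticDestinations-ms,1c7a9be1b15a03ba,Microsoft Word 2016,2,2024-02-28 18:30:00,\\fileserver\finance\payroll.xlsx,2,2023-11-12 10:00:00,2024-02-27 16:00:00,204800,Network drive,,,WKSTN-07
1c7a9be1b15a03ba.automaticDestinations-ms,1c7a9be1b15a03ba,Microsoft Word 2016,3,2024-02-20 11:00:00,C:\Users\jdoe\Desktop\notes.docx,3,2024-02-25 09:00:00,2024-02-25 09:00:00,1024,Fixed storage media (Hard drive),A1B2C3D4,C:\Users\jdoe\Desktop\notes.docx,WKSTN-07
""".strip()


def parse_ts(text):
    """Assumed JLECmd format 'yyyy-MM-dd HH:mm:ss' with an optional fractional
    part (up to seven digits); empty cells become None."""
    text = text.strip()
    if not text:
        return None
    main, _, frac = text.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%d %H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0"))) if frac else dt


def load_rows(csv_text):
    """Keep only the investigation columns and return rows newest-first by LastModified."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = {col: raw.get(col, "") or "" for col in KEEP}
        row["LastModifiedDt"] = parse_ts(row["LastModified"])
        rows.append(row)
    rows.sort(key=lambda r: r["LastModifiedDt"] or datetime.min, reverse=True)
    return rows


def flag_external(rows):
    """Targets that lived on removable or network volumes, or were reached via a UNC path."""
    hits = []
    for r in rows:
        drive = r["DriveType"].lower()
        if "removable" in drive or "network" in drive or r["Path"].startswith("\\\\"):
            hits.append(r)
    return hits


def timeline_anomalies(rows):
    """Heuristic: the target's NTFS timestamps were copied into the LNK when the
    entry was written, so a TargetCreated/TargetModified later than the Jump
    List's LastModified points at clock problems or timestamp manipulation."""
    out = []
    for r in rows:
        opened = r["LastModifiedDt"]
        targets = [parse_ts(r[c]) for c in ("TargetCreated", "TargetModified")]
        if opened and any(t and t > opened for t in targets):
            out.append(r)
    return out


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for r in flag_external(rows):
        print(r["LastModified"], r["DriveType"], r["Path"])
    for r in timeline_anomalies(rows):
        print("check timestamps:", r["Path"], r["TargetCreated"], ">", r["LastModified"])
```

Point load_rows() at the text of jlcmd.csv from the -d run above; every row then carries the same twelve columns, and the two flag functions give a short list to pivot on before opening the full sheet in Excel.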

-------------------------------------------------------------------------------------------------------------


Extracting Detailed LNK Data with JLECmd

By default, JLECmd prints only a summary of the .lnk data embedded in a Jump List, not the full details of each entry.


For example, an Automatic Jump List may contain hundreds of embedded .lnk files, so showing full detail for every one can be overwhelming.


How to Extract Full LNK Data

  • Use the --fd option in JLECmd to parse full shell item information, including:

    • Target timestamps

    • File size and attributes

    • Absolute path and volume details

    • Extra block information


Command:

.\JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1c7a9be1b15a03ba.automaticDestinations-ms" --fd | more

  • Due to the large amount of data, redirect the output to a text file or use --html for better readability.

Command:

.\JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms" --fd --html "E:\Output for testing\Website investigation\out.html" -q

(--html, like --csv, takes an output directory; JLECmd names the report file inside it.)

Extracting the embedded .lnk files:

  • To extract all .lnk files from a particular Automatic Jump List, use the --dumpTo option. This lets you analyze them with other forensic tools.


Command:

.\JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms" --dumpTo "E:\Output for testing\Website investigation"

Once you open the output folder you will see the extracted .lnk files, which you can analyze with any LNK parser, such as LNK Tool or Eric Zimmerman's LECmd.


-------------------------------------------------------------------------------------------------------------


The best alternative tool for analyzing Jump Lists and .lnk files, also created by Eric Zimmerman, is JumpList Explorer (JLE).

Why Use JumpList Explorer?

Unlike JLECmd, which is command-line only, JumpList Explorer provides a graphical interface that makes Jump List data easier to browse and understand.


Clicking any .lnk entry shows its parsed details in the lower right-hand pane.

If you need a GUI-based tool for easier .lnk and Jump List analysis, JumpList Explorer is the best option! 🚀

-------------------------------------------------------------------------------------------------------------

🚀 Quick Reference: Essential JLECmd Commands

| Command | Purpose |
|---|---|
| JLECmd.exe -f [JumpListPath] | Parse a single Jump List |
| JLECmd.exe -d [RecentFolder] --csv/--json/--html [OutputDir] | Parse all Jump Lists under a folder (recursive) |
| JLECmd.exe -f [JumpListPath] --fd | Show full LNK (shell item) data |
| JLECmd.exe -f [JumpListPath] --dumpTo [Folder] | Extract all embedded LNK streams as individual .lnk files |


-------------------------------------------------------------------------------------------------------------


🚀 Get Started with JLECmd Today!

🔹 Download JLECmd as part of the Zimmerman Tools

🔹 Test it on a sample Jump List to see how much forensic evidence you can extract!


Need help with a Jump List investigation? Let me know! I’m here to guide you through it. 🔍🚀

----------------------------------------Dean----------------------------------------------
