By leveraging its capabilities, investigators can efficiently extract valuable insights from Jump List files, shedding light on recent file accesses and application usage patterns.
Single File Analysis:
When analyzing a single Jump List file, the following command syntax can be used:
Format:- JLECmd.exe -f [Path to Jump List File] -q --csv .\
Example:- JLECmd.exe -f C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f065ac336abcaa3e.automaticDestinations-ms -q --csv .\
-f: Specifies the path to the Jump List file for analysis.
-q: Optional parameter to display only the filename being processed, speeding up exporting to JSON or CSV format.
--csv: Instructs the tool to store the output in CSV format.
.\: The argument to --csv: the directory in which the parsed data is stored. Here it is the current working directory; any other directory can be given instead.
Full Directory Parsing:
To analyze an entire directory containing Jump List files, the command syntax can be modified as follows:
Format:- JLECmd.exe -d [Path to Directory] -q --csv .\
Example:- JLECmd.exe -d C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations -q --csv .\
-d: Indicates that a directory containing multiple Jump List files will be parsed.
Note on GUI Version:
JLECmd also offers a GUI version (JumpListExplorer.exe), which provides an intuitive interface for performing Jump List analysis tasks.
The left-side navigation neatly categorizes the different streams associated with link file data, allowing users to easily access target timestamps, file sizes, paths, and additional details for each file. The tool efficiently parses this information, offering valuable insights such as host names, MAC addresses, and other pertinent data. While the same analysis could be conducted using Microsoft Excel with TSV files generated from command-line tools, the graphical user interface of the tool streamlines the process, making data interpretation and analysis more intuitive.
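The CSV written by --csv can also be reviewed with a short script instead of a spreadsheet. The following is an added example, not part of the original post or of JLECmd itself: the sample rows are constructed, and the column names (SourceFile, AppId, Hostname, MacAddress, Path, LastModified) and the timestamp format are assumptions to check against the header of your own export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names and the timestamp format are assumed
# to match JLECmd's AutomaticDestinations CSV; check the header of your own file.
SAMPLE_CSV = r"""SourceFile,AppId,Hostname,MacAddress,Path,LastModified
C:\case\f065ac336abcaa3e.automaticDestinations-ms,f065ac336abcaa3e,desktop-01,00:11:22:33:44:55,C:\Users\User\Documents\budget.xlsx,2024-03-01 09:15:00
C:\case\f065ac336abcaa3e.automaticDestinations-ms,f065ac336abcaa3e,desktop-01,00:11:22:33:44:55,E:\export\clients.zip,2024-03-02 18:40:12
C:\case\0000000000000001.automaticDestinations-ms,0000000000000001,fileserver-02,66:77:88:99:aa:bb,\\fileserver-02\hr\salaries.docx,2024-03-02 18:43:50
C:\case\0000000000000001.automaticDestinations-ms,0000000000000001,desktop-01,00:11:22:33:44:55,C:\Users\User\notes.txt,
"""

def load_rows(text):
    """Parse CSV text into dicts and attach a parsed timestamp (None if blank)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        stamp = (row.get("LastModified") or "").strip()
        row["_when"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") if stamp else None
    return rows

def latest_per_app(rows):
    """Most recently used target path per AppId (rows without a time are skipped)."""
    latest = {}
    for row in rows:
        if row["_when"] and (row["AppId"] not in latest or row["_when"] > latest[row["AppId"]]["_when"]):
            latest[row["AppId"]] = row
    return {app: r["Path"] for app, r in latest.items()}

def review_candidates(rows, examined_host):
    """Entries worth a closer look: UNC targets or a host name other than the examined machine."""
    hits = []
    for row in rows:
        reasons = []
        if row["Path"].startswith("\\\\"):
            reasons.append("network path")
        host = row["Hostname"].strip().lower()
        if host and host != examined_host.lower():
            reasons.append("other host: " + host)
        if reasons:
            hits.append((row["Path"], reasons))
    return hits

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(latest_per_app(rows))
    for path, reasons in review_candidates(rows, "desktop-01"):
        print(path, reasons)
```

To use it on real output, read the CSV file produced by JLECmd and pass its text to load_rows in place of SAMPLE_CSV.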
Akash Patel