Windows Taskbar Jump Lists: A Forensic Goldmine

Updated: Jan 22


Jump Lists are one of the most overlooked yet powerful artifacts in Windows forensic investigations. Introduced in Windows 7, they provide users with quick access to recently or frequently used files, websites, and applications directly from the taskbar or Start menu.

But for forensic analysts, Jump Lists offer something even more valuable: a deep history of user activity, revealing files and folders accessed, websites visited, and applications frequently used—often persisting even after deletion or file wiping.

----------------------------------------------------------------------------------------------------------


How Jump Lists Work: Destinations vs. Tasks

Jump Lists are made up of two main components:


1️⃣ Destinations – These track user interactions with files, folders, and websites.

2️⃣ Tasks – These represent application-specific actions, such as opening a private browsing session or launching a virtual machine.


According to Microsoft’s Windows Software Development Kit (SDK):

  • Destinations are the things users interact with, such as files or folders.

  • Tasks are actions that apply to all users, such as "Open New Tab" in a browser.

Because Destinations track user behavior, they hold significant forensic value.

----------------------------------------------------------------------------------------------------------


Types of Jump Lists: Automatic vs. Custom

Jump Lists are categorized into two types:


🔹 AutomaticDestinations Jump Lists (Forensically Rich)

These are automatically generated by Windows for each application, storing up to 2,000 entries per application. They use a structured storage format (OLE CF)—essentially a container storing multiple data streams, including LNK files (shortcut files).


Each entry in an Automatic Jump List contains:

  • Full file path and filename

  • Timestamps (creation, modification, last accessed)

  • File size and attributes

  • Storage device information (drive serial number, network path, MAC address, etc.)

  • MRU (Most Recently Used) order


📌 Forensic Insight:

Even if a file is deleted or wiped from the system, its Jump List entry may still exist, providing proof of prior access.


🔹 CustomDestinations Jump Lists (Application-Specific)

These are manually created by application developers for custom functionality, such as:


  • Favorite files or frequently visited websites

  • Recently closed tabs in browsers

  • Cloud file access history


Custom Jump Lists use a simpler format than Automatic Jump Lists, consisting of concatenated LNK files without additional metadata.


📌 Forensic Insight:

Since Custom Jump Lists are managed by applications, they don’t always follow predictable timestamp patterns. Analysts should be cautious when interpreting their data.


----------------------------------------------------------------------------------------------------------


Jump List Storage Locations

Jump Lists are stored in the same location as user LNK files, under the user’s Recent Items folder:

🔹 AutomaticDestinations Jump Lists:

C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Each file inside this folder corresponds to an application, using an AppID-based filename (e.g., 5f7b5f1e01b83767.automaticDestinations-ms).


🔹 CustomDestinations Jump Lists:

C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Similar to Automatic Jump Lists, each file represents an application using an AppID-based filename.


********************************************************************************************************************

Jump Lists and Recent Items Folder Visibility in Windows 10/11

If you're looking for .lnk files (shortcut files) and Jump Lists in Windows 10 or 11, you might notice a difference in how they appear in File Explorer versus other tools.


  • File Explorer View:

    • Navigate to:

      C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\

    • You will see Recent Items instead of Recent.

    • This folder contains shortcut files (.lnk), but Jump Lists (AutomaticDestinations, CustomDestinations) may not be visible.

  • PowerShell & Forensic Tools:

    • KAPE and other forensic tools can still extract these artifacts, confirming that they are present.


Key Takeaway

Even if you don’t see Jump Lists in File Explorer, they are still there and accessible through forensic methods. This is likely due to system behavior changes in newer Windows versions.


******************************************************************************************************************


Analyzing Jump Lists for Digital Forensics


1️⃣ Extracting Data from AutomaticDestinations Jump Lists

Because Automatic Jump Lists use OLE CF structured storage, specialized tools are required to extract their contents. Each entry contains a linked LNK file, providing valuable metadata.


🛠 Tools for Analysis:

  • JumpList Explorer / JLECmd (by Eric Zimmerman) – Parses Automatic Jump Lists and extracts the embedded LNK data.

  • LECmd (by Eric Zimmerman) – Processes the extracted Jump List LNK files for timestamp analysis.

  • Forensic Suites (e.g., Autopsy, X-Ways) – Some forensic tools have built-in Jump List parsers.


📌 Key Findings:
  • Identify frequently accessed files (even if deleted).

  • Track external device use (USB, network shares).

  • Establish a timeline of file usage using MRU lists.

-------------------------------------------------------------------------------------------------------------


2️⃣ Analyzing CustomDestinations Jump Lists


Because CustomDestinations Jump Lists concatenate LNK files together, they are simpler to analyze but lack MRU ordering and additional timestamps.
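The following Python is an added example, not code from the original post or from any of the tools named here. It decodes the fixed 76-byte ShellLinkHeader of an LNK record (the creation, access and write timestamps, file size and attributes listed earlier for Automatic Jump List entries) and carves concatenated records out of a blob the way a CustomDestinations file is laid out. The sample blob is constructed for the demonstration; all function names are the example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader begins with HeaderSize 0x4C then the LNK CLSID 00021401-0000-0000-C000-000000000046.
LNK_SIGNATURE = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts 100 ns ticks since this instant (UTC)

def filetime_to_datetime(ft):
    """A zero FILETIME means 'not set' in an LNK header; report it as None."""
    return None if ft == 0 else (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).replace(tzinfo=timezone.utc)

def datetime_to_filetime(dt):
    if dt is None:
        return 0
    d = dt.replace(tzinfo=None) - FILETIME_EPOCH  # integer arithmetic avoids float rounding
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def parse_lnk_header(buf, offset=0):
    """Decode the fixed ShellLinkHeader at `offset` into a dict of forensic fields."""
    if buf[offset:offset + 20] != LNK_SIGNATURE:
        raise ValueError("no ShellLinkHeader at offset %d" % offset)
    # After the signature: LinkFlags, FileAttributes, Creation/Access/WriteTime, FileSize; the rest is icon/hotkey/reserved.
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", buf, offset + 20)
    return {"offset": offset, "link_flags": flags, "attributes": attrs, "size": size,
            "created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
            "written": filetime_to_datetime(wtime)}

def carve_lnk_headers(blob):
    """Scan a blob for every LNK signature and decode each header (concatenated CustomDestinations style)."""
    found, pos = [], blob.find(LNK_SIGNATURE)
    while pos != -1:
        try:
            found.append(parse_lnk_header(blob, pos))
        except (ValueError, struct.error):  # truncated record at the end of the blob
            pass
        pos = blob.find(LNK_SIGNATURE, pos + 1)
    return found

def make_header(created, accessed, written, size, attrs=0x20):
    """Build a minimal 76-byte header (constructed test data, not a real LNK file)."""
    body = struct.pack("<IIQQQI", 0, attrs, datetime_to_filetime(created),
                       datetime_to_filetime(accessed), datetime_to_filetime(written), size)
    return LNK_SIGNATURE + body + b"\x00" * 20

# Constructed sample standing in for a CustomDestinations file: two entries with filler between them,
# the second with no access time recorded (naive datetimes here are treated as UTC).
SAMPLE_BLOB = (make_header(datetime(2024, 3, 5, 14, 30), datetime(2024, 3, 7, 9, 15), datetime(2024, 3, 6, 11, 0), 204800)
               + b"filler between entries"
               + make_header(datetime(2024, 3, 8, 8, 0), None, datetime(2024, 3, 8, 8, 0), 4096, attrs=0x10))
```

Real LNK records carry link target, tracker and volume data after the header, so this only recovers the timestamp, size and attribute fields; a full parser (or LECmd) is still needed for paths and device serial numbers.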


📌 Key Findings:

  • Identify favorite or recently closed items (e.g., browser history, cloud files).

  • Review application-generated data (e.g., remote desktop connections).

  • Cross-reference with Automatic Jump Lists for verification.


🛠 Tools for Analysis:

  • LECmd – Extracts and parses the individual LNK files from the concatenated list.

  • Hex Editors – Manually inspect for unique artifacts (such as website URLs).


-------------------------------------------------------------------------------------------------------------


Jump Lists are an essential artifact in Windows forensic investigations, helping analysts track user activity, file access, and application usage. However, one of the biggest challenges with Jump Lists is their naming convention: instead of being named after applications, they are stored under unique Application Identifiers (AppIDs), for example:


1b4dd67f29cb1962.automaticDestinations-ms

What Are Jump List AppIDs?

Every application that utilizes Jump Lists is assigned a unique AppID, which is derived from the full installation path of the application. This ensures that even different versions of the same application (e.g., Microsoft Word 2013 vs. Word 365) have separate Jump Lists and do not interfere with each other.


Key Characteristics of AppIDs:

  • Universally Consistent – The same AppID for an application is used across all Windows systems.

  • Path-Dependent – If an application is installed in a non-standard location, its AppID may differ.

  • Persistent After Uninstallation – Jump Lists can remain on a system even after an application is removed, providing forensic evidence of prior use.


Finding and Identifying Jump List AppIDs

Since Windows does not label Jump Lists with application names, forensic analysts need to use other methods to determine which AppID corresponds to which application.


1️⃣ Checking Publicly Available AppID Lists

Several repositories maintain AppID lookup tables, including:



These lists allow investigators to match known AppIDs with common applications.


2️⃣ Using JLECmd for Automatic Identification

JLECmd by Eric Zimmerman is a forensic tool that automatically matches Jump List AppIDs to known applications using a built-in database.


📌 If the AppID is recognized, JLECmd will display the application name.
📌 If the AppID is unknown, the analyst will need to manually determine its origin.

AppIDs in Automatic vs. Custom Jump Lists

Both Automatic and Custom Jump Lists use the same AppID algorithm. However, there are key differences in their behavior:

Jump List Type   Location                 Metadata Stored                              Forensic Value
Automatic        AutomaticDestinations    MRU order, timestamps, LNK files             High (rich data, timestamps)
Custom           CustomDestinations       Concatenated LNK files, limited metadata     Moderate (useful but lacks MRU order)

📌 Since Custom Jump Lists are optional, they are often fewer in number and may not exist for all applications.

📌 Example: CCleaner has been observed to create Custom Jump Lists without an Automatic Jump List, emphasizing the need to check both folders.


-------------------------------------------------------------------------------------------------------------


Forensic Case Study: Tracking User Activity with Jump Lists

🔍 Scenario:

A company suspects an employee exfiltrated sensitive documents via a USB drive before resigning.


🛠 Investigation Steps:

1️⃣ Extract AutomaticDestinations Jump Lists

  • Locate files in AutomaticDestinations.

  • Parse with JumpList Explorer / JLECmd to identify recently accessed documents.

  • Extract linked LNK files to reveal USB storage details.


2️⃣ Review CustomDestinations Jump Lists

  • Inspect CustomDestinations for browser history or cloud storage access.

  • Identify recently closed web pages (possible file uploads).


3️⃣ Cross-Check with Other Artifacts

  • Compare Jump List entries with RecentDocs registry keys.

  • Analyze the Recycle Bin for deleted files.

  • Correlate USB serial numbers with those from registry artifacts (USBSTOR).


📌 Key Findings:

✅ Employee accessed "Confidential_Plan.pdf" from the company’s drive.

✅ LNK metadata reveals it was copied to a USB drive (serial number: ABC123).

✅ Custom Jump Lists show Dropbox was accessed, suggesting potential cloud uploads.


🚀 Outcome: 

Jump Lists helped prove data exfiltration, strengthening the case against the employee.


-------------------------------------------------------------------------------------------------------------


Preventing Data Loss: Disabling Jump Lists

Jump Lists store a massive amount of historical user activity, which can be a security risk. Organizations can disable Jump Lists via:


1️⃣ Control Panel:

Personalization -> Start -> "Show recently opened items in Jump Lists on Start or the taskbar" [Disable]

2️⃣ Group Policy (for enterprises):

Computer Configuration -> Administrative Templates -> Start Menu and Taskbar -> Do not use the search-based method when resolving shell shortcuts.

📌 Note: 

Disabling Jump Lists wipes existing records but does not prevent recovery from unallocated disk space.




-------------------------------------------------------------------------------------------------------------


Final Thoughts: Why Jump Lists Matter in Forensics

Jump Lists are an invaluable resource for forensic investigators, offering a historical record of file access, browsing activity, and application usage. Their persistence—even after file deletion—makes them a crucial artifact for proving user intent and reconstructing events.


Key Takeaways:

  • Automatic Jump Lists store detailed metadata and MRU lists.

  • Custom Jump Lists track browser and cloud activity.

  • Even deleted files can leave traces in Jump Lists.

  • Jump List analysis is essential for insider threat investigations.


-------------------------------------------------------------------------------------------------------------

