Jump Lists
Windows Jump Lists are designed to provide users with quick access to frequently or recently used documents, files, or applications directly from the taskbar. Introduced with Windows 7, these lists offer valuable insights into user activity, including the applications used and specific interactions with various items.
Location of AutomaticDestinations:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Location of CustomDestinations:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Jump Lists are associated with individual applications, identified by a unique application identifier (AppID). These identifiers enable forensic analysts to determine which application a particular Jump List is associated with. can be found at , which is an invaluable resource for identifying the applications related to specific Jump List files.
Each Jump List file can store information about up to 2000 items that a user has interacted with through the corresponding application. This includes documents opened, media played, or any file accessed. The data maintained in a Jump List can include, but is not limited to, the following:
Target Timestamps: Records when the item was last opened.
File Size: The size of the item when last accessed.
Storage Medium Information: Identifies where the item is stored—on a local drive, removable media, or a network share.
Most Recently Used (MRU) Order: Items in a Jump List are kept in an MRU order, which includes a timestamp for each listed item, providing a timeline of user interactions.
Jump Lists are composed of entries represented as LNK (shortcut) shell items, which offer additional metadata about the accessed items. This metadata enriches the forensic analysis by providing detailed information about user behavior and file access patterns.
AutomaticDestinations: These files are automatically generated by the system to track items opened by applications. They are named using the AppID, making it possible to associate each Jump List with its respective application.
CustomDestinations: Created by applications to store shortcuts to user-specified destinations. These also use the AppID naming convention but allow for more customization by the application or user.
To analyze Jump Lists, forensic analysts can follow these steps:
Locate the Jump List files in the AutomaticDestinations and CustomDestinations directories.
Examine the contents of each Jump List file to extract and analyze the LNK shell item data. This includes target timestamps, file size, and the original location of accessed items.
Analyze the MRU order and timestamps to construct a timeline of user interactions with the application.
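The following Python example is added here and is not code from the original page or from the tools it names. It derives the AppID from a Jump List file name and carves LNK headers by signature to read the target timestamps and file size described above. It assumes the headers are stored contiguously, as in CustomDestinations files; the file name and sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# ShellLinkHeader (MS-SHLLINK): HeaderSize 0x4C, then the shell link CLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
HEADER_LEN = 0x4C
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def app_id(path):
    """AppID = file name up to the first dot (before the *Destinations-ms suffix)."""
    return PureWindowsPath(path).name.split(".")[0].lower()

def carve_lnk_headers(blob):
    """Return target timestamps and size for every complete LNK header in blob."""
    found, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        if pos + HEADER_LEN <= len(blob):  # ignore a header cut off at EOF
            # Offsets 28..55: CreationTime, AccessTime, WriteTime, FileSize.
            created, accessed, written, size = struct.unpack_from("<QQQI", blob, pos + 28)
            found.append({"offset": pos, "size": size,
                          "created": filetime_to_dt(created),
                          "accessed": filetime_to_dt(accessed),
                          "written": filetime_to_dt(written)})
        pos = blob.find(LNK_MAGIC, pos + 1)
    return found

def make_header(created, written, size):
    """Constructed 76-byte header used as sample input (not real evidence)."""
    body = struct.pack("<IIQQQI", 0, 0x20, created, 0, written, size)
    return LNK_MAGIC + body + bytes(HEADER_LEN - len(LNK_MAGIC) - len(body))

# Constructed sample: filler, two headers, then a header truncated at EOF.
SAMPLE_NAME = "0123456789abcdef.customDestinations-ms"  # constructed AppID
SAMPLE = (b"\x00" * 16
          + make_header(133485408000000000, 133485444000000000, 20480)
          + b"\xff" * 4
          + make_header(0, 133485408000000000, 512)
          + LNK_MAGIC + b"\x00" * 10)

if __name__ == "__main__":
    print("AppID:", app_id(SAMPLE_NAME))
    for entry in carve_lnk_headers(SAMPLE):
        print(entry)
```

Signature carving is a triage technique swapped in for illustration; a dedicated Jump List parser is still needed for the MRU order and per-entry interaction timestamps.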
JumpList Explorer: A tool designed specifically for parsing and analyzing Jump List files, providing a user-friendly interface to examine the metadata contained within.
LNK Parsing Tools: Since Jump List entries are represented as LNK shell items, tools capable of parsing LNK files (such as LECmd or ShellBags Explorer) can be utilized to extract detailed information about each entry.
Forensic Suites: Comprehensive forensic suites like Magnet AXIOM or EnCase offer capabilities to automatically parse and analyze Jump List files as part of their examination of Windows artifacts.
to identify which application each Jump List is associated with.