JumpLists

Jump Lists show which files certain applications interacted with, which makes them useful for tracking threat actor (TA) behavior.

File Location:

  • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent

  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Parse Data

JLECmd.exe -d F:\Tools\Investigation\jplists\ --csv F:\Tools\Investigation --csvf JumpOutput.csv

  • Shows MRU positions and how many entries are in each Jump List.

  • Created (C) and modified (M) timestamp data is included.

Considerations

  • Jump Lists show the files most recently opened with an application. (Their entries are just LNK files.)

  • AutomaticDestinations hold the recent items.

  • Pinned files are stored in a CustomDestinations Jump List.

  • Each Jump List file carries an App ID (Application Identifier) that shows which application stored the LNK entries.

Gotchas:

  • Unlike automatic jump lists, custom jump lists aren't always created at the time of application creation.

  • Be careful about using LNK target timestamps: they often refer to the application's timestamps rather than those of the opened document.

  • Jump lists can persist after the uninstallation of an app.

Anti-Forensics

  • Delete Folders.
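
A quick triage pass over a collected Recent folder, added here as an example (not part of the original notes and not JLECmd code): it pulls the App ID from each Jump List file name, checks that automatic lists are OLE compound files, counts embedded LNK headers in custom lists as a heuristic, and reports a missing AutomaticDestinations or CustomDestinations folder. The function names and the sample App ID are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Shell link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# OLE compound file magic; automaticDestinations-ms files use this container.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
NAME_RE = re.compile(r"^([0-9a-f]{1,16})\.(automatic|custom)Destinations-ms$", re.I)

def triage_file(name, data):
    """Return the AppID, list type and a basic structure check for one file."""
    m = NAME_RE.match(name)
    if not m:
        return None  # not a Jump List file name
    info = {"app_id": m.group(1).lower(), "kind": m.group(2).lower()}
    if info["kind"] == "automatic":
        info["ole_container"] = data.startswith(OLE_MAGIC)
    else:
        # Heuristic: count embedded LNK headers in the custom list.
        info["lnk_entries"] = data.count(LNK_HEADER)
    return info

def triage_recent(recent_dir):
    """Triage both subfolders; a missing folder is reported, not skipped."""
    report = {"missing": [], "files": []}
    for sub in ("AutomaticDestinations", "CustomDestinations"):
        folder = Path(recent_dir) / sub
        if not folder.is_dir():
            report["missing"].append(sub)
            continue
        for f in sorted(folder.iterdir()):
            info = triage_file(f.name, f.read_bytes())
            if info:
                report["files"].append(info)
    return report

def demo():
    """Constructed sample: one automatic list, CustomDestinations deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        auto = Path(tmp) / "AutomaticDestinations"
        auto.mkdir()
        # Constructed AppID and file body, not taken from a real system.
        name = "0123456789abcdef.automaticDestinations-ms"
        (auto / name).write_bytes(OLE_MAGIC + b"\x00" * 504)
        return triage_recent(tmp)

if __name__ == "__main__":
    print(demo())
```

A folder listed under `missing` on a profile that has clearly been used is worth correlating with other recent-file artifacts.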
