Artifact Analysis: Windows Jumplists

Note

Executive Summary: Introduced in Windows 7, Jumplists are a GUI feature designed to give users quick access to recently or frequently opened files associated with specific applications. For DFIR analysts, Jumplists act as a highly granular historical ledger, providing irrefutable evidence of user interaction, execution context, and access to files that may no longer exist on the disk.

1. Technical Overview

The primary philosophy behind Jumplists is user productivity. When a user right-clicks an application icon on the taskbar or Start menu, the resulting list of files or tasks is populated by Jumplist data.

Unlike the file system’s “Last Accessed” timestamp, which can be unreliable or disabled by default in modern Windows environments, Jumplists are actively maintained by the operating system whenever a user interacts with a file through an application’s standard dialogue handlers.

Operating Mechanism

When a file is opened via an application (e.g., opening a .docx file via WINWORD.EXE), the Windows Shell registers this interaction. It generates or updates a binary file specific to both the user and the application, storing rich metadata about the target file as an embedded LNK File stream.

2. Artifact Locations & Structure

Jumplist artifacts are stored within the user’s profile and are categorized into two distinct types based on how they are generated.

A. AutomaticDestinations

These are populated automatically by the Windows operating system as users interact with files.

• Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
• File Naming Convention: [AppID].automaticDestinations-ms

B. CustomDestinations

These are generated by the application itself to pin specific files or provide custom application tasks.

• Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
• File Naming Convention: [AppID].customDestinations-ms

Tip

Understanding AppIDs: The [AppID] is a unique 16-character hexadecimal string calculated from the application’s path. For example, Microsoft Word’s AppID is consistently 9b9cdc69c1c24e2b. Analysts can use known AppID lookup tables to quickly identify which application generated the Jumplist.

3. Data Structure

Jumplist files are not simple text logs; they are complex OLE Compound Files (OLECF). Analyzing them reveals highly structured metadata, as each entry contains embedded LNK streams (DestList):

• Target File Path: The absolute path of the accessed file.
• Target Timestamps: The Creation, Modification, and Access times of the target file at the exact moment the Jumplist entry was created or updated.
• Interaction Timestamp: The modification date of the Jumplist entry itself indicates the time of user interaction.
• Volume Information: Details about the storage media, including volume serial numbers and drive types (local, network, removable).
• MAC Address: The MAC address of the machine hosting the file, which is highly valuable when investigating access to lateral network shares.

4. Forensic Value in Incident Response

Jumplists answer the critical DFIR question: “What exactly did the user or attacker do with this program?”

Execution Context

While Prefetch (.pf) Files prove that an executable (like powershell.exe) ran, they do not inherently show the arguments or files it interacted with. By analyzing the PowerShell Jumplist, an investigator can identify the exact .ps1 script that was executed by the threat actor.

Tracking Data Exfiltration

During the staging phase of an attack, adversaries often compress data before exfiltration. If tools like 7-Zip, WinRAR, or FTP clients like FileZilla are used, their respective Jumplists will log the specific directories and files the attacker manipulated.

Identifying Deleted Files

Because Jumplists maintain an independent database of metadata, they preserve the historical record of files and folders long after the actual data has been securely wiped or removed by an attacker.

5. Data Analysis & Parsing

Due to their complex binary nature, manual analysis of Jumplists is impractical. DFIR analysts rely on specialized parsing utilities.

1. Acquisition: Extract the AutomaticDestinations and CustomDestinations directories from the suspect user’s profile.
2. Parsing: Run a dedicated parser to extract the OLE streams and reconstruct the embedded LNK metadata.
3. Correlation: Cross-reference the interaction timestamps with Shellbags for folder navigation context, and Prefetch for application execution timelines.

JLECmd

Part of Eric Zimmerman’s Tools. JLECmd.exe is the industry standard for parsing Jumplist files, offering high-speed processing and detailed CSV output.

JumpLister

Developed by Digital Forensics Corp, this provides a GUI-based approach for analysts who prefer visual exploration of Jumplist contents and AppID resolution.

---

References & Further Reading

• SANS Institute: Windows Forensic Analysis
• Eric Zimmerman’s Tools: JLECmd GitHub Repository
• Related: Understanding Prefetch Execution Evidence