Jumplists: A Digital Trail of Your Activity

JumpLists in Windows are a forensic goldmine for investigators. They provide valuable insights into user activity, including recently accessed files, applications, and tasks.

What Are JumpLists?
JumpLists are a feature introduced in Windows 7 and continued in later versions (Windows 8, 10, and 11). They are designed to improve user productivity by providing quick access to frequently or recently used files, folders, and tasks associated with specific applications. JumpLists appear when you right-click on an application icon in the Taskbar or Start Menu.

There are two types of JumpLists:
  1. Automatic Destinations: These are automatically generated by Windows and contain recently or frequently accessed files and folders.
  2. Custom Destinations: These are created by applications to provide quick access to specific tasks or features.

Where Are JumpLists Stored?
JumpLists are stored in specific directories within the user’s profile. The location depends on the version of Windows:

Windows 7, 8, 10, and 11:
C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\

AutomaticDestinations: Contains files with names like `f01b4d95cf55d32a.automaticDestinations-ms`.
CustomDestinations: Contains files with names like `5f7b5f1e01b83767.customDestinations-ms`.


The filenames in these directories are derived from the AppID (Application Identifier) of the associated application. Each application has a unique AppID, which is used to link the JumpList to the application.


Structure of JumpList Files
JumpList files are stored in a structured format known as Compound File Binary Format (CFBF), which is essentially a mini file system. These files can be parsed to extract valuable forensic data.


Key Components of JumpList Files:
  • AppID: A unique identifier for the application associated with the JumpList.
  • DestList: A stream within the JumpList file that contains metadata about the items in the JumpList, such as:
    • Timestamps (e.g., when the file was last accessed).
    • File paths.
    • Usage counts (how often the file was accessed).
  • Shell Items: These represent the actual files, folders, or tasks in the JumpList. They contain information such as:
    • File names.
    • File paths.
    • Shell item IDs (used to identify specific items in the Windows Shell namespace).

Forensic Value of JumpLists
JumpLists are incredibly useful in forensic investigations because they provide evidence of user activity, including:
  • Recently Accessed Files: JumpLists can reveal files that a user has recently opened, even if the files were deleted or moved.
  • Application Usage: Investigators can determine which applications were used and when.
  • Timeline Analysis: Timestamps in JumpLists can help reconstruct a timeline of user activity.
  • Evidence of Intent: Custom Destinations may show specific tasks or commands executed by the user, which can indicate intent or behavior.

How to Analyze JumpLists
To analyze JumpLists, you can use specialized forensic tools or manually parse the files. Here’s how:

  • Using Forensic Tools:
    • Autopsy: A free, open-source digital forensics tool that supports JumpList analysis.
    • FTK Imager: Allows you to extract and view JumpList files.
    • JumpLister: A dedicated tool for parsing JumpList files.
    • Eric Zimmerman’s Tools: Tools like `JLECmd` (Jump List Explorer Command Line) are specifically designed for JumpList analysis.
  • Manual Analysis:
    • Extract the JumpList files from the user’s profile.
    • Use a hex editor or a CFBF parser to examine the contents of the files.
    • Look for the DestList stream and Shell Items to extract file paths, timestamps, and other metadata.
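As an added example that is not part of the original article, the following Python parser walks the DestList stream described above (entry number, hostname, last-modified FILETIME, pin status, access count and path) and is run here on a constructed sample stream rather than a real JumpList. Extracting the stream from the CFBF container is left to an OLE library such as olefile (shown in a comment), and the field offsets assume the publicly documented version 1 (Windows 7/8) and version 3/4 (Windows 10/11) layouts, so check them against a known sample before relying on the output.

```python
import struct
from datetime import datetime, timedelta, timezone

# Bytes of fixed fields before the UTF-16LE path in one entry: v1 = Win7/8, v3/v4 = Win10/11.
ENTRY_FIXED_SIZE = {1: 114, 3: 130, 4: 130}

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_destlist(data):
    """Parse a raw DestList stream into entry dicts. Get the stream out of the CFBF
    container with, e.g., olefile.OleFileIO(p).openstream('DestList').read()."""
    version, n_entries = struct.unpack_from('<II', data, 0)  # start of the 32-byte header
    if version not in ENTRY_FIXED_SIZE:
        raise ValueError(f'unsupported DestList version {version}')
    fixed, entries, off = ENTRY_FIXED_SIZE[version], [], 32
    for _ in range(n_entries):
        host = data[off + 72:off + 88].split(b'\x00', 1)[0].decode('ascii', 'replace')
        entry_num, _, _, mtime, pin = struct.unpack_from('<IIfQi', data, off + 88)
        if version == 1:  # no access counter in the Windows 7/8 layout
            access_count, (path_len,) = None, struct.unpack_from('<H', data, off + 112)
        else:
            access_count, = struct.unpack_from('<I', data, off + 116)
            path_len, = struct.unpack_from('<H', data, off + 128)
        path = data[off + fixed:off + fixed + path_len * 2].decode('utf-16-le')
        entries.append({'entry': entry_num, 'host': host, 'path': path, 'pinned': pin != -1,
                        'last_modified': filetime_to_datetime(mtime), 'access_count': access_count})
        off += fixed + path_len * 2 + (4 if version >= 3 else 0)  # v3/v4 entries end in 4 pad bytes
    return entries

def _entry(version, num, path, ft, count=0, host=b'WORKSTN1'):
    """Build one constructed entry (unused fields left zero) for the sample stream below."""
    b = bytearray(ENTRY_FIXED_SIZE[version])
    b[72:72 + len(host)] = host
    struct.pack_into('<IIfQi', b, 88, num, 0, 0.0, ft, -1)  # pin status -1 = not pinned
    if version == 1:
        struct.pack_into('<H', b, 112, len(path))
        return bytes(b) + path.encode('utf-16-le')
    struct.pack_into('<I', b, 116, count)
    struct.pack_into('<H', b, 128, len(path))
    return bytes(b) + path.encode('utf-16-le') + b'\x00' * 4

def make_sample_destlist(version=4):
    """Constructed sample stream, not captured from a real system: header plus two entries."""
    ft = 132223104000000000  # FILETIME for 2020-01-01 00:00:00 UTC
    header = struct.pack('<IIIfIIII', version, 2, 0, 0.0, 2, 0, 2, 0)
    return header + _entry(version, 1, 'C:\\Users\\alice\\Documents\\report.docx', ft, 3) \
                  + _entry(version, 2, 'E:\\backup\\clients.xlsx', ft + 36_000_000_000, 1)
```

For a real file, pass the bytes of the `DestList` stream to `parse_destlist` and correlate each entry's path and last-modified time with the Shell Item streams and other artifacts.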

Example: Parsing a JumpList with JLECmd
  • Download and run JLECmd from Eric Zimmerman’s tools.
  • Use the following command to parse a JumpList file:
    • `JLECmd.exe -f "C:\path\to\JumpListFile.automaticDestinations-ms"`
  • The tool will output the parsed data, including:
    • File paths.
    • Timestamps (e.g., last accessed time).
    • AppID and other metadata.

Common Forensic Scenarios Involving JumpLists
  • Malware Analysis:
    • JumpLists can reveal if a user executed a malicious file or application.
    • Investigators can trace the origin of the file and its execution timeline.
  • Data Exfiltration:
    • JumpLists may show evidence of files being accessed or copied to external devices.
  • User Activity Reconstruction:
    • JumpLists can help reconstruct a user’s actions, such as accessing sensitive documents or using specific applications.
  • Incident Response:
    • In cases of unauthorized access, JumpLists can provide clues about the attacker’s activities on the system.

Limitations of JumpLists
While JumpLists are valuable, they have some limitations:
  • Volatility: JumpLists can be cleared or overwritten by the system or user activity.
  • Application-Specific: Not all applications create or update JumpLists.
  • Encryption: Some JumpList data may be encrypted or obfuscated, making analysis more challenging.

Best Practices for JumpList Forensics
  • Preserve Evidence: Use write-blockers when extracting JumpList files to avoid altering the data.
  • Correlate Data: Combine JumpList analysis with other forensic artifacts (e.g., Prefetch files, Registry hives) for a comprehensive investigation.
  • Document Findings: Record all extracted data and timestamps for use in reports or legal proceedings.