Windows Jump Lists


The Windows Operating System and some software applications offer functionality designed to optimize user experience and improve performance. One such feature is known as Jump Lists.

Jump Lists were first seen with Windows 7 and were developed to facilitate access to frequently used files and folders – that is, to “jump” to recently opened objects. For example, if a user frequently accesses a folder, a quick-access entry (Jump List) to that folder is created. There are two types of Jump Lists: Automatic Destinations and Custom Destinations.

Automatic Destinations (AD) are created by the OS automatically when the user executes certain actions. They are organized by file type: for example, there are Jump Lists for MS Word, for the browser, for Excel, etc. The Excel Jump List contains the most recently opened files, while the browser Jump List contains pointers to the most recently visited URLs (Web addresses). AD files are Microsoft Compound File Binary (CFB) objects that work as a container and are similar in structure to a Windows Shortcut (LNK) file.

Custom Destinations (CD) are created by software applications or when a user pins an item to the taskbar or Start menu. These Jump Lists are not CFB containers; they are less complex and usually contain link files that can be extracted directly. A thorough parsing of Jump Lists provides a chronology of recently accessed applications and files, giving the forensic examiner yet another artifact for uncovering user actions.
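
The distinction between the two types can be checked on raw bytes. The following Python sketch is an added example, not code from the original post: it labels a Jump List file by signature and carves the LNK headers embedded in a Custom Destinations file to recover their timestamps. The signatures and header offsets come from the published CFB and Shell Link (LNK) format specifications; the function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File Binary signature
# Shell Link header start: HeaderSize 0x4C followed by the fixed LinkCLSID
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
LNK_HEADER_LEN = 0x4C

def filetime_to_utc(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, None when unset."""
    if ticks == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def classify(data):
    """Label raw Jump List bytes by container type, ignoring the file name."""
    if data.startswith(CFB_MAGIC):
        return "automatic"   # CFB container: walk its streams with a CFB parser
    if LNK_MAGIC in data:
        return "custom"      # flat file: embedded links can be carved directly
    return "unknown"

def carve_lnk_headers(data):
    """Return offset, timestamps and target size for every LNK header found."""
    hits, pos = [], data.find(LNK_MAGIC)
    while pos != -1:
        header = data[pos:pos + LNK_HEADER_LEN]
        if len(header) == LNK_HEADER_LEN:  # skip a header truncated at end of file
            _flags, _attrs, created, accessed, written, size = struct.unpack_from(
                "<IIQQQI", header, 20)
            hits.append({"offset": pos, "created": filetime_to_utc(created),
                         "accessed": filetime_to_utc(accessed),
                         "written": filetime_to_utc(written), "size": size})
        pos = data.find(LNK_MAGIC, pos + 1)
    return hits

def sample_lnk_header(ticks, size):
    """Constructed 76-byte LNK header (not taken from a real system)."""
    return LNK_MAGIC + struct.pack("<IIQQQI", 0x1, 0x20, ticks, ticks, ticks, size) + bytes(20)

# Constructed stand-in for a Custom Destinations file: filler bytes around two
# links, plus a signature cut off at end of file to exercise the truncation check.
SAMPLE_CD = (bytes(36) + sample_lnk_header(132223104000000000, 1024)
             + b"\xff" * 40 + sample_lnk_header(0, 2048) + LNK_MAGIC)

if __name__ == "__main__":
    print(classify(SAMPLE_CD))
    for hit in carve_lnk_headers(SAMPLE_CD):
        print(hit)
```

Carving by signature is only appropriate for the flat Custom Destinations layout; the entries of an Automatic Destinations file live in CFB streams that may not be contiguous on disk, so they should be read through a CFB parser.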