Jumplist
Overview
Evidence: Jumplist Description: Collect Jumplist Category: File System Platform: Windows Short Name: jumplist Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): Yes
Background
Windows Jump Lists provide evidence of recently accessed files and applications, showing user activity patterns and file access history. These lists are maintained by the Windows shell and provide valuable forensic evidence.
Data Collected
This collector gathers structured data about jumplist.
Jumplist Data
ID
Primary key (auto-increment)
1
Path
JumpList file path
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
AppID
Application ID
1b4dd67f29cb1962
AppIDDescription
Application description
Microsoft Edge
Version
JumpList version
1
NumEntries
Number of entries
10
NumPinnedEntries
Number of pinned entries
3
LastEntryNumber
Last entry number
10
Collection Method
This collector parses the necessary data from the jumplist table.
This collector collects files from the following locations:
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\
Usage
This evidence is crucial for forensic investigations as it provides user activity and file access patterns. It helps investigators understand user behavior, detect unauthorized file access, and investigate user-based attacks. The data can reveal recently accessed files, application usage, and potential data exfiltration. Analysts can use this information to identify user compromises, trace file activities, and assess user security posture.
Notes
This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
Last updated
Was this helpful?