Jumplist Files - Foren-Ken/tech-journal GitHub Wiki
JumpLists are collections of LNK files which the program associated with the JumpList uses to access resources before the program is even opened. This can be noticed when searching for "Notepad" and viewing the "Recent" files opened.
In the provided screenshot, the "Secret Note.txt", "Unique Note.txt", and "Cool Note.txt" can be seen.
By heading to the directory `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations`, it is possible to forensically recover this information by analyzing the JumpLists found within the directory. I will be using JumpList Explorer by Eric Zimmerman (Link To Guide).
Notice how the files are the same in both red highlighted boxes.
The following types of information are provided in the large pane at the top of the window:

| Artifact | Usage |
|---|---|
| Source File Name | Provides the location of the JumpList. |
| Jump List Type | Differentiates Automatic and Custom JumpLists. |
| App ID | An identifier for a specific application. Each application has its own App ID, and the same application has the same App ID on different devices. |
| App ID Description | A description provided, usually the name of the app in plaintext. |
| LNK File Count | Displays the number of LNK files stored within the JumpList. |
| File Size | Displays the size of the JumpList in bytes. |
In the small pane underneath, which I highlighted in purple, the contents of the JumpList can be seen. In the provided screenshot, the "Secret Note.txt", "Unique Note.txt", and "Cool Note.txt" can be discovered. These are the exact same files as seen before under "Recent" when looking up Notepad. The LNK files within the JumpList act almost exactly like the LNK files described in my guide on LNK Files.
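Most of the top-pane fields (source file, JumpList type, App ID, LNK count, size) can also be recovered from a copy of the directory without a GUI. The Python sketch below is an added example, not part of the original guide and not how JumpList Explorer works internally. It assumes the App ID is the file name prefix, also accepts the `.customDestinations-ms` extension (not shown on this page), and approximates the LNK count by carving for the Shell Link header signature. The sample files it writes are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# First 20 bytes of every Shell Link (LNK) header: HeaderSize 0x4C + LinkCLSID.
LNK_SIG = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Automatic JumpLists are OLE compound files, which start with this magic.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
NAME_RE = re.compile(r"^([0-9a-f]{1,16})\.(automatic|custom)Destinations-ms$", re.I)

def triage_jumplist(path):
    """Return the summary fields recoverable from one JumpList file, or None."""
    path = Path(path)
    m = NAME_RE.match(path.name)
    if not m:
        return None  # not named like a JumpList
    data = path.read_bytes()
    kind = m.group(2).capitalize()
    return {
        "source_file": str(path),
        "type": kind,
        "app_id": m.group(1).lower(),  # the file name prefix is the App ID
        # Signature carve: approximate, can include stale entries left in slack.
        "lnk_count": data.count(LNK_SIG),
        "size": len(data),
        # An Automatic file without the OLE magic is truncated, damaged or renamed.
        "container_ok": kind != "Automatic" or data.startswith(OLE_MAGIC),
    }

def triage_directory(directory):
    rows = (triage_jumplist(p) for p in sorted(Path(directory).iterdir()) if p.is_file())
    return [r for r in rows if r]

def constructed_sample():
    """Write constructed (not real) JumpList-shaped files to a temp directory."""
    d = Path(tempfile.mkdtemp())
    lnk = LNK_SIG + bytes(44)  # stand-in for one 64-byte mini-sector
    (d / "0123456789abcdef.automaticDestinations-ms").write_bytes(OLE_MAGIC + bytes(56) + lnk * 3)
    (d / "00000000000000aa.automaticDestinations-ms").write_bytes(bytes(64) + lnk)
    (d / "notes.txt").write_bytes(lnk)
    return d

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else constructed_sample()
    for row in triage_directory(target):
        print(row)
```

Run it against a forensic copy of the directory rather than the live profile, and treat a carved count that differs from the tool's LNK File Count as a prompt to look at the file more closely.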