Windows Jumplists
Windows Jumplists expose a high-fidelity history of user interactions across the operating system. They track the exact files, folders and network locations a user accessed via specific applications. For an investigator, decoding a jumplist is like reading a private diary of everything a suspect touched. It reveals not only what applications ran, but the exact target locations of the data they opened.
When you right-click on the Microsoft Word icon in your taskbar, you see a popup menu showing all the recent documents you opened. This quick-access menu is a "Jumplist." Windows saves this list in a hidden file so the menu loads instantly next time. As forensic investigators, we extract that hidden file to see exactly what secret documents you were reading last week.
General
Introduced in Windows 7, Jumplists are composed of standard OLE compound files (CustomDestinations) and structured lists of shortcut streams (AutomaticDestinations). They reside in the user's AppData directory under Microsoft\Windows\Recent\. Microsoft engineered them to enhance productivity but inadvertently created a goldmine for digital forensics. Every time an application opens a file, the Windows shell creates an internal LNK (shortcut) stream inside the Jumplist container. This effectively logs the target's MAC times, the volume serial number and the exact network or local path.
Traces
Because Jumplists are essentially containers full of shortcuts, parsing them provides a deep dive into user activity. Here is what we extract from them:
- Target Path: The absolute file or network path the user opened.
- Application ID (AppID): The hash uniquely identifying which exact application opened the file (e.g. Word, Notepad or Explorer).
- Interaction Timestamps: Detailed access dates showing precisely when the user opened the document.
- Volume Information: The serial number and drive type indicating whether the file was on a hard drive or external USB.
- Entry Type: Identifying whether the user manually pinned the item or if Windows added it automatically.
- and more.
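Because each entry in a Jumplist container is an ordinary LNK stream, the traces listed above come straight from the shell link layout (MS-SHLLINK): the ShellLinkHeader carries the target's MAC times and size, and the LinkInfo block carries the volume serial number, the drive type and the local base path. The parser below is an added example, not code from the original page; it works on one LNK stream already pulled out of the container (splitting an AutomaticDestinations compound file into its streams would need an OLE reader such as the olefile library and is not shown), and the path, label and serial number in the constructed sample are invented for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Shell link CLSID {00021401-0000-0000-C000-000000000046}, as serialized in the header
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Extract target path, volume info and MAC times from one LNK stream (MS-SHLLINK layout)."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link stream")
    ctime, atime, wtime, size = struct.unpack_from("<QQQI", data, 0x1C)
    info = {"created": filetime_to_utc(ctime), "accessed": filetime_to_utc(atime),
            "modified": filetime_to_utc(wtime), "file_size": size}
    pos = hdr_size
    if flags & 0x01:  # HasLinkTargetIDList: skip IDListSize (2 bytes) plus the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: the offsets below are relative to the LinkInfo start
        _li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath present
            drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, f"other({drive_type})")
            info["volume_serial"] = f"{serial:08X}"
            end = data.index(b"\x00", pos + base_off)
            info["target_path"] = data[pos + base_off:end].decode("cp1252")
    return info

def build_sample_lnk():
    """Constructed sample (not a real artifact): a link to a spreadsheet opened from a USB stick."""
    base_path = b"E:\\HR\\salary_review.xlsx\x00"
    label = b"USB_STICK\x00"
    # VolumeID: size, DriveType=2 (removable), invented serial 0x1A2B3C4D, label offset 16, label
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    vol_off = 28                            # LinkInfo header is 28 bytes (7 uint32 fields)
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"  # empty CommonPathSuffix
    def ft(*ymdhm):  # UTC calendar time -> FILETIME ticks
        return int((datetime(*ymdhm, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    # Header: size, CLSID, LinkFlags=HasLinkInfo, attrs, ctime, atime, wtime, size, icon, showcmd, rest
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, 0x02, 0x20,
                         ft(2024, 3, 1, 9, 0), ft(2024, 3, 5, 17, 42), ft(2024, 3, 2, 12, 30),
                         48213, 0, 1, 0, 0, 0, 0)
    return header + link_info
```

Running `parse_lnk(build_sample_lnk())` yields the target path, the removable drive type with its serial number, and the three timestamps, which is exactly the evidence the use cases below rely on.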
Forensic Use Cases
We use Jumplist artifacts to establish intent and track sensitive data movement:
- Data Exfiltration: Proving an insider threat opened sensitive files from a secure network share and copied them out.
- External Device Access: Identifying files launched from an unrecoverable or removed USB flash drive through volume serial number matching.
- Deleted File Interactions: Determining if a suspect interacted with specific illicit documents before they wiped them from the drive.
- Knowledge and Intent: Definitively proving that a specific user account deliberately clicked on and opened a document.
- and more.