What is the “Jumplists” Windows forensic artifact?
Jumplists are a feature introduced in Windows 7 to allow users to quickly re-access recently used files and perform common tasks associated with an application directly from the taskbar or Start Menu. This information is stored in two types of files located in a user’s profile: Automatic Destinations (.automaticDestinations-ms) and Custom Destinations (.customDestinations-ms), found within the %AppData%\Microsoft\Windows\Recent\ directory. Automatic Destinations are created by the OS to track recently accessed files per application, while Custom Destinations are created by applications to define their own specific lists.
The entries within Jumplists are a rich source of information about user activity and file access history. Each entry can reveal the full path of a file that was opened, the application used to open it, and timestamps indicating when the file was first and last accessed. This is extremely valuable for a DFIR investigator as it proves a user’s interaction with specific files, including those that may have been stored on network shares or removable media and are no longer present on the local system. By analyzing Jumplists, an investigator can reconstruct a user’s recent workflow, identify sensitive documents that were accessed, and uncover evidence of access to malicious files, such as a phishing document or malware dropper.
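As an added example (not TensorGuard's code and not part of the original page), this Python script inventories the Jumplist files in a collected copy of a user's Recent directory before they are handed to a full parser. It relies on details beyond the text above: the AutomaticDestinations and CustomDestinations subfolder names, the 16-hex-digit AppID file name, the OLE compound file signature of Automatic Destinations, and the shell link (.lnk) header. The sample files and AppIDs are constructed.

```python
import re, struct, tempfile
from datetime import datetime, timezone
from pathlib import Path

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE compound file signature
# Shell link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
NAME_RE = re.compile(r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.I)

def inventory(recent_dir):
    """One record per Jumplist file found under a collected Recent directory."""
    records = []
    for path in sorted(Path(recent_dir).rglob("*Destinations-ms")):
        m = NAME_RE.match(path.name)
        if not (m and path.is_file()):
            continue                      # skip names that are not <AppID>.<type>
        data = path.read_bytes()
        kind = m.group(2).lower()
        records.append({
            "app_id": m.group(1).lower(),  # identifies the owning application
            "kind": kind,
            "modified_utc": datetime.fromtimestamp(
                path.stat().st_mtime, timezone.utc).isoformat(),
            # Automatic lists are compound files; False suggests damage or tampering.
            "cfb_header": data.startswith(CFB_MAGIC) if kind == "automatic" else None,
            # Rough count of embedded shell link headers, not a full parse.
            "lnk_headers": data.count(LNK_HEADER),
            "path": str(path),
        })
    return records

def build_sample(root):
    """Write constructed (not real) Jumplist files for the demonstration."""
    auto = Path(root, "AutomaticDestinations"); auto.mkdir(parents=True)
    cust = Path(root, "CustomDestinations"); cust.mkdir(parents=True)
    body = LNK_HEADER + b"\x00" * 56      # placeholder link entry
    (auto / "0123456789abcdef.automaticDestinations-ms").write_bytes(
        CFB_MAGIC + b"\x00" * 504 + body * 2)
    (auto / "aaaaaaaaaaaaaaaa.automaticDestinations-ms").write_bytes(b"not a cfb")
    (auto / "backup.automaticDestinations-ms").write_bytes(b"bad name, ignored")
    (cust / "fedcba9876543210.customDestinations-ms").write_bytes(
        b"\x00" * 16 + body * 3)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rec in inventory(tmp):
            print(rec)
```

Run it against a copy of the evidence rather than the live profile, since opening files on the source system can itself update Jumplists.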
Collecting, Decoding, and Viewing “Jumplists” with TensorGuard
- Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
- Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
- Download the TensorGuard Forensic Collector, which is linked inside the case menu, and run it on your target system.
- In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
- Now that you have a device enrolled, select the device(s) and click “Send Signal”. Answer the questions regarding what you want to look for in the analysis, any alerting on positive findings, and whether the collection and analysis should be recurring.
- Once the report is generated, you’ll have Jumplists delivered in the browser, alongside an executive summary and timeline of findings.
