Jump List files are actually OLE files. These files (introduced with Windows 7) give access to recently accessed applications and files. They have forensic value. You can find them in C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.
The AutomaticDestinations files are the OLE files, so you can analyze them with oledump. There are a couple of tools that can extract information from these files.
Here you can see oledump analyzing an automatic Jump List file:
The stream DestList contains the Jump List data:
There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files:
The plugin takes an option (-f) to condense the information to just filenames:
Hello
I am doing work on my mtech thesis and I choose the topic ‘forensics on jumplist’ please suggest me what are the research that I can do on this topic.
Thank you
Comment by Krati — Saturday 27 February 2016 @ 19:07