Didier Stevens

Monday 3 August 2015

Jump List Forensics

Filed under: Forensics,My Software — Didier Stevens @ 0:00

Jump List files are actually OLE files. These files (introduced with Windows 7) give access to recently accessed applications and files. They have forensic value. You can find them in C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.

The AutomaticDestinations files are the OLE files, so you can analyze them with oledump. There are a couple of tools that can extract information from these files.

Here you can see oledump analyzing an automatic Jump List file:

20150712-190918

The stream DestList contains the Jump List data:

20150712-191030

There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files:

20150712-191130

The plugin takes an option (-f) to condense the information to just filenames:

20150712-191215

1 Comment »

  1. Hello
    I am doing work on my mtech thesis and I choose the topic ‘forensics on jumplist’ please suggest me what are the research that I can do on this topic.
    Thank you

    Comment by Krati — Saturday 27 February 2016 @ 19:07


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: