Windows 10 Jump List Forensics

When Microsoft released Windows 7, a new artifact was introduced to the forensic world: Jump Lists. Since that time most examiners have become used to examining this artifact and reporting on the results. Jump Lists are potentially a valuable source of evidence that can point directly to a user’s interactions with the computer.

Jump Lists In Windows 10

Jump Lists provide users a graphical indication of recent items accessed by each application.

Figure 1: View of ‘Recent’ files opened by Acrobat Reader (Windows 10)

Although Jump Lists are a function of the operating system, the service itself can be configured by the user. To better the user experience in Windows 10, the creation of Jump Lists and the recording of opened items is on by default. Users can elect to turn off the service.

Unlike previous versions of Windows, a user cannot easily change the number of items displayed in each Jump List from the default 10. Rather, users are left with a simple on/off switch.

Figure 2: Windows Settings ➔ Personalization ➔ Start. Showing Jump List settings in Windows 10

It is possible to change the number displayed, either up or down, by adding a value in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Analysis Of Jump Lists

One point that should be clear when analyzing a Windows computer is that Jump Lists are indicative of user activity.  Essentially Jump Lists track files accessed by a user, therefore they will assist in most examinations where a user’s actions on the computer are the focus of the analysis.

The actual Jump List files are created on a per-user basis and are located at the following path (the AppData directory is hidden from the user by default):

\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\

Two forms of Jump Lists are created, automatic and custom.

AutomaticDestinations-ms

Files under \Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations-ms are created automatically when a user interacts with the system, for example by opening applications or accessing files.

The actual Jump List items are contained within OLE containers that are named for the application with which the relevant file was accessed. The application ID is normally set by either the application, or the OS when the application is run.

Figure 3: Viewing hidden directory \Users\<username>\AppData\Microsoft\Windows\Recent\AutomaticDestinations-ms

CustomDestinations-ms

Files created under \Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations-ms are created when a user “pins” a file to the Start Menu or Task Bar.

Figure 4: Viewing hidden directory \Users\<username>\AppData\Microsoft\Windows\Recent\CustomDestinations-ms

AppIDs

In both AutomaticDestinations-ms and CustomDestinations-ms we see files whose names begin with an alphanumeric string that represents the application used. These AppIDs are generated for each application on the target system (unless the developer has created a custom ID). Lists of AppIDs can be found on several websites, for example, Forensic Wiki and GitHub.

Figure 5: Jump List AppIDs from https://github.com/4n6k/Jump_List_AppIDs/blob/master/4n6k_AppID_Master_List.md

For the most part, the generated AppIDs shown on these and other web pages take into account only the default installation location of applications. In other words, if the application is installed by the user in a non-standard location, the AppID may be different from the one listed. This is the case when the developer has not included their own AppID for the application and relies on the OS to generate it.
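As an added example (not part of the original post and not BlackLight code), the following Python sketch inventories Jump List files per user profile on a mounted image, takes the AppID from each file name, and checks that automatic Jump Lists start with the OLE compound file signature. It assumes the files are named `<AppID>.automaticDestinations-ms` and `<AppID>.customDestinations-ms`; the function names, the sample AppIDs and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature
KINDS = {".automaticdestinations-ms": "automatic",
         ".customdestinations-ms": "custom"}
RECENT = Path("AppData/Roaming/Microsoft/Windows/Recent")

def inventory_jump_lists(image_root, appid_names=None):
    """One record per Jump List file for every profile under <image_root>/Users."""
    appid_names = appid_names or {}  # AppID -> application name, supplied by the examiner
    records = []
    for profile in sorted(Path(image_root, "Users").iterdir()):
        recent = profile / RECENT
        if not recent.is_dir():
            continue  # profile has no Recent folder
        for path in sorted(recent.rglob("*")):
            # Match on extension so the result does not depend on folder naming.
            kind = KINDS.get(path.suffix.lower())
            if kind is None or not path.is_file():
                continue
            appid = path.stem.lower()  # the file name is the AppID
            with path.open("rb") as fh:
                header = fh.read(8)
            records.append({
                "user": profile.name, "kind": kind, "appid": appid,
                "application": appid_names.get(appid, "unknown"),
                # Only automatic Jump Lists are checked for the OLE signature.
                "ole_ok": header == OLE_MAGIC if kind == "automatic" else None,
                "modified": path.stat().st_mtime,
            })
    return records

def build_sample_image(root):
    """Constructed sample tree: AppIDs and file contents are made up."""
    recent = Path(root, "Users", "alice") / RECENT
    auto, custom = recent / "AutomaticDestinations-ms", recent / "CustomDestinations-ms"
    auto.mkdir(parents=True)
    custom.mkdir()
    (auto / "0123456789abcdef.automaticDestinations-ms").write_bytes(OLE_MAGIC + bytes(504))
    (auto / "fedcba9876543210.automaticDestinations-ms").write_bytes(b"not an OLE file")
    (custom / "0123456789abcdef.customDestinations-ms").write_bytes(bytes(16))
    Path(root, "Users", "bob").mkdir()  # profile without a Recent folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        for rec in inventory_jump_lists(tmp, {"0123456789abcdef": "Example Reader (constructed)"}):
            print(rec)
```

An automatic Jump List whose `ole_ok` is False, or an AppID that resolves to "unknown", is a file to examine by hand; the AppID lookup table is left to the examiner because listed AppIDs may not match non-default install locations.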

Jump List in BlackLight

BlackLight will automatically parse out Jump Lists from a Windows system; results can be found under Actionable Intelligence ➔ Program Execution ➔ Jump Lists.

Figure 6: Jump List as seen in BlackLight Actionable Intelligence ➔ Program Execution ➔ Jump List ➔ Preview Tab

The Target Date information (shown at the top of the image above) relates directly to the relevant file.  The second, Timestamp, is important because this is the last time this file was accessed by the user on this computer, with this application.

When a file is accessed from a removable drive, a Jump List will be created on the host Windows computer.  If that file was subsequently copied to the Windows computer and viewed again, a second Jump List will be recorded for that file.

Final Thought

Jump Lists are one of the most important forensic artifacts of recent times. Like many forensic artifacts, the intent of Jump Lists is to provide users with increased usability and convenience. However, examiners can take advantage of this service and gather critical insight into the user’s computer habits, knowledge and activities.

Make sure to subscribe to our blog to receive notification for the next post in our Windows Forensic Essentials blog series.
