Jump Lists are a Taskbar feature introduced in Windows 7 that gives the user quick access to recently accessed application files and actions.
Jump Lists come in multiple flavors:
- automatic (autodest, or *.automaticDestinations-ms) files
- custom (custdest, or *.customDestinations-ms) files
- Explorer StartPage2 ProgramsCache Registry values
The AutomaticDestinations Jump List files are located in the user profile path:
The AutomaticDestinations Jump List files are OLE Compound Files containing multiple streams of which:
- hexadecimal numbered, e.g. "1a"
Each of the hexadecimal numbered streams contains data similar to that of a Windows Shortcut (LNK). One could extract all the streams and analyze them individually with a LNK parser.
The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable-length Unicode string. The 114 bytes of the structure contain the following information at the corresponding offsets:
| Offset | Size | Description |
|---|---|---|
| 0x48 | 16 bytes | NetBIOS name of the system; padded with zeros to 16 bytes |
| 0x58 | 8 bytes | Stream number; corresponds to the numbered stream within the jump list |
| 0x64 | 8 bytes | Last modification time, contains a FILETIME structure |
| 0x70 | 2 bytes | Path string size, the number of characters (UTF-16 words) of the path string |
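The following Python parser is an added example, not code from the original page or from any of the tools listed here; it walks a DestList stream using only the header size, entry size and offsets given above, and flags truncated entries and out-of-range timestamps instead of failing. It assumes the stream has already been extracted from the compound file, that integers are little-endian and that the host name is ASCII; the sample stream, host name and paths are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE, ENTRY_SIZE = 32, 114   # sizes given in the text above
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_destlist(data):
    """Walk a DestList stream; return (entries, warnings)."""
    entries, warnings, pos = [], [], HEADER_SIZE
    while pos < len(data):
        fixed = data[pos:pos + ENTRY_SIZE]
        if len(fixed) < ENTRY_SIZE:
            warnings.append(f"truncated entry header at {pos:#x}")
            break
        # Fields at 0x58, 0x64 and 0x70; little-endian is an assumption.
        stream_no, filetime, n_chars = struct.unpack_from("<Q4xQ4xH", fixed, 0x58)
        end = pos + ENTRY_SIZE + n_chars * 2   # size counts UTF-16 words
        if end > len(data):
            warnings.append(f"path of entry at {pos:#x} runs past end of stream")
            break
        try:  # FILETIME = 100 ns ticks since 1601-01-01 UTC
            modified = EPOCH_1601 + timedelta(microseconds=filetime // 10)
        except OverflowError:  # corrupt timestamp: keep the entry, flag it
            modified = None
            warnings.append(f"timestamp out of range in entry at {pos:#x}")
        name = fixed[0x48:0x58].rstrip(b"\x00").decode("ascii", "replace")
        path = data[pos + ENTRY_SIZE:end].decode("utf-16-le", "replace")
        entries.append({"hostname": name, "stream": format(stream_no, "x"),
                        "modified": modified, "path": path})
        pos = end
    return entries, warnings

def build_entry(hostname, stream_no, modified, path):
    """Construct a sample entry; bytes not described in the table stay zero."""
    fixed = bytearray(ENTRY_SIZE)
    fixed[0x48:0x58] = hostname.encode("ascii").ljust(16, b"\x00")
    ft = int((modified - EPOCH_1601).total_seconds()) * 10_000_000
    struct.pack_into("<Q4xQ4xH", fixed, 0x58, stream_no, ft, len(path))
    return bytes(fixed) + path.encode("utf-16-le")

# Constructed sample stream: zeroed 32-byte header followed by two entries.
SAMPLE = bytes(HEADER_SIZE) + build_entry(
    "WORKSTATION01", 0x1A, datetime(2011, 8, 17, tzinfo=timezone.utc),
    r"C:\Users\alice\Documents\report.docx") + build_entry(
    "WORKSTATION01", 0x2, datetime(2011, 8, 24, 9, 30, tzinfo=timezone.utc),
    r"\\fileserver\share\budget.xlsx")

if __name__ == "__main__":
    for e in parse_destlist(SAMPLE)[0]:
        print(e["stream"], e["modified"], e["hostname"], e["path"])
```

The `stream` value is formatted as lowercase hexadecimal so that it can be matched against the name of the numbered stream holding the LNK-like data for that entry.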
The CustomDestinations Jump List files are located in the user profile path:
CustomDestinations Jump List files reportedly follow a structure of sequential MS-SHLLINK binary format segments.
- Belkasoft Evidence Center. One of the functions of this tool is searching for (including carving) and analyzing jump lists. A wide list of applications is supported (Jump list IDs).
- TZWorks LLC: Windows Jump List Parser (jmp). A tool that can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with the SHLLINK metadata. There are versions of the tool that run on Windows, Linux or Mac OS X.
- Woanware: JumpLister. Tool to view the information within the numbered streams of each autodest file.
- JumpList. Parser written in C# with support through Windows 10 jump lists.
- JLECmd. Command-line tool using the above parser.