Jump Lists

From ForensicsWiki

Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in multiple flavors:

  • automatic (autodest, or *.automaticDestinations-ms) files
  • custom (custdest, or *.customDestinations-ms) files
  • Explorer StartPage2 ProgramsCache Registry values

AutomaticDestinations

The AutomaticDestinations Jump List files are located in the user profile path:

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Files: *.automaticDestinations-ms

Structure

The AutomaticDestinations Jump List files are OLE Compound Files containing multiple streams, of which there are two kinds:

  • hexadecimal numbered, e.g. "1a"
  • DestList

Each of the hexadecimal numbered streams contains data similar to that of a Windows Shortcut (LNK). One could extract all the streams and analyze them individually with a LNK parser.

The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

Offset  Size      Description
0x48    16 bytes  NetBIOS name of the system; padded with zeros to 16 bytes
0x58    8 bytes   Stream number; corresponds to the numbered stream within the jump list
0x64    8 bytes   Last modification time, contains a FILETIME structure
0x70    2 bytes   Path string size, the number of characters (UTF-16 words) of the path string
0x72    ...       Path string
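
The layout above written out as a parser, added here as an example (it is not code from ForensicsWiki or from any of the tools listed below). It takes the raw bytes of an already extracted DestList stream, assumes little-endian integers, and runs on a constructed sample; `parse_destlist` and `build_sample_entry` are names chosen for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32      # DestList header (its contents are not described on this page)
ENTRY_FIXED = 0x72    # 114 fixed bytes precede the path string
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_destlist(data):
    """Return one dict per DestList entry; raise ValueError on truncated input."""
    entries, pos = [], HEADER_SIZE
    if len(data) < HEADER_SIZE:
        raise ValueError("stream shorter than the 32-byte header")
    while pos < len(data):
        fixed = data[pos:pos + ENTRY_FIXED]
        if len(fixed) < ENTRY_FIXED:
            raise ValueError(f"truncated entry at offset {pos:#x}")
        netbios = fixed[0x48:0x58].split(b"\x00", 1)[0].decode("ascii", "replace")
        (stream_no,) = struct.unpack_from("<Q", fixed, 0x58)  # little-endian assumed
        (mtime,) = struct.unpack_from("<Q", fixed, 0x64)
        (nchars,) = struct.unpack_from("<H", fixed, 0x70)
        path_raw = data[pos + ENTRY_FIXED:pos + ENTRY_FIXED + 2 * nchars]
        if len(path_raw) < 2 * nchars:
            raise ValueError(f"path string overruns stream at offset {pos:#x}")
        entries.append({
            "netbios": netbios,
            "stream": format(stream_no, "x"),  # name of the numbered stream, e.g. "1a"
            "modified": filetime_to_dt(mtime),
            "path": path_raw.decode("utf-16-le", "replace"),
        })
        pos += ENTRY_FIXED + 2 * nchars
    return entries

def build_sample_entry(host, stream_no, filetime, path):
    """Constructed test data only: lays out one entry using the offsets above."""
    buf = bytearray(ENTRY_FIXED)
    buf[0x48:0x58] = host.encode("ascii").ljust(16, b"\x00")
    struct.pack_into("<Q", buf, 0x58, stream_no)
    struct.pack_into("<Q", buf, 0x64, filetime)
    struct.pack_into("<H", buf, 0x70, len(path))
    return bytes(buf) + path.encode("utf-16-le")

SAMPLE = (bytes(HEADER_SIZE)  # constructed stream: zeroed header plus two entries
          + build_sample_entry("WORKSTATION1", 0x1A, 129067776000000000, r"C:\Users\test\report.docx")
          + build_sample_entry("WORKSTATION1", 0x2, 129067776600000000, r"C:\Users\test\notes.txt"))
```

The "stream" value of each entry is the name of the numbered stream to hand to a LNK parser, which is how the DestList metadata is tied back to the shortcut data.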

CustomDestinations

The CustomDestinations Jump List files are located in the user profile path:

Path: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Files: *.customDestinations-ms

Structure

CustomDestinations Jump List files reportedly follow a structure of sequential MS-SHLLINK binary format segments.

See also

External Links

Tools

  • TZWorks LLC: Windows Jump List Parser (jmp). Also has a tool that can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that can run in Windows, Linux or Mac OS-X.
  • Woanware: JumpLister. Tool to view the information within the numbered streams of each autodest file.
  • plaso