Jump List Files Are OLE Files

Published: 2015-07-12
Last Updated: 2015-07-13 04:36:47 UTC
by Didier Stevens (Version: 1)
1 comment(s)

Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files.

Here you can see oledump analyzing an automatic Jump List file:

The stream DestList contains the Jump List data:

There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files:

The plugin takes an option (-f) to condense the information to filenames:

Please post a comment if you have another Jump List tool to share.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

1 comment(s)

Comments

And to answer the question of where the files are...
The jump list files for a particular user are located in: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations and C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations . The CustomDestinations and AutomaticDestinations folders are hidden even if you have "Hide protected operating system files" turned off.

Diary Archives