Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file: The stream DestList contains the Jump List data: There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files: The plugin takes an option (-f) to condense the information to filenames: Please post a comment if you have another Jump List tool to share. Didier Stevens |
DidierStevens 649 Posts ISC Handler Jul 13th 2015 |
Thread locked Subscribe |
Jul 13th 2015 6 years ago |
And to answer the question of where the files are...
The jump list files for a particular user are located in: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations and C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations . The CustomDestinations and AutomaticDestinations folders are hidden even if you have "Hide protected operating system files" turned off. |
Anonymous |
Quote |
Jul 13th 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!