
SANS ISC: Jump List Files Are OLE Files - SANS Internet Storm Center SANS ISC InfoSec Forums

Jump List Files Are OLE Files

Jump List files are another type of file that is actually an OLE file. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files.

Here you can see oledump analyzing an automatic Jump List file:

The stream DestList contains the Jump List data:

There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files:

The plugin takes an option (-f) to condense the information to filenames:

Please post a comment if you have another Jump List tool to share.

Didier Stevens
Microsoft MVP Consumer Security
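To make the DestList stream described above concrete, here is an added example (not the oledump plugin and not code from the original diary) that parses the raw bytes of a DestList stream into entry ID, hostname, last-modified time, pin status and path. The field offsets are an assumption based on the commonly documented Windows 7/8 (version 1) layout, and the hostname, paths and timestamps in `build_sample` are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 32   # assumed header: version, entry count, pinned count, counters
ENTRY_FIXED = 114  # assumed fixed part of a version 1 entry, before the path

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_destlist(data):
    """Parse DestList stream bytes; keep what parsed if the stream is truncated."""
    if len(data) < HEADER_SIZE:
        raise ValueError("DestList stream shorter than its header")
    version, count = struct.unpack_from("<II", data, 0)
    if version != 1:
        raise ValueError("unsupported DestList version %d" % version)
    entries, pos = [], HEADER_SIZE
    for _ in range(count):
        if pos + ENTRY_FIXED > len(data):
            break
        host = data[pos + 72:pos + 88].split(b"\x00")[0].decode("ascii", "replace")
        (entry_id,) = struct.unpack_from("<Q", data, pos + 88)
        ft, pin, nchars = struct.unpack_from("<QiH", data, pos + 100)
        end = pos + ENTRY_FIXED + 2 * nchars  # path is UTF-16LE, length in characters
        if end > len(data):
            break
        entries.append({
            "entry_id": entry_id,
            "hostname": host,
            "modified": filetime_to_dt(ft),
            "pinned": pin != -1,  # assumed: 0xFFFFFFFF means not pinned
            "path": data[pos + ENTRY_FIXED:end].decode("utf-16-le", "replace"),
        })
        pos = end
    return entries

def build_sample():
    """Constructed two-entry DestList stream for the demo (not real evidence)."""
    def entry(n, path, ft, pin):
        fixed = bytes(72) + b"WORKSTATION1".ljust(16, b"\x00")
        fixed += struct.pack("<QfQiH", n, 1.0, ft, pin, len(path))
        return fixed + path.encode("utf-16-le")
    header = struct.pack("<IIIfQQ", 1, 2, 1, 2.0, 2, 2)
    return (header + entry(1, r"C:\Users\alice\Documents\report.docx", 130812192000000000, -1)
            + entry(2, r"C:\Users\alice\Desktop\notes.txt", 130812192000000000, 0))

if __name__ == "__main__":
    for e in parse_destlist(build_sample()):
        print(e["modified"].isoformat(), e["hostname"], e["path"])
```

Streams with a different version number are rejected rather than parsed with the wrong offsets, since later Windows releases changed the entry layout.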


649 Posts
ISC Handler
Jul 13th 2015
And to answer the question of where the files are...
The jump list files for a particular user are located in: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations and C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations . The CustomDestinations and AutomaticDestinations folders are hidden even if you have "Hide protected operating system files" turned off.
