|
Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file:
The stream DestList contains the Jump List data:
There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files:
The plugin takes an option (-f) to condense the information to filenames:
Please post a comment if you have another Jump List tool to share. Didier Stevens |
DidierStevens 649 Posts ISC Handler Jul 13th 2015 |
| Thread locked Subscribe |
Jul 13th 2015 6 years ago |
|
And to answer the question of where the files are...
The jump list files for a particular user are located in: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations and C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations . The CustomDestinations and AutomaticDestinations folders are hidden even if you have "Hide protected operating system files" turned off. |
Anonymous |
| Quote |
Jul 13th 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
