Forensic Friday - Jump Lists
What are Jump Lists?
Jump Lists are a Windows feature introduced with Windows 7, and they contain information about recently accessed applications and files. They also allow files and applications to be pinned to the taskbar. There are two forms of jump list that can be created in Windows.
The first form is called AUTOMATICDESTINATIONS-MS. As the name suggests, these jump lists are created automatically when the user opens a file or an application. This jump list is located in the following directory:
The second form of jump list is called CUSTOMDESTINATIONS-MS. As the name indicates, these are customized jump lists created when the user pins a file or an application. This jump list is located in the following directory:
Why are jump lists important in an investigation?
When we work on incidents that involve ransomware, the question "What did the threat actor access?" is always asked. An excellent way to answer this question is by looking at the jump lists. If the user account the threat actor used is known, an investigator can look at that account's jump lists and understand precisely what the threat actor accessed. This also gives the investigator an idea of what information might have been exfiltrated.
How to look at jump lists?
Some tools make it easier to parse jump list files. For example, at Inception Security, we use JLECmd and JumpList Explorer by Eric Zimmerman. You can download the tools here.
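For a quick sanity check on collected files before running them through a full parser, the added example below (not Inception Security's or Eric Zimmerman's code) classifies a jump list file by its extension, checks the OLE compound file signature on automatic jump lists, and carves the embedded Shell Link (LNK) headers out of custom jump lists to recover each target's size and last-write time. The AppID file name prefix and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature
# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
LNK_SIG = bytes.fromhex("4c0000000114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601) to UTC; 0 means unset."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def carve_lnk_headers(data):
    """Return (offset, target_size, target_write_time) per embedded LNK header."""
    found, pos = [], data.find(LNK_SIG)
    while pos != -1:
        if pos + 0x4C <= len(data):  # ignore a header truncated at end of file
            _ctime, _atime, wtime, size = struct.unpack_from("<QQQI", data, pos + 28)
            found.append((pos, size, filetime(wtime)))
        pos = data.find(LNK_SIG, pos + 1)
    return found

def triage(name, data):
    """Classify a jump list file by its name and check its content."""
    app_id, _, ext = name.lower().partition(".")
    if ext == "automaticdestinations-ms":
        return {"app_id": app_id, "kind": "automatic",
                "valid": data.startswith(CFB_MAGIC), "entries": []}
    if ext == "customdestinations-ms":
        entries = carve_lnk_headers(data)
        return {"app_id": app_id, "kind": "custom",
                "valid": bool(entries), "entries": entries}
    return {"app_id": None, "kind": "unknown", "valid": False, "entries": []}

def sample_lnk_header(wtime, size):
    """Constructed 76-byte Shell Link header (flags, attributes, other times zeroed)."""
    return LNK_SIG + struct.pack("<IIQQQI", 0, 0, 0, 0, wtime, size) + bytes(20)

# Constructed sample input: two headers separated by filler, not a real file.
SAMPLE_CUSTOM = (bytes(16) + sample_lnk_header(133170048000000000, 4096)
                 + b"filler" + sample_lnk_header(0, 10))

if __name__ == "__main__":
    for row in (triage("0123456789abcdef.customDestinations-ms", SAMPLE_CUSTOM),
                triage("0123456789abcdef.automaticDestinations-ms", CFB_MAGIC + bytes(504))):
        print(row)
```

The carved header fields describe the target file as it was when the entry was written; the target path itself sits in the variable-length structures after the header, which is where a full parser such as JLECmd is needed.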