Jump Lists are among the most underutilized forensic artifacts in Windows investigations. They record which files a user opened, which application opened them, and when — with full target file paths, timestamps, and volume serial numbers embedded in LNK stream data. Even after files are deleted and the Recycle Bin is emptied, Jump Lists retain the evidence of access.
What Are Jump Lists?
Jump Lists were introduced in Windows 7 as a taskbar feature allowing users to right-click a pinned application and see recently or frequently accessed files. Behind the user interface, Windows maintains two parallel stores of this data: AutomaticDestinations (system-managed) and CustomDestinations (application-managed). Both persist as files on disk and contain rich forensic metadata that survives application closure, file deletion, and system reboots.
Each Jump List file is identified by a 16-character hexadecimal AppID that maps to a specific application. For example, 5f7b5f1e01b83767 maps to Notepad, 1b4dd67f29cb1962 maps to Windows Explorer pinned items, and 12dc1ea8e34b5a6 maps to Microsoft Paint. The AppID is derived from a hash of the application’s path, meaning the same application installed at different paths will produce different AppIDs.
AutomaticDestinations files are OLE Compound File Binary Format (MS-CFB) containers. Each stream within the compound file is a complete LNK (shell link) structure containing the target file path, file size, MAC timestamps (Modified, Accessed, Created), volume information, and in many cases the NetBIOS name of the machine where the target file resides. This means every entry in a Jump List is effectively a full LNK file with all associated metadata.
AutomaticDestinations are managed by the operating system. Windows automatically adds entries when a user opens a file through an application. CustomDestinations are managed by the application itself (e.g., pinned items, custom categories in an application’s Jump List). Both are forensically valuable, but AutomaticDestinations provide the most reliable evidence of user-initiated file access.
Location & Format
| Component | Path | Description |
|---|---|---|
| AutomaticDestinations | C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ | System-managed; OLE compound files with .automaticDestinations-ms extension |
| CustomDestinations | C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ | Application-managed; custom binary format with .customDestinations-ms extension |
| Filename format | {AppID}.automaticDestinations-ms | 16-character hex AppID derived from application path hash |
OLE Compound File Structure
Each AutomaticDestinations file is an OLE Compound File (the same container format used by older Microsoft Office documents). Inside the compound file, each entry is stored in a stream named with a hexadecimal number (e.g., 1, 2, 3, ...), alongside one stream named DestList. Each numbered stream contains a complete LNK binary structure. The DestList stream is a header structure that contains metadata about each entry: an entry counter, last-access timestamps, pin status, and an access count that records how many times the user opened that particular file through the application.
Common AppID Mappings
| AppID | Application | Notes |
|---|---|---|
| 5f7b5f1e01b83767 | Notepad | Text files opened via Notepad |
| 1b4dd67f29cb1962 | Windows Explorer (pinned) | Folders pinned to taskbar |
| f01b4d95cf55d32a | Windows Explorer | Recent folder access |
| a7bd71699cd38d1c | Microsoft Word 2010+ | Documents opened in Word |
| d00655d2aa12ff6d | Microsoft Excel 2010+ | Spreadsheets opened in Excel |
| 9b9cdc69c1c24e2b | Notepad++ | Files opened in Notepad++ |
| bc0c37e84e063727 | Remote Desktop (mstsc) | RDP connection targets |
| 290532160612e071 | WinRAR | Archive files opened in WinRAR |
| b74736c2bd8cc8a5 | WinSCP | SFTP/SCP session targets |
AppIDs are not universal constants. They are derived from the application’s install path. If a user installs an application in a non-default directory, the AppID will differ from published lookup tables. Always verify AppID mappings against the specific system under investigation. Eric Zimmerman maintains a community-updated AppID list at https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt.
Embedded LNK Data
Each stream within an AutomaticDestinations file contains a complete Windows Shell Link (.lnk) binary structure as defined by the MS-SHLLINK specification. This means each Jump List entry contains the same metadata as a standalone LNK shortcut file:
- Target file path — Full path to the file that was opened, including UNC paths for network shares (e.g., \\FILESERVER01\Projects\Q4-Report.xlsx)
- MAC timestamps — Created, Modified, and Accessed timestamps of the target file at the time it was accessed (these are snapshots, not live values)
- File size — Size of the target file at time of access
- Volume serial number — Serial number of the volume where the target file resided, identifying specific drives including removable media
- Volume label and type — Drive label (e.g., “USB_BACKUP”) and type (fixed, removable, network)
- NetBIOS name — Machine name where the target file resides (for network paths)
- Distributed Link Tracking data — Machine ID, volume GUID, and file object ID used by the Distributed Link Tracking service
The MAC timestamps embedded in Jump List LNK data are point-in-time snapshots. They record the target file’s timestamps at the moment the Jump List entry was created or updated. If a file was modified between two Jump List accesses, the two entries will show different timestamps for the same file path — providing a forensic timeline of file changes.
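Reading those snapshot fields out of one numbered stream, as an added example that is not code from the original page. It parses only the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK; the sample bytes and helper names are constructed for illustration, and real input would be a stream read from the compound file (for instance with python-olefile).

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader per MS-SHLLINK section 2.1: 76 bytes, little-endian.
HEADER = struct.Struct("<I16sIIQQQIIIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means the field is unset."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse conversion, needed here only to build the constructed samples."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_link_header(stream):
    """Return the target-file snapshot held at the start of one numbered stream."""
    if len(stream) < HEADER.size:
        raise ValueError("stream is shorter than a ShellLinkHeader")
    (size, clsid, flags, attrs, created, accessed, written,
     file_size, *_unused) = HEADER.unpack_from(stream)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link (DestList stream or damaged data)")
    return {
        "created": filetime_to_dt(created),
        "accessed": filetime_to_dt(accessed),
        "modified": filetime_to_dt(written),
        "file_size": file_size,
        "link_flags": flags,
        "file_attributes": attrs,
    }


def changed_fields(older, newer):
    """Snapshot fields that differ between two entries for the same target path."""
    return sorted(k for k in ("created", "modified", "file_size") if older[k] != newer[k])


def build_sample(created, accessed, modified, file_size):
    """Constructed header bytes; real input comes from an .automaticDestinations-ms stream."""
    return HEADER.pack(0x4C, LINK_CLSID, 0, 0x20, dt_to_filetime(created),
                       dt_to_filetime(accessed), dt_to_filetime(modified),
                       file_size, 0, 1, 0, 0, 0, 0)


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Two constructed snapshots of one file: it was rewritten between the two accesses.
SAMPLE_A = build_sample(utc(2026, 1, 15, 9, 12), utc(2026, 3, 1, 8, 0), utc(2026, 3, 1, 10, 15), 18432)
SAMPLE_B = build_sample(utc(2026, 1, 15, 9, 12), utc(2026, 3, 18, 22, 41), utc(2026, 3, 18, 22, 40), 20480)

if __name__ == "__main__":
    first, second = parse_link_header(SAMPLE_A), parse_link_header(SAMPLE_B)
    print(first["modified"], "->", second["modified"], changed_fields(first, second))
```

The header check also rejects the DestList stream, which does not begin with a ShellLinkHeader and has to be parsed separately.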
DestList Stream Metadata
The DestList stream within each AutomaticDestinations file contains per-entry metadata that does not exist in standalone LNK files:
| Field | Size | Forensic Value |
|---|---|---|
| Entry ID / Counter | 4 bytes | Monotonically increasing; indicates order of access across all entries |
| Last Recorded Access | 8 bytes (FILETIME) | When the user last opened this specific file through this application |
| Access Count | 4 bytes | Number of times this file was opened through this application |
| Pin Status | Variable | Whether the entry is pinned by the user in the Jump List |
| NetBIOS Name | Variable (UTF-16) | Machine name; present even for local files on some OS versions |
What It Reveals
Jump Lists answer investigative questions that are difficult or impossible to answer with other artifacts alone:
- Which files did a user open with a specific application? — Each AppID maps to one application. The Jump List for that AppID contains every file the user opened through it.
- When was a file last accessed through a specific application? — The DestList Last Recorded Access timestamp provides per-file, per-application access times.
- How many times was a specific file opened? — The DestList Access Count field tracks repeated opens of the same file.
- Did the user access files on removable media? — Volume serial numbers and volume types in the embedded LNK data identify USB drives, external hard drives, and other removable storage — even after the media is disconnected.
- Did the user access files on network shares? — UNC paths and NetBIOS names in the LNK data prove access to specific network resources.
- What were the file’s timestamps at the time of access? — The embedded MAC timestamps are snapshots, allowing investigators to compare file state across multiple access events.
- Was a specific application ever used? — The existence of a Jump List file for an AppID proves the application was used to open files, even if the application has since been uninstalled.
- What was the original filename and path of a deleted file? — Jump List entries retain the full original path after the target file is deleted from disk and even after the Recycle Bin is emptied.
A Jump List entry for WinRAR (290532160612e071) shows the target path E:\Client_Data\Q4_financials.zip with volume label SANDISK_USB and volume type Removable. The USB drive is no longer connected to the machine. The Jump List is the only artifact proving this file was accessed from removable media. The volume serial number can be cross-referenced with SYSTEM\MountedDevices and setupapi.dev.log to confirm the specific USB device.
Forensic Use Cases
1. Insider Threat — Unauthorized File Access
An employee under investigation for intellectual property theft claims they never accessed engineering design files. The Jump List for Microsoft Word shows 14 entries pointing to \\ENGSERVER\Designs\{project}\*.docx files with access counts between 2 and 7 each. The DestList timestamps show access concentrated between 21:00 and 23:00 over a two-week period — outside normal working hours. The employee’s browser history and $UsnJrnl have been cleared, but Jump Lists were not targeted.
2. Data Staging on Removable Media
During an IP theft investigation, an employee claims they never used a USB drive at their workstation. The Jump List for WinRAR contains 8 entries pointing to F:\Staging\*.zip with volume type Removable and volume serial number 4A2B-1F8C. The same serial number appears in SYSTEM\MountedDevices mapping to a SanDisk Cruzer device. The Jump List proves both USB usage and the specific files archived to the removable drive.
3. Malware Delivery via Document
A user received a phishing email with a malicious document attachment. The document has been deleted and the email purged from the mailbox. The Jump List for Microsoft Word contains an entry for C:\Users\{user}\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\{hash}\Invoice_Q4_2026.docm. This path is the Outlook temporary attachment cache, proving the document was opened from an email attachment. The embedded MAC timestamps establish precisely when the document was opened, correlating with the malware execution timeline from other artifacts.
4. Remote Desktop Session Reconstruction
The Jump List for mstsc.exe (Remote Desktop Client, AppID bc0c37e84e063727) records every RDP target the user connected to. Each entry contains the server hostname or IP address. In a lateral movement investigation, this proves which internal systems an attacker accessed via RDP, with timestamps and access counts, even after the RDP history in the registry (HKCU\Software\Microsoft\Terminal Server Client) has been cleared.
5. Deleted Application Usage
A user installed a portable file transfer tool, used it to move files, then deleted the application entirely. No Prefetch entry exists because the application was run fewer times than the Prefetch threshold, and the executable is gone. However, the Jump List file for the application’s AppID still exists in AutomaticDestinations, containing entries for every file the application accessed. The application’s AppID can be calculated from its known path using the CRC-64 algorithm documented in Jump List research.
Acquisition Methods
Jump List files are stored in the user’s AppData\Roaming directory. On a live system, these files are not locked by the OS and can be copied directly. However, the AutomaticDestinations directory may update in real-time as the user opens files. For forensic integrity, use a forensic imaging tool or Volume Shadow Copy to capture a point-in-time snapshot. Always collect both AutomaticDestinations and CustomDestinations directories.
Live System — Direct Copy
```bat
:: Copy AutomaticDestinations for a specific user
robocopy "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" "C:\Evidence\JumpLists\Auto" /COPYALL /E

:: Copy CustomDestinations
robocopy "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" "C:\Evidence\JumpLists\Custom" /COPYALL /E

:: Collect for ALL user profiles at once
:: (typed at the cmd prompt; inside a .bat/.cmd file write %%u and %%~nu)
for /d %u in (C:\Users\*) do (
  robocopy "%u\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" "C:\Evidence\JumpLists\%~nu\Auto" /COPYALL /E
  robocopy "%u\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" "C:\Evidence\JumpLists\%~nu\Custom" /COPYALL /E
)
```
Live System — KAPE Collection
```bat
:: KAPE target for Jump Lists
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target JumpLists

:: Velociraptor VQL query for Jump Lists
:: Artifact: Windows.KapeFiles.Targets with target "JumpLists"
:: Or: SELECT * FROM glob(globs="C:/Users/*/AppData/Roaming/Microsoft/Windows/Recent/*Destinations/*")
```
Forensic Image — Direct Extraction
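```bash
# Mount the forensic image (read-only)
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# --parents keeps each file's source path (including the user name) under the
# destination, so identical AppID filenames from different profiles do not
# overwrite one another; -p preserves timestamps
mkdir -p /analysis/jumplists/auto /analysis/jumplists/custom

# Extract AutomaticDestinations for all users
find /mnt/evidence/Users/*/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/ \
  -name "*.automaticDestinations-ms" -exec cp --parents -p {} /analysis/jumplists/auto/ \;

# Extract CustomDestinations
find /mnt/evidence/Users/*/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/ \
  -name "*.customDestinations-ms" -exec cp --parents -p {} /analysis/jumplists/custom/ \;
```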
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| JLECmd | Eric Zimmerman | Free | CSV / JSON | Industry standard; parses both Auto and Custom destinations; resolves AppIDs |
| JumpListExplorer | Eric Zimmerman | Free | GUI | GUI companion to JLECmd; visual inspection of Jump List entries |
| python-olefile | Philippe Lagadec | Open source | Python API | Low-level OLE compound file parsing; useful for custom scripting |
| Autopsy | Sleuth Kit | Open source | GUI + export | Built-in Jump List parser in Recent Activity module |
| KAPE + JLECmd | Kroll / Zimmerman | Free | CSV | Automated collection and parsing pipeline |
Parsing with JLECmd
```bat
:: Parse all AutomaticDestinations files to CSV
JLECmd.exe -d C:\Evidence\JumpLists\Auto --csv C:\Analysis\JumpLists -q

:: Parse a single Jump List file with verbose output
JLECmd.exe -f C:\Evidence\JumpLists\Auto\5f7b5f1e01b83767.automaticDestinations-ms --csv C:\Analysis\

:: Parse CustomDestinations
JLECmd.exe -d C:\Evidence\JumpLists\Custom --csv C:\Analysis\JumpLists_Custom -q

:: Output columns include:
::   SourceFile, AppId, AppIdDescription, DestListVersion,
::   EntryNumber, CreationTime, LastModified, Hostname,
::   TargetCreated, TargetModified, TargetAccessed,
::   FileSize, RelativePath, WorkingDirectory, Arguments,
::   DriveType, VolumeSerialNumber, VolumeName, LocalPath,
::   NetworkPath, InteractionCount
```
Analysis Script — Identifying Removable Media Access
```python
import pandas as pd

df = pd.read_csv('/analysis/JumpLists/JLECmd_AutomaticDestinations_Output.csv')

# Filter for removable media access
removable = df[df['DriveType'] == 'Removable'].copy()

# Group by volume serial number to identify distinct USB devices
usb_summary = removable.groupby('VolumeSerialNumber').agg(
    VolumeName=('VolumeName', 'first'),
    FileCount=('LocalPath', 'nunique'),
    FirstAccess=('TargetCreated', 'min'),
    LastAccess=('LastModified', 'max'),
    # dropna() so an unresolved AppID (empty description) does not break the join
    Applications=('AppIdDescription', lambda x: ', '.join(x.dropna().unique()))
).sort_values('LastAccess', ascending=False)

print(usb_summary.to_string())
```
Sample Output
```text
VolumeSerialNumber  VolumeName   FileCount  FirstAccess       LastAccess        Applications
4A2B-1F8C           SANDISK_USB  23         2026-01-15 09:12  2026-03-18 22:41  WinRAR, Windows Explorer, Notepad++
8C3D-7E1A           BACKUP_HDD   7          2026-02-20 14:30  2026-03-01 11:15  Windows Explorer, 7-Zip
1122-AABB           (none)       3          2026-03-10 16:45  2026-03-10 17:02  Windows Explorer
```
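The same CSV can be screened for the pattern in use case 1, network-share access concentrated outside working hours. This is an added example, not part of the original page: the sample rows are constructed, and it assumes LastModified is recorded in UTC as `YYYY-MM-DD HH:MM:SS` and that the examiner supplies the user's UTC offset.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows; column names follow the JLECmd listing on this page.
SAMPLE_CSV = r"""AppIdDescription,LastModified,NetworkPath,LocalPath,InteractionCount
Microsoft Word 2010+,2026-03-03 02:14:09,\\ENGSERVER\Designs\alpha\spec.docx,,4
Microsoft Word 2010+,2026-03-04 03:40:51,\\ENGSERVER\Designs\alpha\bom.docx,,7
Microsoft Word 2010+,2026-03-04 15:05:00,\\HRSERVER\Forms\leave.docx,,1
Microsoft Word 2010+,2026-03-05 02:59:30,,C:\Users\jdoe\Documents\notes.docx,2
"""


def in_window(hour, start, end):
    """True if hour falls in [start, end); the window may wrap past midnight."""
    return start <= hour < end if start < end else hour >= start or hour < end


def after_hours_share_access(csv_text, utc_offset_hours, start=21, end=23):
    """Summarise UNC targets opened inside a local-time window, grouped by server.

    Assumption: LastModified is the DestList last-access time in UTC, so it is
    shifted by utc_offset_hours before the hour-of-day test.
    """
    servers = defaultdict(lambda: {"files": set(), "opens": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        unc = row["NetworkPath"].strip()
        if not unc.startswith("\\\\"):
            continue  # local or removable target, out of scope here
        local = datetime.fromisoformat(row["LastModified"]) + timedelta(hours=utc_offset_hours)
        if not in_window(local.hour, start, end):
            continue
        server = unc[2:].split("\\", 1)[0].upper()
        s = servers[server]
        s["files"].add(unc.lower())
        s["opens"] += int(row["InteractionCount"] or 0)
        s["first"] = local if s["first"] is None else min(s["first"], local)
        s["last"] = local if s["last"] is None else max(s["last"], local)
    return {
        name: {"files": len(s["files"]), "opens": s["opens"],
               "first": s["first"].isoformat(sep=" "), "last": s["last"].isoformat(sep=" ")}
        for name, s in servers.items()
    }


if __name__ == "__main__":
    # UTC-5 places both ENGSERVER opens in the 21:00-23:00 local window.
    print(after_hours_share_access(SAMPLE_CSV, utc_offset_hours=-5))
    # Treating the raw UTC values as local time hides the pattern entirely.
    print(after_hours_share_access(SAMPLE_CSV, utc_offset_hours=0))
```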
Retention & Persistence
| Property | Windows 7 / 8 | Windows 10 | Windows 11 |
|---|---|---|---|
| Maximum entries per AppID | ~20 (configurable via Group Policy) | ~20 default (configurable) | ~20 default (configurable) |
| Survives reboot | Yes | Yes | Yes |
| Survives target file deletion | Yes — entries remain with original path | Yes — entries remain with original path | Yes — entries remain with original path |
| Survives application uninstall | Yes — Jump List file persists on disk | Yes — Jump List file persists on disk | Yes — Jump List file persists on disk |
| Survives media disconnection | Yes — removable media entries persist | Yes — removable media entries persist | Yes — removable media entries persist |
| Purge mechanism | FIFO when max entries exceeded; oldest entries replaced | Same FIFO behavior | Same FIFO behavior |
| DestList version | Version 1 | Version 3 (added access count, new timestamp fields) | Version 4 |
The default maximum of ~20 entries per application can be modified via Group Policy (Computer Configuration > Administrative Templates > Start Menu and Taskbar > Number of recent items to display in Jump Lists). Setting this to 0 disables Jump Lists entirely. In practice, many organizations do not configure this policy, leaving the default intact. Older entries are replaced on a first-in-first-out basis when the maximum is reached.
Anti-Forensics Resilience
Jump Lists occupy an intermediate position in anti-forensics resilience. They are more resilient than browser history and Recycle Bin entries, but less resilient than SRUM.db because some cleanup tools do target the Recent directory.
| Tool | Clears Jump Lists? | Explanation |
|---|---|---|
| CCleaner | Partial | Recent Documents cleanup clears the Recent folder but may not delete AutomaticDestinations and CustomDestinations subdirectories in all configurations |
| Windows Disk Cleanup | No | Does not target user profile AppData directories |
| BleachBit | Yes (if configured) | Has a “Recent document list” cleaner that targets Jump List directories |
| Privacy Eraser | Partial | Some versions target Jump List directories; depends on configuration |
| “Clear activity history” (Windows Settings) | Yes | Windows 10/11 Settings > Privacy > Activity History > Clear clears Jump List entries |
| Manual deletion of Recent folder | Partial | Deleting Recent clears LNK files but may not clear AutomaticDestinations subdirectory |
| Prefetch cleanup | No | Prefetch and Jump Lists are independent subsystems |
| SDelete / cipher /w | No (active files) | Cannot target active user-profile files; only affects free space or specified targets |
Most users who clear their “Recent files” through the Windows Start Menu right-click clear are only removing the LNK files in %AppData%\Microsoft\Windows\Recent\. The AutomaticDestinations and CustomDestinations subdirectories are separate filesystem locations that are not cleared by this action. Many cleanup guides and even some cleanup tools miss these subdirectories entirely.
MITRE ATT&CK Detection Mapping
Jump List data provides evidentiary support for detecting the following MITRE ATT&CK techniques:
| Technique | Name | Jump List Evidence |
|---|---|---|
| T1005 | Data from Local System | Jump List entries showing access to sensitive local files; access count and timestamps prove repeated collection |
| T1074 | Data Staged | WinRAR/7-Zip Jump List entries pointing to staging directories on removable media or temp folders |
| T1039 | Data from Network Shared Drive | UNC paths in Jump List LNK data proving access to network file shares; NetBIOS names identify target servers |
| T1021.001 | Remote Desktop Protocol | mstsc.exe Jump List entries recording RDP connection targets with hostnames/IPs |
| T1052 | Exfiltration Over Physical Medium | Jump List entries with DriveType=Removable proving data was accessed from/staged to removable media |
| T1070 | Indicator Removal | Jump List entries surviving after target file deletion, Recycle Bin cleanup, and browser history clearing |
Related Artifacts & Cross-References
Corroborating Artifacts
| Artifact | Relationship to Jump Lists | Cross-Correlation Value |
|---|---|---|
| LNK Files (Recent) | Standalone shortcuts in the Recent folder; contain similar but independent LNK metadata | LNK files may be cleared while Jump List entries persist; compare for completeness |
| ShellBags | Records folder navigation in Explorer | ShellBags prove directory browsing; Jump Lists prove file opening within those directories |
| Prefetch | Confirms application execution | Prefetch proves the application ran; Jump Lists prove which files it accessed |
| $MFT / $UsnJrnl | File system metadata and change journal | $MFT timestamps corroborate Jump List file access times; $UsnJrnl shows file operations |
| UserAssist (NTUSER.DAT) | Records GUI program execution with timestamps and run counts | UserAssist confirms the application was launched; Jump Lists show which files were opened |
| SRUM.db | Network usage per application | If files were accessed over the network, SRUM can show data transfer volumes for the same application |
| SYSTEM\MountedDevices | Maps volume serial numbers to device identifiers | Cross-reference Jump List volume serial numbers to identify specific physical USB devices |
References
- Eric Zimmerman, “JLECmd — Jump List Explorer Command Line” — https://ericzimmerman.github.io/
- Microsoft, “[MS-SHLLINK]: Shell Link Binary File Format” — https://learn.microsoft.com
- Harlan Carvey, “Windows Forensic Analysis Toolkit, 4th Edition” — Jump Lists chapter
- SANS Institute, “Jump List Forensics” — https://www.sans.org/blog/
- 13Cubed, “Windows Jump Lists for DFIR” — https://www.13cubed.com/blog
- ForensicArtifacts.com, “Jump Lists Artifact Definition” — https://github.com/ForensicArtifacts/artifacts
- Microsoft, “[MS-CFB]: Compound File Binary File Format” — https://learn.microsoft.com
Mjolnir Security — Digital Forensics & Incident Response