Jump Lists

WindowsUser ActivityDisk Image

Location

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\

Description

Application-specific Jump List files (.automaticDestinations-ms) recording recently and frequently accessed files per application, with timestamps and full file paths including network shares.

Forensic Value

Jump Lists persist evidence of file access even after the files themselves are deleted. They record full UNC paths for network shares, directly supporting data exfiltration investigations by showing which remote file shares a user accessed and when. The embedded LNK metadata within each entry provides additional MAC timestamps and volume serial numbers.

Tools Required

KAPEJLECmd (Eric Zimmerman)JumpList Explorer

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target JumpLists

JLECmd

JLECmd.exe -d "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\output --csvf JumpLists.csv

PowerShell

Copy-Item "C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*" -Destination C:\output\JumpLists\

Collection Constraints

•Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1039T1005

References

Windows PowerShell Logging NTFS Change Journals Additional LSA Protection

Acquisition Methods

KAPE Triage Collection

windows — triage

FTK Imager Logical Image (AD1)

windows — logical

Velociraptor Remote Collection

windows — remote