Jump Lists

windowsUser ActivityDisk Image

Location

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\

Description

Application-specific Jump List files (.automaticDestinations-ms) recording recently and frequently accessed files per application, with timestamps and full file paths including network shares.

Forensic Value

Jump Lists persist evidence of file access even after the files themselves are deleted. They record full UNC paths for network shares, directly supporting data exfiltration investigations by showing which remote file shares a user accessed and when. The embedded LNK metadata within each entry provides additional MAC timestamps and volume serial numbers.

Tools Required

KAPEJLECmd (Eric Zimmerman)JumpList Explorer

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical