Advanced JumpLists/RecentDocs Analysis

Beyond the basic shell:recent folder, Windows maintains more persistent records of user interactions with files and applications through its Jump Lists feature. Designed to provide quick access to recently used items specific to applications (e.g., recent documents in Word, recent servers in Remote Desktop), Jump Lists store their data in dedicated files within the user's profile, typically located at %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ (containing .automaticDestinations-ms files generated automatically based on usage) and %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\ (containing .customDestinations-ms files, often populated by user pinning or application developers). Forensically, these Jump List files are significant because they often persist even if the user clears the standard shell:recent folder or associated RecentDocs registry keys (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs). Analyzing these .automaticDestinations-ms and .customDestinations-ms files can reveal a more robust history of file and folder access, potentially including interactions with renamed or extensionless files, and provide timestamps embedded within their structure. Specialized tools like JumpList Explorer (Eric Zimmerman) are designed to parse these complex file formats. Additionally, LECmd (Eric Zimmerman) can parse the individual .lnk shortcut files found not only in shell:recent but also embedded within Jump List data, extracting detailed metadata about the linked targets.