
Investigating Jump Lists

10/12/2021 Friday

The Jump Lists feature was first introduced with Windows 7 and has continued in later versions of Windows, including Windows 11. The feature is designed to provide the user with quick access to recently accessed application files and common tasks.


Digital Forensics Value of Jumplist Artifacts


The records maintained by Jump Lists are considered an important source of evidentiary information during investigations. The analysis of Jump List files can provide valuable information about users’ historic activity on the system such as file creation, access and modification. Examiners can utilize data extracted from Jump List files to construct a timeline of user activities. What makes this artifact more valuable is the fact that the information is maintained on the system long after the source file and application have ceased to exist on the system.


Location and Structure of Jumplist Artifacts


In Windows systems, two types of Jump Lists can be created: AutomaticDestinations and CustomDestinations.


Each file name consists of a 16-digit hexadecimal number, which is the AppID (Application Identifier), followed by the automaticDestinations-ms or customDestinations-ms extension. Note that these files are hidden, and browsing to them in Windows Explorer will not reveal them even if hidden items are turned on. They can be viewed by entering the full path in the Windows Explorer address bar.

AutomaticDestinations:

The AutomaticDestinations Jump List files are located in the following directory:

These Jump List files are created automatically when a user opens a file or an application. The files use the Microsoft Compound File Binary (CFB) file format, also referred to as OLE (Object Linking and Embedding) files. Each file contains individual SHLLINK streams, named with hexadecimal numbers, and a DestList stream.

CustomDestinations:

The CustomDestinations Jump List files are located in the following directory:

These are custom Jump Lists, created when a user pins a file or an application to the Taskbar or Start Menu. The structure of these files is different from that of AutomaticDestinations Jump List files: they consist of sequential entries in the MS-SHLLINK binary format.
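The naming and structure rules above can be checked against file contents during triage. The following Python sketch is an added example, not part of the original post or of ArtiFast: it validates the AppID file name pattern and compares the extension with the content signature (the CFB signature for AutomaticDestinations, embedded MS-SHLLINK headers for CustomDestinations). The function names, AppIDs and sample bytes are constructed for illustration.

```python
import re

# File name pattern as described in the article: 16 hex digits (AppID) + extension.
NAME_RE = re.compile(r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.I)
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File Binary signature
# MS-SHLLINK header start: HeaderSize 0x4C + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def count_lnk_headers(data):
    """Count shell link header signatures found in the raw bytes."""
    count, pos = 0, data.find(LNK_HEADER)
    while pos != -1:
        count += 1
        pos = data.find(LNK_HEADER, pos + len(LNK_HEADER))
    return count


def triage(name, data):
    """Describe one Jump List file; return None if the name does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    declared = m.group(2).lower()
    links = count_lnk_headers(data)
    if data.startswith(CFB_MAGIC):
        actual = "automatic"   # CFB/OLE container holding SHLLINK and DestList streams
    elif links > 0:
        actual = "custom"      # sequential MS-SHLLINK entries
    else:
        actual = "unknown"
    return {"app_id": m.group(1).lower(), "declared": declared, "actual": actual,
            "lnk_headers": links, "consistent": declared == actual}


# Constructed sample data (not real evidence): name -> file content.
SAMPLES = {
    "0123456789abcdef.automaticDestinations-ms": CFB_MAGIC + bytes(504),
    "fedcba9876543210.customDestinations-ms":
        bytes(16) + LNK_HEADER + bytes(56) + LNK_HEADER + bytes(56),
    "0123456789ABCDEF.customDestinations-ms": CFB_MAGIC + bytes(504),  # mismatch
    "notes.txt": b"hello",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", triage(name, data))
```

A file whose extension and content signature disagree, or whose content matches neither format, is worth a closer manual look before relying on parsed output.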


Analyzing Jumplist Artifacts with ArtiFast Windows


This section discusses how to use ArtiFast Windows to analyze Jumplist artifacts from Windows machines and what kind of digital forensics insight we can gain from them.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Jumplist artifacts:






Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Jumplist artifacts in ArtiFast Windows.


Jumplist Automatic Destinations Artifact


Jumplist Custom Destinations Artifact



For more information or suggestions please contact: asmaa.elkhatib@forensafe.com