Quick Access is part of File Explorer in Windows 10 and 11. It replaced the classic "Favorites" pane, which was present in Windows 7. Quick Access gives immediate access to Desktop, Downloads, Documents, and recently used files and folders from the navigation pane. Users can remove items from Quick access or set a folder to show up in Quick access. Thus, the primary purpose of Quick Access is to enhance users' experience.
Quick Access is stored as a "Jump List" binary type. In windows, File explorer privacy settings are set to store recent items in Quick Access. Therefore, analyzing Quick Access gives valuable information about the usage characteristics of the operating system and the most frequently accessed files and folders.
As mentioned earlier, the Quick Access artifact is stored in a jump list structure. In order to parse it, we must first identify the appid and then follow the jump list binary to collect details of the artifact. The default location of Quick Access is
C:\Users\[UserProfile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
This section will discuss how to use ArtiFast to extract Quick Access artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the Windows Quick Access artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Quick Access artifact in ArtiFast.
Windows Quick Access Artifact
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com