Investigating Quick Access
14/10/2022 Friday
Quick Access is part of File Explorer in Windows 10 and 11. It replaced the classic "Favorites" pane, which was present in Windows 7. Quick Access gives immediate access to Desktop, Downloads, Documents, and recently used files and folders from the navigation pane. Users can remove items from Quick access or set a folder to show up in Quick access. Thus, the primary purpose of Quick Access is to enhance users' experience.
Digital Forensics Value of Quick Access
Quick Access is stored as a "Jump List" binary type. In windows, File explorer privacy settings are set to store recent items in Quick Access. Therefore, analyzing Quick Access gives valuable information about the usage characteristics of the operating system and the most frequently accessed files and folders.
Location and Structure of Quick Access Artifact
As mentioned earlier, the Quick Access artifact is stored in a jump list structure. In order to parse it, we must first identify the appid and then follow the jump list binary to collect details of the artifact. The default location of Quick Access is
C:\Users\[UserProfile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Analyzing Quick Access Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Quick Access artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the Windows Quick Access artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Quick Access artifact in ArtiFast.
Windows Quick Access Artifact
- Application ID
- Application Name
- Destination List Version
- Last Used Entry Number
- MRU - Most Recently Used.
- Entry Number
- Host Name
- MAC Address
- Path - Path of the entry item.
- Interaction Count
- Pin Status - Whether the user pinned the file (true/false).
- File Birth Droid
- File Droid
- Volume Birth Droid
- Volume Droid
- File Size
- Relative Path
- File Attributes - File attributes(read, write, read-only).
- Header Flags
- Drive Type
- Volume Serial Number
- Volume Label
- Local Path
- Common Path
- Extra Blocks Present
- Tracker Created Date/Time
- Entry Accessed Date/Time
- Entry Created Date/Time
- Source Accessed Date/Time
- Source Modified Date/Time
- Source Created Date/Time
- Target Accessed Date/Time
- Target Modified Date/Time
- Target Created Date/Time
For more information or suggestions please contact: [email protected]
