What can a forensic analyst learn from Jump Lists?

The target path of each opened file, the last-access timestamp and access count, and the NetBIOS hostname of the machine that originally held the file.

Do Jump Lists record file access from network shares?

Yes. The DestList stream stores the originating NetBIOS hostname for every entry, which makes Jump Lists a strong source for tracking remote file access and lateral movement.

How do I parse a Jump List file?

Use Eric Zimmerman's JLECmd for command-line triage, or drop the file on the Jump List Parser homepage to decode it in the browser without uploading.

Can a user delete their Jump List history?

Yes — Taskbar Settings has a toggle to clear recent items, which truncates the per-AppID file. Windows then recreates it on the next interactive use, so absence of older entries is itself an indicator.

Jump List Forensics: A Practical DFIR Walkthrough

Jump Lists give a DFIR analyst a per-application, per-user record of file access: the full target path of each opened item, the last-access FILETIME and a monotonic access counter, the NetBIOS hostname of the machine that originally held the file, the pinned state, the application identity via its AppID, and a volume ID that can tie an entry back to a specific removable drive. Everything below is the workflow to get that data out and into a report.

What evidence Jump Lists yield

Target path of the opened item (local, UNC, or removable).
Last-access timestamp (FILETIME, UTC) and a per-entry access count.
Originating NetBIOS hostname recorded at the time of access.
Pinned state — was this item user-pinned to the Jump List.
AppID, which deterministically identifies the launching application.
Volume ID and volume label from the embedded LNK, useful for removable media correlation.
MAC times and file size of the target as observed when the LNK was written.

A 5-step DFIR workflow

Acquire. Pull %AppData%\Microsoft\Windows\Recent\AutomaticDestinations and the sibling CustomDestinations folder for each user profile. Work from a forensic image or a VSS copy — the live files are typically locked by Explorer. KAPE has a target for this; otherwise robocopy /b from a mounted shadow copy works.
Triage. List the AppIDs (filenames minus the extension) and map them to applications. Use the AppID list shipped with Eric Zimmerman's JLECmd as your reference; anything unmapped is worth a closer look because custom and portable apps generate their own AppIDs.
Parse. Extract every numbered LNK stream and the DestList rows. JLECmd produces CSV; Plaso/log2timeline emits timeline events; Autopsy surfaces them in its ingest results. For one-off review without moving the artifact off the analyst workstation, drop the file on the in-browser parser — it runs client-side and never uploads.
Correlate. Line up DestList access timestamps with the user's interactive session timeline: Security log 4624/4634 for logon and logoff, the UserAssist registry key for GUI launches, and Prefetch for process execution. Memory artifacts via Volatility can confirm the application was actually resident at the time.
Report. Cite each finding by source file, stream number, and DestList entry ID — for example, 1b4dd67f29cb1962.automaticDestinations-ms, stream 7, DestList entry 0x12. Reproducibility is what makes the finding hold up.

Cross-host evidence: the hostname field

Every DestList row carries the NetBIOS hostname of the machine where the target file was opened from. On a workstation that mounts shares from multiple servers, this field reveals which server held each opened document — without needing the server's own logs. In lateral-movement investigations, a Jump List on a compromised host frequently contains the attacker's staging server name long after the share has been unmounted.

Common pitfalls

FILETIME is 100-nanosecond intervals since 1601-01-01 UTC. Converting to Unix epoch requires subtracting 11644473600 seconds after dividing by 10^7; off-by-one-day errors here are the most common source of bad timelines.
DestList versions differ between Windows 7 (version 1) and Windows 10+ (version 3 and 4). Row sizes and field offsets change — older parsers will silently misalign on newer hosts.
Some applications (Office, Explorer) pin items aggressively and bump access counts on background indexing, so a high count is not by itself proof of repeated user interaction.
Taskbar Settings has a "Show recently opened items" toggle. Disabling it truncates the per-AppID files. The files are recreated on next use, so unexpectedly short DestLists are an indicator worth noting.

Drop a Jump List file on the parser homepage to see all of this without sending data anywhere.