Jump Lists vs ShellBags vs Prefetch: Which Artifact Answers What
The mistake is asking "what does this artifact contain" instead of "what question does this artifact answer." Containers overlap. Questions do not. When a case lands on your desk it arrives as a question, usually one of three: did this user open this file, did this user run this program, did this user go looking through these folders. Different artifacts, and reaching for the wrong one wastes hours.
This is the map I keep in my head. It is opinionated about what each source is actually good for, not a feature checklist.
"Did the user open this file?"
Start with Jump Lists. They record files opened through a participating application, and uniquely among the common artifacts they carry the NetBIOS hostname of the machine that held the file at access time, which is why they earn their keep in lateral-movement work. The limits are real though: one DestList entry stores only the last access to that target, not the full history, and a Jump List only exists for applications that talk to the shell's recent-items machinery. Plenty of software opens files without ever generating one. The DFIR walkthrough covers the field set in detail.
The Recent LNK folder (%AppData%\Microsoft\Windows\Recent) overlaps heavily, individual shortcut files for recently touched items, parseable down to the embedded target path and the LNK header timestamps. Broader application coverage than Jump Lists in some cases, but no per-app grouping and no access count.
Then corroboration. UserAssist in NTUSER.DAT (read it with the registry parser) confirms a GUI launch happened and tracks focus time. The USN journal is the file system's own record that the target existed and was created, modified, or deleted at a given time. None of these alone is "the user opened this file." Stacked, they are hard to argue with.
"Did the user run this program?"
This is Prefetch territory, not Jump Lists. Prefetch records execution: that a binary ran, the run count, the first and last eight run times on modern Windows, and the files and directories the process touched during startup. If the question is execution, Prefetch is the primary source and Jump Lists are at best a weak corroborator.
People conflate these because a Jump List implies its owning application ran. True, but indirectly, and you do not get a run count or a clean execution timeline out of it. For the execution story you want Prefetch plus UserAssist plus AmCache and ShimCache, the last two of which prove a binary was present and known to the system even when it was never executed, which is a different and sometimes more important fact.
A practical wrinkle: Prefetch can be disabled, and frequently is on SSD-era images and on servers. When it is off, the execution question leans harder on AmCache, the SRUM database for application resource usage, and the launch evidence in Jump Lists and UserAssist. So Jump Lists move up the priority list precisely when Prefetch is missing.
"Did the user browse these folders?"
ShellBags, and nothing else does this job well. ShellBags persist Explorer's per-folder view state, which means they record that a folder was navigated to in Explorer, including its name and position, and they survive the folder being deleted or the volume being unmounted. A ShellBag entry for a folder that no longer exists is one of the cleaner proofs that something was there and someone looked at it. They live in UsrClass.dat and NTUSER.DAT, so the registry parser is your tool.
What ShellBags do not give you is file-level access. They are about folders and navigation, not about which document inside the folder got opened. That is the handoff back to Jump Lists and Recent LNK.
Where they overlap, and where they lie to you
The overlap is real and useful: a removable drive plugged in, files opened off it, and folders browsed on it will leave traces in Jump Lists (target path plus volume label), ShellBags (the folders), and Prefetch (anything executed from it). Three independent artifacts converging on the same volume GUID and the same window of time is a strong correlation, and correlation across independent sources is the whole game.
The blind spots are where cases go wrong:
- Jump Lists keep only the last access per target, so "opened once" is an artifact limitation, not a fact about the user.
- Prefetch counts can be reset and the artifact disabled, so absence proves nothing.
- ShellBags can be created by automated or programmatic folder access, not just a human clicking through Explorer, so "the user browsed here" sometimes overstates it.
- All of them are user-clearable to varying degrees, and a cleared artifact has its own tell. For Jump Lists specifically, see the timeline and anti-forensics post.
The short version
If the question is files, lead with Jump Lists and Recent LNK, corroborate with UserAssist and the USN journal. If the question is execution, lead with Prefetch, corroborate with AmCache, ShimCache, and SRUM. If the question is navigation, ShellBags, and accept they will not tell you what got opened. Most real cases are all three questions at once, which is why these artifacts are worth knowing as a set rather than in isolation.
Drop a Jump List on the homepage to parse it client-side, and the rest of the forensic parser tools cover the other artifacts in this post.