Forensic analysis of recently accessed files - jumplist analysis
Part of the series (1 of 3) Windows artifact analysis. When it comes to detect recently accessed files, Windows offers wide variety of artifacts which may be helpful for enlighting forensic investigations. As there are many items -so called artifacts- exist for that particular reason, one of those artifacts, which is automatically created by Windows is called jumplist. Jumplists are system artifacts that are created to keep track of recently accessed files. As those files can be viewed typing "recent" on the run command, the list which comes up might be the whole thing. Especially during forensic investigations, it is important to make sure that all the available information is collected completely. For that very reason, all jumplist files must be reached from the custodian's computer and inspected throughly. Two types of jumplists are created when user opens up a file; automatic (.automaticDestinations-ms) file and custom (.customDestinations-ms) file. The main differenc...