🔍
Windows Forensic Handbook
  • 👋Welcome
  • Artifacts by Type
    • 🗄️Registry Artifacts
      • Amcache.hve
      • Background Activity Montitor
      • Image File Execution Options Registry Keys
      • System Resource Usage Monitor (SRUM)
      • Run/RunOnce Registry Keys
      • Tracing Registry Keys
      • Services Registry Keys
      • Select Registry Key
      • CurrentVersion Registry Key
      • ComputerName Registry Key
      • Interfaces Registry Key
      • NetworkCards Registry Key
      • TimeZoneInformation Registry Key
    • 📂Filesystem Artifacts
      • USN Journal
      • Prefetch
      • AutomaticDestinations Jumplists
      • Recycle Bin $I/$R Files
      • Task Scheduler Files
      • Windows Error Reporting Files (.WER)
      • System Resource Usage Monitor (SRUM)
    • 📅Event Log Artifacts
      • Task Scheduler Operational Log
      • TerminalServices-RDPClient
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
      • Security
        • EventID 4688: A new process has been created
        • EventID 4624: An account was successfully logged on
      • System
        • Event ID 7045: Service Installed
      • Microsoft Windows Windows Firewall With Advanced Security
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
      • TerminalServices-LocalSessionManager
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
      • TerminalServices-RemoteConnectionManager
        • EventID 1149: User Authentication Succeeded
      • Microsoft Windows Shell Core
        • EventID 9707: Command Execution Started
      • Microsoft-Windows-PowerShell
        • EventID 4104: PowerShell Script Block Logging
  • Artifacts by Activity
    • 🏃‍♂️Execution
      • Evidence of Execution
        • Prefetch
        • Amcache.hve
        • System Resource Usage Monitor (SRUM)
        • Background Activity Montitor
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • Windows Error Reporting Files (.WER)
        • Tracing Registry Keys
        • EventID 4688: A new process has been created
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
        • EventID 4104: PowerShell Script Block Logging
      • First Executed
        • Prefetch
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Tracing Registry Keys
        • Task Scheduler Operational Log
        • EventID 4104: PowerShell Script Block Logging
      • Last Executed
        • Prefetch
        • Background Activity Montitor
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Task Scheduler Operational Log
      • Command Line Options
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • EventID 4688: A new process has been created
        • EventID 9707: Command Execution Started
      • Execution Account
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • EventID 4688: A new process has been created
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
      • Parent and Child Information
        • EventID 4688: A new process has been created
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
        • EventID 4104: PowerShell Script Block Logging
      • Execution Timestamp
        • Task Scheduler Operational Log
        • EventID 9707: Command Execution Started
    • 🗒️File Activity
      • File Creation
        • USN Journal
      • File Deletion
        • USN Journal
        • Recycle Bin $I/$R Files
      • Last Modified
        • USN Journal
      • File Origin
      • File Size
        • USN Journal
        • Recycle Bin $I/$R Files
      • File Path
        • USN Journal
        • Prefetch
        • Amcache.hve
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • AutomaticDestinations Jumplists
        • Recycle Bin $I/$R Files
        • Image File Execution Options Registry Keys
        • Task Scheduler Files
        • Windows Error Reporting Files (.WER)
        • Run/RunOnce Registry Keys
        • Services Registry Keys
        • Task Scheduler Operational Log
        • Event ID 7045: Service Installed
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
      • File Hash
        • Amcache.hve
    • 👨‍🔧Account Activity
      • Account Creation Time
      • Group Membership
      • Last Login
      • Login History
        • EventID 4624: An account was successfully logged on
      • Logon ID
        • EventID 4624: An account was successfully logged on
        • EventID 4688: A new process has been created
      • Relative Identifier
      • Security Identifier
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • Recycle Bin $I/$R Files
        • EventID 4688: A new process has been created
        • EventID 4624: An account was successfully logged on
        • Event ID 7045: Service Installed
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
      • Username
        • EventID 4624: An account was successfully logged on
        • AutomaticDestinations Jumplists
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
    • 🌎Network Activity
      • Evidence of Network Activity
        • Tracing Registry Keys
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
      • Destination Identification
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
      • Source Identification
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • EventID 4624: An account was successfully logged on
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
      • Transmit Volume
        • System Resource Usage Monitor (SRUM)
      • Firewall Activity
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 4104: PowerShell Script Block Logging
      • Wireless Activity
    • 🔍Browser Activity
      • History
        • Firefox places.sqlite Database
      • Bookmarks
        • Firefox places.sqlite Database
      • Stored Passwords/Secrets
    • 🖥️System Enumeration
      • Select Registry Key
      • CurrentVersion Registry Key
      • ComputerName Registry Key
      • Interfaces Registry Key
      • NetworkCards Registry Key
      • TimeZoneInformation Registry Key
Powered by GitBook
On this page
  • Analysis Value
  • Operating System Availability
  • Artifact Location(s)
  • Artifact Parsers
  • Artifact Interpretation
  • Execution - First Executed
  • Execution - Last Executed
  • Execution - Permissions / Account
  • Execution - Evidence of Execution
  • File - Path
  1. Artifacts by Type
  2. Filesystem Artifacts

AutomaticDestinations Jumplists

Last updated 1 year ago

AutomaticDestinations are jumplist files created by Windows when an application is launched. As these are jumplist files, they are in a binary format known as Object Linking and Embedding Compound File (OLECF). AutomaticDestinations can be thought of as containers for different LNK files from which forensic evidence may be recovered.

Jumplists are used to store common/recent locations and "tasks" on the taskbar for individual programs. From a forensic perspective they are useful in identifying files and folders that were created or accessed by users.

Analysis Value

Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

✅

Server 2019

❌

Windows 10

✅

Server 2016

❌

Windows 8

✅

Server 2012

❌

Windows 7

✅

Server 2008

❌

Windows Vista

❌

Server 2003

❌

Windows XP

❌

Artifact Location(s)

  • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Artifact Parsers

  • JLECmd (Eric Zimmerman)

Artifact Interpretation

Execution - First Executed

The creation time of each AutomaticDestinations file corresponds to the first known time that an application opened a file while being executed. For instance, if a user simply opens Excel, but never opens a file, there will be no AutomaticDestinations file created. If, however, they proceed to open a file (or save a new file), an AutomaticDestinations file will be created with a creation timestamp corresponding to the time the first file was opened (or a new file was saved).

Execution - Last Executed

The modification time of each AutomaticDestinations file corresponds to the last known time that an application was executed and opened a file. For instance, the modification timestamp will change under the following example set of circumstances:

  • A user navigated to a directory using explorer and opened an Excel workbook by double-clicking on it

  • A user went to Excel on the taskbar and opened an Excel workbook listed under the Recent list.

  • A user opened Excel, and then opened a workbook from within Excel.

  • A user opened Excel, and saved a new workbook from within Excel.

The timestamp will not be updated in the case that a user simply opened Excel without opening another file.

Execution - Permissions / Account

Given that the AutomaticDestinations files are stored in a user's %AppData% directory, this effectively ties execution of an application to a particular user account. For instance, if the AutomaticDestinations file for Excel exists in the following path: C:\Users\john.doe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms, this implies that the user john.doe executed Microsoft Office Excel x64.

Execution - Evidence of Execution

The presence of an AutomaticDestinations file for an application implies that the application was executed and was used to open a file or save a new file.

File - Path

Within each AutomaticDestinations file is a list of recent files that were accessed, as well as a count of how many times each file was accessed using that specific application. Alongside this is the timestamp corresponding to the last known time each file was accessed by the application.

For instance, when using JLECmd.exe (Eric Zimmerman) to analyze an AutomaticDestinations file for Excel, the following is seen:

Processing C:\Users\john.doe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms

--- AppId information ---
  AppID: b8ab77100df80ab2
  Description: Microsoft Office Excel x64

--- DestList entries ---
Entry #: 2
  MRU: 0
  Path: C:\temp\test.xlsx
  Pinned: False
  Created on:    2023-06-24 15:53:43
  Last modified: 2023-06-24 17:56:09
  Hostname: HLPC01
  Interaction count: 2

--- Lnk information ---
  Absolute path: My Computer\C:\temp\test.xlsx

This example was produced on Windows 10, Version 10.0.19044 Build 19044

We can conclude:

  • Microsoft Office Excel x64 was executed

  • C:\temp\test.xlsx existed at some point on the local disk

  • The user john.doe executed Excel and accessed C:\temp\test.xlsx

  • C:\temp\test.xlsx was opened using Microsoft Office Excel x64

  • C:\temp\test.xlsx was accessed twice using Excel

  • The last known time Excel was used to access C:\temp\test.xlsx was at 2023-06-24 17:56:09

We can gather more information given the Creation/Modification timestamps of the AutomaticDestinations file b8ab77100df80ab2.automaticDestinations-ms itself:

  • The creation timestamp of the file b8ab77100df80ab2.automaticDestinations-ms is 2022-02-12 15:22:00, indicating that (given the AutomaticDestinations files were not deleted) Excel was first used to access files at 2022-02-12 15:22:00

  • The modification timestamp of the file is 2023-06-24 17:56:09, indicating that this was the last time Excel was used to access a file. As this is the Last modified timestamp of the entry for C:\temp\test.xlsx, we can conclude this is the last known file that Excel accessed on this system, corroborated by its MRU value of 0.

As the AutomaticDestinations file is a collection of LNK files, JLECmd offers an additional option to parse these as well through the --ld flag. We can get a lot more information this way, for example, accessing a file (Y:\Documents\new.xlsx) on a mapped network share (at 192.168.0.20):

Entry #: 3
  MRU: 0
  Path: Y:\Documents\new.xlsx
  Pinned: False
  Created on:    1582-10-15 00:00:00
  Last modified: 2023-06-24 18:06:38
  Hostname:
  Mac Address: fc:0c:00:00:00:00
  Interaction count: 4

--- Lnk information ---

--- Link information ---
Flags: CommonNetworkRelativeLinkAndPathSuffix

  Network share information
    Device name: Y:
    Share name: \\192.168.0.20\Documents
    Provider type: WnncNetLanman
    Share flags: 3

  Common path: Documents\new.xlsx
  Absolute path: My Computer\Y:\Documents\new.xlsx

This example was produced on Windows 10, Version 10.0.19044 Build 19044

In this case, the file was accessed 4 times, and the most recent time it was accessed using Excel was at 2023-06-24 18:06:38.

The file name for these artifacts are based on the AppID of the program they are related to. For example, an AutomaticDestinations entry for explorer.exe will have the prefix F01B4D95CF55D32A. Thus, the full file name would be f01b4d95cf55d32a.automaticDestinations-ms. A good resource to leverage to translate AppIDs by Eric Zimmerman can be found .

📂
First Executed
Last Executed
Execution Account
Evidence of Execution
Username
File Path
here