Jumplists

Windows Jumplist files record the files a user opened through applications on the Taskbar or Start Menu. A Jumplist is a container of embedded Shortcut (LNK) structures, so each entry carries the same target path, volume and timestamp details as a stand-alone LNK file and can serve as evidence of file interaction, including for files that have since been deleted.

There are two (2) types of Jumplist files, both stored under %APPDATA%\Microsoft\Windows\Recent. The 16 hex-character prefix of the file name is the AppID of the owning application and is reported in the `app_id` field below:

  • Custom - `*.customDestinations-ms` files in the CustomDestinations folder, holding entries the user pinned to a Taskbar application
  • Automatic - `*.automaticDestinations-ms` files in the AutomaticDestinations folder, written by Windows itself for files that are not pinned (recent and frequent items)

TOML Collection

system = "windows"

[output]
name = "jumplists_collection"
directory = "./tmp"
format = "jsonl"
compress = false
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "jumplists"
[artifacts.jumplists]
# Optional
# alt_drive = 'C'

Collection Options

  • alt_drive Expects a single character value. Will use an alternative drive letter when parsing Jumplists. This configuration is optional. By default artemis will use the %systemdrive% value (typically C)

Output Structure

An array of Jumplists entries

export interface Jumplists {
  /**Path to Jumplist file */
  path: string;
  /**Jumplist type. Custom or Automatic */
  jumplist_type: string;
  /**Application ID for Jumplist file */
  app_id: string;
  /**Metadata associated with Jumplist entry */
  jumplist_metadata: DestEntries;
  /**Shortcut information for Jumplist entry */
  lnk_info: Shortcut;
}

/**
 * Metadata associated with Jumplist entry
 */
interface DestEntries {
  /**
   * Domain Relative Object Identifier (DROID) of the volume holding the lnk target, assigned by the Distributed Link Tracking service and used to relocate the target
   */
  droid_volume_id: string;
  /**
   * DROID of the target file object on that volume
   */
  droid_file_id: string;
  /**
   * Volume DROID recorded when the target was created (the "birth" value); differs from droid_volume_id if the file was later moved to another volume
   */
  birth_droid_volume_id: string;
  /**
   * File DROID recorded when the target was created; it does not change on moves, so it can tie entries from different Jumplists or LNK files to the same file
   */
  birth_droid_file_id: string;
  /**Hostname associated with Jumplist entry */
  hostname: string;
  /**Jumplist entry number */
  entry: number;
  /**Last modified timestamp of the DestList entry (updated when the entry is accessed again) in UNIXEPOCH seconds */
  modified: number;
  /**Status if Jumplist entry is pinned. `Pinned` or `NotPinned` */
  pin_status: string;
  /**Path associated with Jumplist entry */
  path: string;
}
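The following script ties the two halves of this page together: it derives the Jumplist type and AppID from the on-disk file name described in the types section, and triages records in the `jumplists` JSONL output described in the Output Structure (consistency check, a sorted timeline, and entries written on another host). It is an added example, not artemis code. The three records, the DROID GUIDs, the host names and the target paths are constructed sample data; `lnk_info` is left empty because the `Shortcut` type is not documented here.

```python
"""Triage helpers for artemis `jumplists` JSONL output.

Added example for this page; not part of artemis. It assumes the
Jumplists / DestEntries record layout documented above and Windows'
on-disk naming of Jumplist files.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# On disk a Jumplist is <AppID>.automaticDestinations-ms or
# <AppID>.customDestinations-ms; AppID is a 16 hex-digit application hash.
_JUMPLIST_NAME = re.compile(
    r"(?P<app_id>[0-9a-f]{16})\.(?P<kind>automatic|custom)Destinations-ms$",
    re.IGNORECASE,
)


def classify_jumplist(path: str) -> Optional[Tuple[str, str]]:
    """Return (jumplist_type, app_id) derived from a Jumplist file name, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _JUMPLIST_NAME.match(name)
    if not m:
        return None
    kind = "Custom" if m.group("kind").lower() == "custom" else "Automatic"
    return kind, m.group("app_id").lower()


def _record(path, jtype, app_id, entry, modified, pin, host, target) -> Dict:
    # Builds a constructed sample record; the DROID GUIDs are placeholders.
    return {
        "path": path,
        "jumplist_type": jtype,
        "app_id": app_id,
        "jumplist_metadata": {
            "droid_volume_id": "00000000-0000-0000-0000-000000000001",
            "droid_file_id": "00000000-0000-0000-0000-000000000002",
            "birth_droid_volume_id": "00000000-0000-0000-0000-000000000001",
            "birth_droid_file_id": "00000000-0000-0000-0000-000000000002",
            "hostname": host,
            "entry": entry,
            "modified": modified,
            "pin_status": pin,
            "path": target,
        },
        "lnk_info": {},  # Shortcut fields omitted in this constructed sample
    }


_RECENT = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent"
# Constructed sample output (three records), not a real collection.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    _record(_RECENT + r"\AutomaticDestinations\0123456789abcdef.automaticDestinations-ms",
            "Automatic", "0123456789abcdef", 3, 1700000000, "NotPinned",
            "ws-lab01", r"C:\Users\alice\Documents\invoice.xlsx"),
    _record(_RECENT + r"\CustomDestinations\fedcba9876543210.customDestinations-ms",
            "Custom", "fedcba9876543210", 1, 1700003600, "Pinned",
            "ws-lab01", r"\\fileserver\share\payroll.docx"),
    _record(_RECENT + r"\AutomaticDestinations\0123456789abcdef.automaticDestinations-ms",
            "Automatic", "0123456789abcdef", 1, 1699990000, "NotPinned",
            "ws-old07", r"E:\backup\notes.txt"),
])


def load_jumplist_entries(jsonl_text: str) -> List[Dict]:
    """Parse artemis `format = "jsonl"` output: one Jumplists record per line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def check_consistency(records: List[Dict]) -> List[str]:
    """Report records whose jumplist_type/app_id disagree with the file they came from."""
    problems = []
    for rec in records:
        derived = classify_jumplist(rec["path"])
        if derived != (rec["jumplist_type"], rec["app_id"].lower()):
            problems.append(f"{rec['path']}: reported {rec['jumplist_type']}/"
                            f"{rec['app_id']}, file name says {derived}")
    return problems


def build_timeline(records: List[Dict]) -> List[Dict]:
    """One row per DestList entry, oldest `modified` first (UNIXEPOCH seconds -> UTC)."""
    rows = []
    for rec in records:
        meta = rec["jumplist_metadata"]
        ts = datetime.fromtimestamp(meta["modified"], tz=timezone.utc)
        rows.append({
            "modified": meta["modified"],
            "utc": ts.strftime("%Y-%m-%d %H:%M:%S"),
            "app_id": rec["app_id"],
            "jumplist_type": rec["jumplist_type"],
            "entry": meta["entry"],
            "pin_status": meta["pin_status"],
            "hostname": meta["hostname"],
            "target": meta["path"],
        })
    rows.sort(key=lambda r: (r["modified"], r["app_id"], r["entry"]))
    return rows


def foreign_host_entries(records: List[Dict], local_hostname: str) -> List[Dict]:
    """Rows whose DestList hostname is not the examined machine (heuristic: the entry
    was written while the profile lived elsewhere, e.g. a roaming or copied profile)."""
    local = local_hostname.lower()
    return [r for r in build_timeline(records) if r["hostname"].lower() != local]


if __name__ == "__main__":
    recs = load_jumplist_entries(SAMPLE_JSONL)
    for p in check_consistency(recs):
        print("WARN", p)
    for row in build_timeline(recs):
        print(row["utc"], row["jumplist_type"], row["app_id"], row["pin_status"],
              row["hostname"], row["target"])
```

Point `load_jumplist_entries` at the `jumplists_collection.jsonl` produced by the TOML above instead of `SAMPLE_JSONL` to run it on real output; the hostname check needs the examined machine's name passed explicitly, since artemis records the name stored in each DestList entry, not the collecting host.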