A forensic insight into Windows 10 Jump Lists

The records maintained by Jump Lists have the potential to provide a rich source of evidence about users’ historic activity to the forensic investigator. The structure and artifacts recorded by Jump Lists have been widely discussed in various forensic communities since its debut in Microsoft Windows 7. However, this feature has more capabilities to reveal evidence in Windows 10, due to its modified structure. There is no literature published on the structure of Jump Lists in Windows 10 and the tools that can successfully parse the Jump Lists in Windows 7/8, do not work properly for Windows 10. In this paper, we have identified the structure of Jump Lists in Windows 10 and compared it with Windows 7/8. Further, a proof-of-concept tool called JumpListExt (Jump List Extractor) is developed on the basis of identified structure that can parse Jump Lists in Windows 10, individually as well as collectively. Several experiments were conducted to detect anti-forensic attempts like evidence destruction, evidence modification and evidence forging carried out on the records of Jump Lists. Furthermore, we demonstrated the type of artifacts recorded by Jump Lists of four popular web browsers with normal and private browsing mode. Finally, the forensic capability of Jump Lists in Windows 10 is demonstrated in terms of activity timeline constructed over a period of time using Jump Lists.