Following on from the previous [DFIR TOOLS] posts.
- [DFIR TOOLS] Timeline Explorer, what is it & how to use!
- [DFIR TOOLS] AmcacheParser, what is it & how to use
- [DFIR TOOLS] AppCompatCacheParser, what is it & how to use!
- [DFIR TOOLS] bstrings, what is it & how to use!
- [DFIR TOOLS] EvtxECmd, what is it & how to use!
- [DFIR TOOLS] Hasher, what is it & how to use!
First lets see what JumpLists are?
Jump Lists are a feature in Microsoft Windows that provide quick access to recently used files, tasks, and specific actions associated with a particular application or program. They were introduced in Windows 7 and have been present in subsequent versions of the operating system.
Here’s how Jump Lists work and what they offer:
- Quick Access to Recent Items: Jump Lists are typically associated with icons on the Windows taskbar, Start menu, or the taskbar notification area. When you right-click on an icon, a context menu called the Jump List appears. This list displays recently opened files or tasks related to that specific application. For example, if you right-click on the Microsoft Word icon, you might see a list of recently opened Word documents.
- Pinned Items: You can also pin items to a Jump List, which means you can add specific files or tasks to the list for easy access. These pinned items remain on the list even if they are not the most recently used items.
- Common Tasks: Jump Lists often include common tasks or actions associated with the application. These tasks can vary depending on the program but might include options like creating a new document, opening a new window, or accessing settings.
- Customization: Some applications allow you to customize their Jump Lists. For example, in the case of web browsers like Microsoft Edge or Google Chrome, you might find options to quickly open your favorite websites or bookmarks.
- Privacy and Security: Jump Lists respect privacy and security settings. If you have sensitive documents you don’t want others to see, make sure to manage your Jump List settings and clear recent items as needed.
Jump Lists are designed to streamline your workflow by providing quick access to frequently used files and tasks without the need to open the application first. They can be particularly useful for improving productivity and efficiency in your daily computing tasks.
Introduction to JLECmd
JLECmd is a powerful tool created by Eric Zimmerman for parsing JumpList files on Windows. JumpLists are native to the Windows operating system and can provide valuable insights into file access history. This tool is particularly useful for digital forensics and incident response professionals, as well as law enforcement and the private sector, for investigating file access and user activity.
Use Cases
Law Enforcement: JLECmd can be used by law enforcement agencies to parse JumpLists, providing valuable evidence of file access attributed to specific user accounts. This information can be crucial in criminal investigations, revealing when a file was last accessed.
Private Sector: In the private sector, JLECmd is a valuable tool for parsing JumpLists to determine file access by specific user accounts. It can be used alongside other forensic artifacts like Shellbags and LNK files to investigate unauthorized access and threat actor activity.
JLECmd Switches
JLECmd provides various command-line switches to customize its behavior. Below is a list of the most commonly used switches:
- -f <file>: Specifies the JumpList file to process (required).
- -d <directory>: Specifies the directory to recursively process (required).
- –all: Processes all files in the directory, not just files with specific extensions.
- –csv <csv>: Saves results in CSV format to the specified directory (required unless using –json or –de).
- –csvf <csvf>: Specifies the name of the CSV file to save results (overrides default).
- –json <json>: Saves results in JSON format to the specified directory. Use –pretty for a more human-readable lout.
- –html <html>: Saves results in XHTML format to the specified directory (be sure to include the full path in double quotes).
- –pretty: When exporting to JSON, uses a more human-readable layout.
- -q: Only shows the filename being processed instead of all output (useful for speeding up exporting to JSON or CSV).
- –ld: Includes more information about LNK files.
- –fd: Includes full information about LNK files; alternatively, you can use –dumpTo and process with LECmd.
- –appIds <appIds>: Path to a file containing AppIDs and descriptions (appid|description format). New appIds are added to the built-in list.
- –dumpTo <dumpTo>: Specifies the directory to save exported LNK files.
- –dt <dt>: Sets the custom date/time format to use when displaying timestamps.
- –mp: Displays higher precision for timestamps.
- –withDir: Shows the contents of directories not accounted for in DestList entries.
- –debug: Shows debug information during processing.
- –trace: Shows trace information during processing.
- –version: Displays the tool’s version information.
- -?, -h, –help: Shows help and usage information.
JLECmd Command Examples
Here are some examples of how to use JLECmd for various tasks:
Parse a single JumpList and view results in the console:
.\JLECmd.exe -d C:\Users\Muldwych\AppData\Roaming\Microsoft\Windows\Recent –all
Parse a single JumpList and output results to CSV at a specified location:
.\JLECmd.exe -f C:\Users\Muldwych\AppData\Roaming\Microsoft\Windows\Recent-\0f84c0223414a84ccaae529c25147153a7c12b6427bb9e00d2f2219118657baf.zip.lnk –csv C:\Tools\net6\JLECmd
Parse a single JumpList, output to JSON in pretty format:
.\JLECmd.exe -f C:\Users\Muldwych\AppData\Roaming\Microsoft\Windows\Recent-\0f84c0223414a84ccaae529c25147153a7c12b6427bb9e00d2f2219118657baf.zip.lnk –json C:\Tools\net6\JLECmd –pretty
Parse a directory, output to CSV at a specified location, output to HTML at a specified location, and output to XML while only showing the filename being processed (used to speed up processing):
JLECmd.exe -d “C:\Temp” –csv “c:\temp” –html c:\temp –xml c:\temp\xml -q
Parse all files in a directory (regardless of presence of .JumpList extension):
.\JLECmd.exe -d C:\Users\Muldwych\Downloads –all
Parse a JumpList and include LNK details:
.\JLECmd.exe -f C:\Users\Muldwych\AppData\Roaming\Microsoft\Windows\Recent-\20231008092234_LECmd_Output.csv.lnk –ld
Parse a JumpList and include full LNK file details:
\JLECmd.exe -f C:\Users\Muldwych\AppData\Roaming\Microsoft\Windows\Recent-\20231008092234_LECmd_Output.csv.lnk –fd
Parse a JumpList, customize AppIDs, and specify a custom date/time format:
\JLECmd.exe -f C:\Users\Muldwych\AppData\Roaming\Microsoft\Windows\Recent-\20231008092234_LECmd_Output.csv.lnk –appIds “C:\temp\AppIDs.txt” –dt “yyyy-MM-dd HH:mm:ss”
These examples should help you get started with using JLECmd to parse JumpList files and analyze the resulting data. JLECmd is a versatile tool that can be tailored to various forensic and investigative needs.
Additional Resources
For more information and updates about JLECmd, you can visit Eric Zimmerman’s GitHub repository: https://github.com/EricZimmerman/JLECmd.
Disclaimer
JLECmd is a powerful forensic tool, and its usage should comply with all legal and ethical guidelines. Always obtain proper authorization before using it for investigations, and ensure you have the necessary permissions to access and analyse the relevant data.