Recovery of Forensic Artifacts from Deleted Jump Lists

Jump lists, which were introduced in the Windows 7 desktop operating system, have attracted the interest of researchers and practitioners in the digital forensics community. The structure and forensic implications of jump lists have been explored widely. However, little attention has focused on anti-forensic activities such as jump list evidence modification and deletion. This chapter proposes a new methodology for identifying deleted entries in the Windows 10 AutoDest type of jump list files and recovering the deleted entries. The proposed methodology is best suited to scenarios where users intentionally delete jump list entries to hide evidence related to their activities. The chapter also examines how jump lists are impacted when software applications are installed and when the associated files are accessed by external storage devices. In particular, artifacts related to file access, such as the lists of most recently used and most frequently used files, file modification, access and creation timestamps, names of applications used to access files, file paths, volume names and serial numbers from where the files were accessed, can be recovered even after entries are removed from the jump lists and the software applications are uninstalled. The results demonstrate that the analysis of jump lists is immensely helpful in constructing the timelines of user activities on Windows 10 systems.