Abstract
Windows 10 Jump List and Link File Artifacts - Saved, Copied and Moved
Highlights
Since Windows 7, Jump Lists and LNK Files have been a valuable source for computer user activity to forensic investigators.
Windows users can create shortcut files on the systems they use.
Shortcut files are most often referred to as Link files by forensic analysts based on their .lnk file extension.
Windows 10 Jump List and LNK Files continue to be a source for forensic analysts to document user file and folder activity.
Summary
Since Windows 7, Jump Lists and LNK Files have been a valuable source for computer user activity to forensic investigators. The Microsoft Word Jump List entries were created or updated (Last Access Date/Time) when the original file was opened from its original location, and when the newly saved file was saved to the new device location. Quick Access Jump List entries for the newly saved file location recorded different data based on the file type: For Microsoft Word files, the target file created timestamp, modified timestamp, and the target file size were not recorded. Windows 10 did not create LNK Files for any of the following user activities: The opening of folders ‘X-Ways Forensics 19.9’ from the Dell XPS desktop and access to the Z: drive (DS218+ server). In the Session Three test, the analysis of LNK files and Jump List entries shows that those two artifacts report similar data for files which are opened and saved using a different name on a different device. Control-Enter to select Interview.docx and Desktop_Excel_SaveAs.xlsx files.
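The target created timestamp, modified timestamp and file size mentioned above are stored in the 76-byte ShellLinkHeader defined in MS-SHLLINK, which opens every .lnk file and every link stream embedded in a Jump List. The following is an added example, not code from the paper: it parses that header and reports which target fields an entry left unrecorded. The function names are hypothetical, the sample headers are constructed, and extracting link streams from a Jump List container is assumed to be done elsewhere.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK): 76 bytes, little-endian, at offset 0 of a .lnk
# file and of each embedded link stream inside a Jump List.
HEADER = struct.Struct("<I16sIIQQQIiIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not recorded'."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """Inverse of from_filetime, used only to build the constructed samples."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def parse_header(data):
    """Return the target-file metadata stored in a ShellLinkHeader."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ShellLinkHeader")
    size, clsid, _flags, _attrs, ctime, atime, wtime, fsize, *_ = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    return {"created": from_filetime(ctime), "accessed": from_filetime(atime),
            "modified": from_filetime(wtime), "size": fsize}

def unrecorded(meta):
    """Names of target fields the entry left empty (zero timestamp or size).
    A size of 0 is ambiguous: it can also describe a genuinely empty file."""
    return sorted(name for name, value in meta.items() if not value)

def build_sample(created, accessed, modified, size):
    """Constructed test header; link flags and attributes are left at zero."""
    ticks = [to_filetime(t) if t else 0 for t in (created, accessed, modified)]
    return HEADER.pack(0x4C, LINK_CLSID, 0, 0, *ticks, size, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    t = datetime(2020, 1, 1, tzinfo=timezone.utc)
    samples = {"full entry": build_sample(t, t, t, 4096),
               "sparse entry": build_sample(None, t, None, 0)}
    for label, raw in samples.items():
        meta = parse_header(raw)
        print(label, meta, "unrecorded:", unrecorded(meta))
```

When comparing an LNK file against the matching Jump List entry, run both through the same parser and compare the `unrecorded` output before drawing conclusions from a missing timestamp.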