
EnCase App Central


Link File & Jump List Parser

This script is designed to parse shortcut-link streams as defined by the Microsoft [MS-SHLLINK] document specification V2, which was released on 14 December 2011.

The script will parse the streams contained in 'lnk', 'customDestinations-ms' and 'automaticDestinations-ms' files specified by the user.

The 'customDestinations-ms' and 'automaticDestinations-ms' files are used to implement the jump-lists introduced with Windows 7.

Jump-lists extend the functionality of menu-items shown on the Windows start menu and task bar.

Jump-lists allow for additional application-control options, but their forensic significance lies in the fact that they track recent file-activity over a significant length of time. This may include activity not tracked by other areas of the operating system, for instance the shortcut-link files maintained in a user's 'Recent' folder.

Jump-lists also contain information that may enable the examiner to identify exactly which applications have been used to open a particular file.

The 'automaticDestinations-ms' file is a compound file as defined by the Microsoft [MS-CFB] Compound Binary File specification document. Shortcut-link streams stored in these files each have a name that is an index number in hex format.

Each 'automaticDestinations-ms' file will also contain one additional stream called 'DestList'. This is believed to act as a most-recently-used (MRU) index-list and will contain an entry for each sibling stream. Each entry will contain a Windows DATETIME stamp, which usually represents the time the associated item was last opened.

The exact format of the 'customDestinations-ms' file isn't known but research has shown it to contain a concatenated list of shortcut-link streams.

Both the 'automaticDestinations-ms' and 'customDestinations-ms' files are named using an application ID or hash that links their content to a particular application, process or function.
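The two points above (concatenated shortcut-link streams in a 'customDestinations-ms' file, and the application ID carried in the file name) can be illustrated with the following added example, which is not the EnScript's own code. It scans a buffer for the fixed ShellLinkHeader signature from [MS-SHLLINK] and decodes each header's timestamps; the function names, the sample bytes and the sample file name are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader per [MS-SHLLINK]: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
SIGNATURE = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HEADER = struct.Struct("<I16sIIQQQIiIHHII")  # 76 bytes, little-endian
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None


def carve_link_headers(blob):
    """Return one dict per complete ShellLinkHeader found anywhere in blob."""
    found, pos = [], blob.find(SIGNATURE)
    while pos != -1:
        if pos + HEADER.size <= len(blob):  # skip a header truncated at EOF
            f = HEADER.unpack_from(blob, pos)
            found.append({
                "offset": pos,
                "link_flags": f[2],
                "created": filetime_to_dt(f[4]),
                "accessed": filetime_to_dt(f[5]),
                "modified": filetime_to_dt(f[6]),
                "target_size": f[7],
            })
        pos = blob.find(SIGNATURE, pos + 1)
    return found


def app_id_from_name(filename):
    """Assumption: the application ID is the file-name part before the extension."""
    return filename.split(".", 1)[0].lower()


def make_header(when, size):
    """Build a constructed 76-byte header for the sample below."""
    ft = int((when - EPOCH).total_seconds()) * 10_000_000
    return HEADER.pack(0x4C, SIGNATURE[4:], 0, 0x20, ft, ft, ft, size, 0, 1, 0, 0, 0, 0)


# Constructed sample: filler bytes around two headers (not a real jump-list file).
WHEN = datetime(2015, 2, 5, 12, 0, tzinfo=timezone.utc)
SAMPLE = b"\x02\x00\x00\x00" + make_header(WHEN, 1024) + b"\xAB" * 40 + make_header(WHEN, 0)
```

Signature scanning finds only the start of each stream; the data that follows a header (ID list, link info, string data, extra data blocks) still has to be parsed according to the LinkFlags value.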

Lists of application IDs are available for download from the Internet. This script contains an embedded, tab-delimited application-ID list called 'Jump List App ID List.txt' created using the information available at the following URL on the 5th of February 2015:

http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs

When this script is executed, it will extract a copy of the embedded application-ID-list into the same folder as itself provided that a file of the same name doesn't already exist.

The embedded application-ID list is provided as a convenience and is used at the examiner's own risk. The list can be edited as needed or another list used in its place. Using an application-ID list is not obligatory.

The output of the script is in the form of a tab-delimited spreadsheet file that can be opened using Microsoft Excel or another compatible application. Note that a small amount of additional formatting may be necessary if any values in the output file aren't displayed correctly.


Version: 3.0.1
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

15187 DOWNLOADS
