RDP, Prefetch, LNK, Jump Lists

Remote Desktop Protocol (RDP), Prefetch files, LNK shortcuts, and Jump Lists are four of the most important artifacts in Windows forensics. They provide clear evidence of user activity, remote access, program execution, file access, and navigation history. Understanding how each artifact works and where it is stored helps investigators build accurate timelines and detect suspicious behavior on a Windows system.

This chapter explains each artifact in detail, along with storage paths, forensic value, and analysis methods.


RDP (Remote Desktop Protocol) Forensics

RDP artifacts help determine if someone accessed the system remotely. Attackers frequently use RDP for lateral movement or unauthorized access, making these artifacts critical.

Key RDP Indicators

1. Successful & Failed Login Events

Found in:
Security.evtx

Important event IDs:

  • 4624 (Logon Type 10) – Successful RDP login

  • 4625 – Failed login attempt

  • 4648 – Logon using explicit credentials

  • 4778 – RDP session reconnect

  • 4779 – RDP session disconnect

These events reveal login attempts, success/failure status, and timestamps.
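As an added example (not part of the original chapter), the following Python pulls RDP logons out of Security.evtx records exported as XML: it keeps only 4624/4625 events whose LogonType is 10 and tags each as a success or failure. The records are constructed for illustration; the element layout follows the standard `wevtutil qe Security /f:xml` output.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not real log data): three Security.evtx records in the XML
# shape produced by `wevtutil qe Security /f:xml`, wrapped in a root element.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T02:15:07.000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
 <Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.5.23</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T02:16:40.000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.5.40</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4625</EventID><TimeCreated SystemTime="2024-03-01T02:14:51.000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="TargetUserName">administrator</Data><Data Name="TargetDomainName">WS01</Data>
 <Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.5.23</Data></EventData></Event>
</Events>"""

def parse_logon_events(xml_text):
    """Flatten 4624/4625 records into dicts; other event IDs are skipped."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        event_id = system.findtext("e:EventID", namespaces=NS)
        if event_id not in ("4624", "4625"):
            continue
        # EventData is a flat list of <Data Name="..."> elements; index them by Name
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "event_id": int(event_id),
            "logon_type": int(data.get("LogonType", "0")),
            "user": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
            "ip": data.get("IpAddress", ""),
        })
    return records

def rdp_activity(xml_text):
    """Keep only RDP (Logon Type 10) logons and failures, oldest first."""
    hits = [r for r in parse_logon_events(xml_text) if r["logon_type"] == 10]
    for r in hits:
        r["outcome"] = "success" if r["event_id"] == 4624 else "failure"
    return sorted(hits, key=lambda r: r["time"])
```

A failed Type 10 logon followed shortly by a successful one from the same source address, as in the sample, is the pattern worth pulling into the timeline alongside the 4778/4779 session events.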


2. RDP Cache Files

Location:
C:\Users\<User>\AppData\Local\Microsoft\Terminal Server Client\Cache\

Files here store:

  • Remote desktop thumbnails

  • Cached images of remote sessions

Useful when identifying accessed remote systems.


3. Default.rdp File

Location:
C:\Users\<User>\Documents\Default.rdp

Contains:

  • Last connection settings

  • Hostnames/IP addresses

  • Screen resolution

Useful for pinpointing the last-used RDP target.


4. Firewall Logs & Network Logs

RDP default port: 3389

Firewall logs show inbound and outbound RDP connections.


Prefetch Forensics

Prefetch files store evidence of program execution.
Every time a program starts, Windows creates or updates a .pf file.

Prefetch Location

C:\Windows\Prefetch\

Example:
NOTEPAD.EXE-2F17B2CE.pf

What Prefetch Contains

  • Program name

  • Execution count (number of times the program has run)

  • Last execution timestamp

  • List of files accessed during launch

  • DLL dependencies
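As an added example (not code from the original chapter), this Python reads the fields listed above from the header of a version-23 (Windows 7) prefetch file, and shows how the on-disk name such as NOTEPAD.EXE-2F17B2CE.pf is formed from the executable name and hash. The sample bytes are a constructed fixture, not a real .pf file; Windows 8/10 layouts (versions 26/30) place the run count and timestamps at different offsets and Windows 10 files are additionally compressed, so they are rejected rather than misparsed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def parse_prefetch_v23(data):
    """Parse the header and file-information block of a version-23 (Windows 7) .pf file."""
    if data[:4] == b"MAM\x04":
        raise ValueError("Windows 10+ prefetch is LZXPRESS-Huffman compressed; decompress first")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or version != 23:
        raise ValueError(f"unsupported prefetch: signature={signature!r} version={version}")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 name field
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    last_run = struct.unpack_from("<Q", data, 0x80)[0]   # v23: single last-run FILETIME
    run_count = struct.unpack_from("<I", data, 0x98)[0]  # v23: run counter
    return {
        "exe_name": exe_name,
        "pf_filename": f"{exe_name}-{pf_hash:08X}.pf",  # how the on-disk name is formed
        "file_size": file_size,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }

def build_sample_v23(exe_name, pf_hash, last_run, run_count):
    """Constructed test fixture (not a real prefetch file): only the fields parsed above are set."""
    buf = bytearray(0xF0)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    name = exe_name.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)

# Hash taken from the chapter's example filename; timestamp and count are made up
SAMPLE_PF = build_sample_v23("NOTEPAD.EXE", 0x2F17B2CE,
                             datetime(2024, 3, 1, 2, 17, 12, tzinfo=timezone.utc), 7)
```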

Why Prefetch Is Valuable

  • Confirms execution of malware or suspicious programs

  • Shows when the program was executed

  • Reveals related files and dependencies

  • Helps in timeline reconstruction

Note: Prefetch may be disabled on servers (common in Windows Server OS).


LNK (Shortcut) Files

LNK files record details about files opened by the user.
They are automatically created when a file is opened via Windows Explorer.

LNK File Location

C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\

File extension: .lnk

What LNK Files Contain

  • Full path of the target file

  • Creation, modification, access times

  • File size

  • Volume serial number

  • Drive information

  • Relative paths

  • Working directory

  • Arguments used to open files
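As an added example (not part of the original chapter), the following Python parses the fixed 76-byte ShellLinkHeader of a .lnk file (timestamps, target size, attributes) and then the StringData section that carries the relative path, working directory and arguments listed above, skipping the optional LinkTargetIDList and LinkInfo structures when the LinkFlags say they are present. The sample shortcut is a constructed fixture, not a real Recent\*.lnk.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# MS-SHLLINK LinkFlags bits that govern which optional structures follow the 76-byte header
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]

def ft(v):  # FILETIME -> datetime (100 ns ticks since 1601-01-01 UTC)
    return EPOCH_1601 + timedelta(microseconds=v // 10)

def parse_lnk(data):
    """Parse the ShellLinkHeader and the StringData section of a .lnk file."""
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_IDLIST:     # LinkTargetIDList: uint16 size followed by the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:   # LinkInfo: begins with its own uint32 total size
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, key in STRING_FLAGS:  # StringData entries appear in this fixed order
        if not flags & bit:
            continue
        n = struct.unpack_from("<H", data, off)[0]; off += 2      # CountCharacters
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + n * width]; off += n * width
        strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return {"created": ft(ctime), "accessed": ft(atime), "modified": ft(wtime),
            "target_size": fsize, "hidden": bool(attrs & 0x02), **strings}

def build_sample_lnk():
    """Constructed fixture (not a real shortcut): header + three StringData entries, no IDList/LinkInfo."""
    def to_ft(*parts):
        return int((datetime(*parts, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    flags = 0x08 | 0x10 | 0x20 | IS_UNICODE
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                      to_ft(2024, 2, 20, 9, 0, 0), to_ft(2024, 3, 1, 2, 18, 30),
                      to_ft(2024, 2, 28, 17, 45, 0), 23552, 0, 1, 0, 0, 0, 0)
    body = b""
    for s in ("..\\Finance\\secret.docx", "C:\\Users\\jdoe\\Documents", "/readonly"):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + body

SAMPLE_LNK = build_sample_lnk()
```

In a shortcut dropped into the Recent folder the absolute target path usually lives in the LinkInfo structure rather than StringData, so a full tool also parses that block; the header timestamps and size shown here are what survive after the target file itself is deleted.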

Forensic Value

  • Shows which files were accessed

  • Useful when original files are deleted

  • Reveals file movement across devices

  • Helps identify exfiltration or document access


Jump Lists

Jump Lists record recent files opened by specific applications.
They are more detailed than LNK files and provide app-by-app history.

Jump List Locations

C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\

What Jump Lists Contain

  • Recently opened files

  • File paths

  • Application usage patterns

  • Timestamps

  • Frequent files list

  • Per-application history

Jump List Structure

Jump Lists are stored in:

  • .automaticDestinations-ms files

  • .customDestinations-ms files

They are SQLite-style or custom binary formats containing:

  • Accessed file paths

  • Timestamps

  • Application identifiers (AppID)

Forensic Uses

  • Tracks file opening even if history is cleared

  • Maps usage to specific applications

  • Helps reconstruct chronology

  • Reveals hidden or deleted file activity


Combining RDP, Prefetch, LNK, and Jump Lists

These four artifacts intersect to create a full user activity timeline.

Example Correlation

  1. RDP Logon (4624 Type 10) → Shows remote access

  2. Prefetch entry for malware.exe → Confirms program execution

  3. LNK file for secret.docx → Shows user opened a specific file

  4. Jump List entry → Shows which app opened the file and when

Together, they create powerful, traceable evidence linking user actions, remote connections, and file access.


Analysis Tools

Common tools for analyzing these artifacts:

  • Eric Zimmerman's RECmd, JLECmd, LECmd, EvtxECmd

  • FTK Imager

  • Autopsy

  • X-Ways Forensics

  • KAPE

  • NirSoft utilities

  • Plaso / Log2Timeline

These tools convert raw artifacts into readable, timeline-friendly formats.


Summary

RDP, Prefetch, LNK files, and Jump Lists are among the most critical user activity artifacts on a Windows system.
They reveal:

  • Remote access attempts and sessions

  • Program execution history

  • Files accessed or opened

  • Application-level file interaction

Forensic investigators rely on these artifacts to reconstruct activity timelines, detect suspicious behavior, and attribute actions to specific users or attackers. Understanding and correlating these artifacts is essential for effective Windows forensic analysis.
