Custom Jump Lists Anatomy

Proprietary Sequential Binary format analysis for user-pinned items.

What are Custom Jump Lists?

Custom Jump Lists (.customDestinations-ms) use a proprietary binary format rather than the OLE Compound File format used by Automatic Destinations. They are essentially a sequential concatenation of Windows Shortcut (LNK) files packaged with a simple framing layer.

Binary Layout: There is no DestList stream, no OLE directory, and no structured index. The parser scans the raw bytes linearly, looking for Category Headers followed by the 20-byte LNK Magic Signature, until it hits the final 0xBABFFBAB footer.

Forensic Value: Because they lack a DestList, forensic timelines rely entirely on the payload inside the embedded LNK entries. These entries provide massive value: MAC timestamps, MFT Entry/Sequence numbers (IDList), Volume Serial Numbers & Drive Types (Link Info), Command-Line arguments (String Data), and Tracker NetBIOS/MAC data (ExtraData blocks).

Category Header Definitions

| Identifier | Category Name | Meaning |
| --- | --- | --- |
| 0x00000000 | Custom Category | App-supplied category. A 2-byte name length and UTF-16LE category name follow (e.g. "Pinned", a project name, "Tasks"), then a 4-byte LNK entry count and the LNK payloads. |
| 0x00000001 | Known Category | Built-in Windows category. A 4-byte KnownCategoryType sub-value follows: 1 = Frequent, 2 = Recent, 3 = Tasks. No name; the OS renders a localised title. |
| 0x00000002 | Tasks Category (legacy) | Older shape kept for back-compat. Skips the name fields — a 4-byte LNK entry count follows directly, then the LNK payloads. |

LNK Carving & Footer

LNK Magic Signature (20 Bytes):
4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46
Because LNK entries lack explicit length prefixes, tools scan for this exact sequence to carve out shortcuts.

Footer (0xBABFFBAB):
Stored as AB FB BF BA in little-endian. Marks the absolute end of the list. If missing, the file was truncated or the system crashed.
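
A carver for the layout described above, added here as an example (not Crow-Eye's code): it scans for the 20-byte LNK signature, bounds each entry by the next signature or the footer, and reports a missing footer. The FILETIME offsets (28, 36, 44) come from the standard LNK header layout rather than this page; `carve`, `filetime` and `sample` are hypothetical names, and the sample buffer is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_MAGIC = bytes.fromhex("4C0000000114020000000000C000000000000046")
FOOTER = struct.pack("<I", 0xBABFFBAB)      # AB FB BF BA on disk
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(raw):
    """Decode an 8-byte little-endian FILETIME; 0 means 'not set'."""
    ticks = struct.unpack("<Q", raw)[0]
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def carve(data):
    """Return (entries, footer_present). Assumes the footer is the file's last 4 bytes."""
    footer_present = data.endswith(FOOTER)
    end = len(data) - len(FOOTER) if footer_present else len(data)
    starts, pos = [], data.find(LNK_MAGIC)
    while 0 <= pos < end:
        starts.append(pos)
        pos = data.find(LNK_MAGIC, pos + len(LNK_MAGIC))
    entries = []
    for start, stop in zip(starts, starts[1:] + [end]):
        blob = data[start:stop]          # upper bound: may include trailing framing bytes
        times = None
        if len(blob) >= 0x4C:            # full 76-byte LNK header available
            # Creation, access and write FILETIMEs sit at header offsets 28, 36, 44
            times = tuple(filetime(blob[o:o + 8]) for o in (28, 36, 44))
        entries.append({"offset": start, "size": len(blob), "times": times})
    return entries, footer_present

def sample(with_footer=True):
    """Constructed buffer: legacy Tasks category (0x00000002) with two stub LNK headers."""
    def stub(created):
        ticks = int((created - EPOCH).total_seconds()) * 10_000_000
        hdr = LNK_MAGIC + bytes(8) + struct.pack("<QQQ", ticks, 0, ticks)
        return hdr.ljust(0x4C, b"\x00")
    body = struct.pack("<II", 2, 2)      # category identifier, then LNK entry count
    body += stub(datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc))
    body += stub(datetime(2024, 3, 2, 17, 5, tzinfo=timezone.utc))
    return body + (FOOTER if with_footer else b"")

if __name__ == "__main__":
    for label, buf in (("intact", sample()), ("truncated", sample(False)[:-30])):
        entries, ok = carve(buf)
        print(label, "footer present:", ok)
        for e in entries:
            print("  LNK @", hex(e["offset"]), e["size"], "bytes", e["times"])
```

An entry whose carved size is under 76 bytes, as in the truncated sample, has no complete header and should be reported without timestamps rather than decoded.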

AppID Hash (Application Identity)

The Application Identity (AppID) is not explicitly stored inside the Custom Destinations binary format. Instead, the filename itself is the hex representation of the AppID (e.g., 1b4dd67f29cb1962.customDestinations-ms).

| AppID Hash | Target Application |
| --- | --- |
| 1b4dd67f29cb1962 | Windows Explorer |
| f01b4d95cf55d32a | Command Prompt (cmd.exe) |
| 5d696d521ea23821 | Google Chrome |

Surface user intent with Crow-Eye

Crow-Eye extracts pinned and custom destinations and decodes their embedded LNK metadata, turning Custom Jump Lists into clear evidence of deliberate, user-driven file access.