Lifer - Windows link file forensic examiner

A forensic tool for Windows link file examinations (i.e. Windows shortcuts)

'lifer' is a Windows or *nix command-line tool inspired by the whitepaper 'The Meaning of Link Files in Forensic Examinations' by Harry Parsonage and available here. It started life as a lightweight tool that I wrote in order to extract certain information from link files to assist in enquiries I was making whilst working as a computer forensic analyst. Now I am retired, but I am looking to expand its usefulness and publish it so that others can benefit.
The information extracted is in accordance with the Microsoft Open Specification Document 'MS-SHLLINK', which can be found online here. At the time of writing most parts of specification version 3.0 are implemented. Over time, however, I hope to bring the tool into line with the full current specification and also include other goodies such as:
  • Relevant output from IDList containers (which need reverse engineering - see 'IDLIST.txt')
  • Recognition of, and parsing of link file data within jump list (OLE) containers.


Details of the files to be found in the Test directory, and how to use them, are given in the '.\Test\Tests.txt' file. What follows is a brief outline...
Once you have installed the tool, open a command-line shell (e.g. bash or Powershell) and from the './lifer/src' directory type:
lifer -s ./Test/Test1.lnk
This should give the output:
LINK FILE -------------- .\Test\Test1.lnk
  Last Accessed:       2017-04-18 20:28:19 (UTC)
  Last Modified:       2017-04-18 20:28:19 (UTC)
  Last Changed:        2017-04-18 20:28:19 (UTC)

  {S_2.1 - ShellLinkHeader}
    Attributes:          0x00000020   FILE_ATTRIBUTE_ARCHIVE
    Creation Time:       2008-09-12 20:27:17 (UTC)
    Access Time:         2008-09-12 20:27:17 (UTC)
    Write Time:          2008-09-12 20:27:17 (UTC)
    Target Size:         0 bytes
  {S_2.3 - LinkInfo}
    {S_2.3.1 - LinkInfo - VolumeID}
      Drive Type:        DRIVE_FIXED
      Drive Serial No:   307A8A81
      Volume Label:      [EMPTY]
      Local Base Path:   C:\test\a.txt
  {S_2.4 - StringData}
    {S_2.4 - StringData - RELATIVE_PATH}
      Relative Path:     .\a.txt
    {S_2.4 - StringData - WORKING_DIR}
      Working Dir:       C:\test
  {S_2.5 - ExtraData}
    {S_2.5.10 - ExtraData - TrackerDataBlock}
      MachineID:         chris-xps
      Droid1:            {94C77840-FA47-46C7-B356-5C2DC6B6D115}
      Droid2:            {7BCD46EC-7F22-11DD-9499-00137216874A}
        UUID Sequence:     153
        UUID Time:         2008-09-10 10:23:17 (UTC)
        UUID Node (MAC):   00:13:72:16:87:4A
A fuller output (including more accurate timestamps) can be obtained by omitting the '-s' option.
The most detail about a link file can be gleaned by using the '-i' option which will print known details about any idlist objects too. This option is not compatible with the '-s' option.
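The two pieces of the output above that are easiest to check by hand are the ShellLinkHeader (S_2.1) and the Droid values in the TrackerDataBlock (S_2.5.10). The following Python is an added example written for this page and is not lifer's own code: it parses the fixed 76-byte ShellLinkHeader as laid out in MS-SHLLINK section 2.1 (HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIME stamps, FileSize) from a constructed header, and decodes a Droid as an RFC 4122 version-1 UUID into its timestamp, clock sequence and node (MAC) fields, which is how the 'UUID Time' and 'UUID Node (MAC)' lines for Droid2 are derived. Both UUID v1 and FILETIME count 100-nanosecond ticks but from different epochs (1582-10-15 and 1601-01-01 respectively). The sample header is constructed test data; the Droid string is the Droid2 value shown above. Note that RFC 4122 defines a 14-bit clock sequence, of which 153 (shown above as 'UUID Sequence') is the low byte; the full value for that Droid is 0x1499.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Epochs for the two 100 ns tick counters found in a .lnk file.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)      # RFC 4122 v1 time
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)     # Windows FILETIME

# Every ShellLinkHeader starts with HeaderSize 0x4C and this LinkCLSID (MS-SHLLINK 2.1).
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# Subset of FileAttributes bits (MS-SHLLINK 2.1.2) needed for this example.
FILE_ATTRIBUTES = {
    0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
    0x04: "FILE_ATTRIBUTE_SYSTEM", 0x10: "FILE_ATTRIBUTE_DIRECTORY",
    0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x80: "FILE_ATTRIBUTE_NORMAL",
}


def ticks_to_datetime(ticks, epoch):
    """Convert a count of 100 ns ticks since `epoch` into an aware UTC datetime."""
    return epoch + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of ticks_to_datetime for the FILETIME epoch (used to build test data)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_droid(droid):
    """Decode a TrackerDataBlock Droid (a version-1 UUID) into time, clock sequence and node."""
    u = uuid.UUID(droid.strip("{}"))
    if u.version != 1:
        raise ValueError(f"not a time-based (v1) UUID: {u}")
    return {
        "time": ticks_to_datetime(u.time, UUID_EPOCH),   # 60-bit timestamp
        "clock_seq": u.clock_seq,                         # full 14-bit value
        "clock_seq_low": u.clock_seq_low,                 # low byte only
        "node": ":".join(f"{b:02X}" for b in u.node.to_bytes(6, "big")),
    }


def parse_shell_link_header(data):
    """Parse the fixed 76-byte ShellLinkHeader at the start of a .lnk file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Windows shell link (bad HeaderSize or LinkCLSID)")
    return {
        "link_flags": flags,
        "attributes": attrs,
        "attribute_names": [n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit],
        "creation_time": ticks_to_datetime(ctime, FILETIME_EPOCH),
        "access_time": ticks_to_datetime(atime, FILETIME_EPOCH),
        "write_time": ticks_to_datetime(wtime, FILETIME_EPOCH),
        "target_size": fsize,
    }


def build_sample_header(attrs, when):
    """Construct a ShellLinkHeader for testing (constructed data, not a real .lnk file)."""
    ft = datetime_to_filetime(when)
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIME,
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1/2/3.
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID.bytes_le,
                       0, attrs, ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)


if __name__ == "__main__":
    # Droid2 from the Test1.lnk output above.
    print(decode_droid("{7BCD46EC-7F22-11DD-9499-00137216874A}"))
    sample = build_sample_header(0x20, datetime(2008, 9, 12, 20, 27, 17, tzinfo=timezone.utc))
    print(parse_shell_link_header(sample))
```

Running it on the Droid2 value reproduces the timestamp 2008-09-10 10:23:17 UTC and node 00:13:72:16:87:4A shown in the lifer output; the header parser reports FILE_ATTRIBUTE_ARCHIVE and the three 2008-09-12 20:27:17 timestamps for the constructed header.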
All the link files in a directory (folder) can be parsed by just passing the name of the directory:
lifer ./Test/WinXP
(for brevity the output has not been shown).
The most useful output for a number of link files is a tab (or comma) separated list written to a file, which can then be imported into a spreadsheet for analysis at your leisure:
lifer -o tsv ./Test/WinXP > WinXP.tsv
or, for a file that has some of the superfluous and uninteresting data redacted:
lifer -so tsv ./Test/WinXP > WinXP.tsv