Difference between pages "Upcoming events" and "LNK"

From ForensicsWiki

Upcoming events

<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
Events should be posted in the correct section, and in date order. An event should NEVER be listed in more than one section (e.g. Ongoing/Continuous events should not be listed in Scheduled Training). When events begin on the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (e.g. Sep, NOT Sept. or September), use two-digit dates (e.g. Jan 01, NOT Jan 1), and use date ranges rather than listing every date during an event (e.g. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]]. It is not an all-inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into four sections (described as follows):<br>
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available in an online/distance learning format or that are offered at the same time every month (Name, date if applicable, URL)</li><br>
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations. This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
<i>(Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

== Calls For Papers ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title !! Due Date !! Website
|-
| 11th International Symposium on Recent Advances in Intrusion Detection || Apr 04, 2008 || http://www.ll.mit.edu/IST/RAID2008/index.html
|-
| 2nd International Workshop on Computational Forensics || Apr 20, 2008 || http://iwcf08.arsforensica.org/download/IWCF08-CFP-USletter.pdf
|-
| RECON 2008 || Apr 30, 2008 || http://recon.cx/2008/recon2008-cfp.txt
|-
| Black Hat Japan 2008 Briefings || OPEN ON May 01, 2008 || https://cfp.blackhat.com/
|-
| Techno-Security 2008 || May 04, 2008 || http://www.techsec.com/html/TechnoPapers.html
|-
| Black Hat USA 2008 Briefings || May 14, 2008 || https://www.blackhat.com/html/bh-usa-08/bh-usa-08-cfp.html
|-
| 4th International Conference on IT Incident Management & IT Forensics || Jun 01, 2008 || http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2008/cfp_en.html
|-
| ANZFSS - 19th International Symposium on the Forensic Sciences || Jul 06, 2008 || http://www.anzfss2008.org.au/content/view/56/63/
|-
| American Academy of Forensic Sciences Annual Meeting || Aug 01, 2008 || http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
|}

== Conferences ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title !! Date/Location !! Website
|-
| RSA Conference 2008 || Apr 07-11, San Francisco, CA || http://www.rsaconference.com/2008/US/Home.aspx
|-
| 2008 National OPSEC Conference || Apr 07-11, Denver, CO || http://www.nsa.gov/ia/events/conferences/index.cfm?ConferenceID=53
|-
| USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08): Botnets, Spyware, Worms, and More || Apr 15, San Francisco, CA || http://www.usenix.org/events/leet08/index.html
|-
| ADFSL 2008 Conference on Digital Forensics, Security and Law || Apr 23-25, Oklahoma City, OK || http://www.digitalforensics-conference.org
|-
| CEIC 2008 Computer & Enterprise Investigations Conference || Apr 27-30, Las Vegas, NV || http://www.ceicconference.com/
|-
| Microsoft Law Enforcement Tech Conference 2008 || Apr 28-30, Redmond, Washington ||
|-
| HTCIA/ASIS High Technology Crime Conference || May 06-08, San Francisco, CA || http://htciatraining.org/general_info.asp
|-
| Fourth Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW-08) || May 12-14, Oak Ridge, TN || http://www.ioc.ornl.gov/csiirw
|-
| Ohio HTCIA Spring Training Conference || May 12-14, Lakeland Community College, OH || http://www.ohiohtcia.org/conference.html
|-
| LayerOne 2008 Information Technology Conference || May 17-18, Los Angeles, CA || http://layerone.info
|-
| EuSecWest Security Conference 2008 || May 21-22, London, England || http://eusecwest.com/
|-
| 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering || May 22, Oakland, CA || http://conf.ncku.edu.tw/sadfe/sadfe08/
|-
| Techno-Security 2008 || Jun 01-04, Myrtle Beach, SC || http://www.techsec.com/html/Techno2008.html
|-
| Gartner IT Security Summit || Jun 02-04, Washington, DC || http://www.gartner.com/it/page.jsp?id=507478&tab=overview
|-
| 6th International Conference on Applied Cryptography and Network Security || Jun 03-06, Columbia University, New York City, NY || http://acns2008.cs.columbia.edu/
|-
| RECON 2008 || Jun 13-15, Montreal, Quebec, Canada || http://recon.cx/2008/
|-
| USENIX Annual Technical Conference || Jun 22-27, Boston, MA || http://www.usenix.com/events/usenix08/
|-
| International Association of Forensic Sciences Annual Meeting || Jul 21-26, New Orleans, LA || http://www.iafs2008.com/
|-
| 17th USENIX Security Symposium || Jul 28-Aug 01, San Jose, CA || http://www.usenix.org/events/sec08/
|-
| Black Hat USA 2008 Briefings & Training || Aug 02-07, Las Vegas, NV || http://www.blackhat.com/html/bh-link/briefings.html
|-
| 2nd International Workshop on Computational Forensics || Aug 07-08, Washington, DC || http://iwcf08.arsforensica.org
|-
| DEF CON 16 || Aug 08-10, Las Vegas, NV || http://www.defcon.org
|-
| Digital Forensic Research Workshop || Aug 11-13, Baltimore, MD || http://www.dfrws.org
|-
| International Workshop on Digital Crime and Forensics, in conjunction with the 4th International Conference on Intelligent Information Hiding and Multimedia Signal Processing || Aug 15-17, Harbin, China || http://www.dcs.warwick.ac.uk/~ctli/CFP_IWDCF2008.html
|-
| 11th International Symposium on Recent Advances in Intrusion Detection || Sep 15-17, Cambridge, MA || http://www.ll.mit.edu/IST/RAID2008/
|-
| 4th International Conference on IT Incident Management & IT Forensics || Sep 23-25, Mannheim, Germany || http://www.imf-conference.org/
|-
| ANZFSS - 19th International Symposium on the Forensic Sciences || Oct 06-09, Melbourne, Australia || http://www.anzfss2008.org.au/
|-
| 2008 HTCIA International Training Conference || Oct 22-28, Atlantic City, NJ || http://www.htcia.org/conference.shtml
|-
| 2009 DoD Cyber Crime Conference || Jan 24-30, St. Louis, MO || http://www.dodcybercrime.com/
|-
| American Academy of Forensic Sciences Annual Meeting || Feb 16-21, Denver, CO || http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
|}

== On-going / Continuous Training ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title !! Date/Location or Venue !! Website
|-
| Basic Computer Examiner Course - Computer Forensic Training Online || Distance Learning Format || http://www.cftco.com
|-
| Linux Data Forensics Training || Distance Learning Format || http://www.crazytrain.com/training.html
|-
| SANS On-Demand Training || Distance Learning Format || http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
|-
| MaresWare Suite Training || First full week every month, Atlanta, GA || http://www.maresware.com/maresware/training/maresware.htm
|-
| Evidence Recovery for Windows Vista&trade; || First full week every month, Brunswick, GA || http://www.internetcrimes.net
|-
| Evidence Recovery for Windows Server&reg; 2003 R2 || Second full week every month, Brunswick, GA || http://www.internetcrimes.net
|-
| Evidence Recovery for the Windows XP&trade; operating system || Third full week every month, Brunswick, GA || http://www.internetcrimes.net
|-
| Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals || Third weekend of every month (Fri-Mon), Dallas, TX || http://www.md5group.com
|}

==[[Scheduled Training Courses]]==

Revision as of 13:42, 23 September 2013

Microsoft Windows Shortcut Files

File Format

The Windows Shortcut file has the extension .lnk. It is a metadata file specific to the Microsoft Windows platform and is interpreted by the Windows Shell. Microsoft documents the format as MS-SHLLINK (see External Links). A file or stream in this format opens with a fixed 76-byte ShellLinkHeader whose first field, HeaderSize, is always 0x4C, so the bytes 4C 00 00 00 at offset 0 serve as the signature. The 16-byte LinkCLSID 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a second, stronger identifier. The CLSID is stored in the Windows binary GUID layout, with the first three fields little-endian, so on disk it reads 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 rather than in the order the text form suggests; carving patterns and signature rules must use the on-disk byte order.

Understanding this file format can be extremely useful for an analyst: not only are shortcut files still employed as of Windows 7, but the same binary format is also used for the numbered streams within *.automaticDestinations-ms Jump Lists files on Windows 7 and 8, so one parser covers both artifacts.

Metadata

A shortcut records, among other things:

  • MAC times of the target. These are FILETIME values in UTC copied from the target when the shortcut was created or last updated by the shell, so they are a snapshot of the target's timestamps at that moment, not the timestamps of the .lnk file itself. The target can be several things, for example a (linked) file:
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
  • The Shell Item list of the target;
  • The size of the target as recorded when the shortcut was created or last updated. The field is 32 bits wide, so for a target larger than 4 GiB only the low 32 bits of the size are kept;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, encrypted, sparse, compressed, offline and several other target file attributes, as well as the label of the volume the target was on;
  • MAC address of the host computer (sometimes): the droid file identifiers below are version-1 UUIDs, whose node field normally carries the MAC address of a network adapter of the machine that generated them. It is absent when the identifier was generated with a random node (recognisable by the multicast bit being set in the first octet of the node), as happens on hosts without a usable network adapter;
  • Distributed link tracking information, e.g.
Distributed link tracker information:
	Machine identifier string           : mysystem
	Droid volume identifier             : 11111111-2222-3333-4444-555555555555
	Droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
	Birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
	Birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
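The header check from the File Format section and the metadata fields listed above, as an added example in Python (not code from the wiki or from any of the tools listed below). It builds its own sample shortcut, so the volume serial 1234ABCD, the host name mysystem, the wlmail.exe path and the two droid GUIDs are assumed, constructed values rather than data from a real system; field layouts and flag values follow MS-SHLLINK, and the droid decoding follows the version-1 UUID layout of RFC 4122.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER = struct.Struct("<I16sIIQQQIiIHHII")  # 76-byte ShellLinkHeader
FLAG_IDLIST, FLAG_LINKINFO, FLAG_UNICODE = 0x1, 0x2, 0x80  # LinkFlags bits
STRINGDATA_FLAGS = (0x4, 0x8, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
ATTRS = {0x1: "readonly", 0x2: "hidden", 0x4: "system", 0x10: "directory", 0x20: "archive",
         0x200: "sparse", 0x800: "compressed", 0x1000: "offline", 0x4000: "encrypted"}
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
TRACKER_SIG = 0xA0000003  # ExtraData TrackerDataBlock signature
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)    # FILETIME epoch
EPOCH_1582 = datetime(1582, 10, 15, tzinfo=timezone.utc)  # UUID version-1 epoch

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None when unset."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def is_lnk(data):
    """Magic check: HeaderSize 0x4C at offset 0 and LinkCLSID at offset 4 (mixed-endian on disk)."""
    return (len(data) >= HEADER.size and data[:4] == b"\x4c\x00\x00\x00"
            and uuid.UUID(bytes_le=data[4:20]) == LNK_CLSID)

def droid_info(raw):
    """A droid is a GUID; if it is a version-1 UUID its node field is normally the generating
    host's MAC (unless the multicast bit flags a random node) and its clock is the minting time."""
    u = uuid.UUID(bytes_le=raw)
    info = {"guid": str(u), "mac": None, "time": None}
    if u.version == 1:
        node = u.node.to_bytes(6, "big")
        if not node[0] & 1:
            info["mac"] = ":".join(f"{b:02x}" for b in node)
        info["time"] = EPOCH_1582 + timedelta(microseconds=u.time // 10)
    return info

def parse_lnk(data):
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags, attrs, ctime, atime, wtime, size = HEADER.unpack_from(data, 0)[2:8]
    out = {"created": filetime(ctime), "accessed": filetime(atime), "modified": filetime(wtime),
           "size": size, "attributes": sorted(n for b, n in ATTRS.items() if attrs & b),
           "volume_serial": None, "drive_type": None, "local_path": None, "tracker": None}
    pos = HEADER.size
    if flags & FLAG_IDLIST:  # skip the shell item list (not decoded here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINKINFO:
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        li = data[pos:pos + li_size]
        if li_flags & 1:  # VolumeIDAndLocalBasePath present
            _, drive_type, serial, _ = struct.unpack_from("<IIII", li, vol_off)
            out["volume_serial"] = f"{serial:08X}"
            out["drive_type"] = DRIVE_TYPES.get(drive_type, f"unknown({drive_type})")
            out["local_path"] = li[base_off:li.index(b"\x00", base_off)].decode("ascii", "replace")
        pos += li_size
    for bit in STRINGDATA_FLAGS:  # each present string: uint16 char count + chars
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * (2 if flags & FLAG_UNICODE else 1)
    while pos + 8 <= len(data):  # ExtraData blocks end at a TerminalBlock (size < 4)
        blk_size, sig = struct.unpack_from("<II", data, pos)
        if blk_size < 4:
            break
        if sig == TRACKER_SIG:  # Length, Version, MachineID[16], Droid[2 GUIDs], DroidBirth[2 GUIDs]
            out["tracker"] = {
                "machine_id": data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("ascii", "replace"),
                "droid_volume": droid_info(data[pos + 32:pos + 48]),
                "droid_file": droid_info(data[pos + 48:pos + 64]),
                "birth_droid_volume": droid_info(data[pos + 64:pos + 80]),
                "birth_droid_file": droid_info(data[pos + 80:pos + 96])}
        pos += blk_size
    return out

def build_sample_lnk():
    """Constructed sample, not a real capture: wlmail.exe on a fixed volume with an assumed
    serial 1234ABCD, tracked by an assumed host 'mysystem' (droid GUIDs are assumed too)."""
    def ft(dt):  # datetime -> FILETIME, integer arithmetic to avoid float rounding
        return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10
    t_cw = datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc)
    t_a = datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc)
    header = HEADER.pack(0x4C, LNK_CLSID.bytes_le, FLAG_LINKINFO, 0x20,
                         ft(t_cw), ft(t_a), ft(t_cw), 0x4E6C0, 0, 1, 0, 0, 0, 0)
    label = b"SYSTEM\x00"
    path = b"C:\\Program Files (x86)\\Windows Live\\Mail\\wlmail.exe\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label
    vol_off, base_off = 28, 28 + len(volume_id)
    suffix_off = base_off + len(path)
    linkinfo = struct.pack("<IIIIIII", suffix_off + 1, 28, 1, vol_off, base_off, 0, suffix_off)
    linkinfo += volume_id + path + b"\x00"  # empty CommonPathSuffix
    droid_vol = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le   # not v1: no MAC
    droid_file = uuid.UUID("9b8c7d6e-5f4a-11e3-8a2b-000c29a1b2c3").bytes_le  # v1: node is a MAC
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"mysystem".ljust(16, b"\x00")
               + droid_vol + droid_file + droid_vol + droid_file)
    return header + linkinfo + tracker + b"\x00\x00\x00\x00"  # TerminalBlock
```

parse_lnk(build_sample_lnk()) returns the target timestamps, size, attribute names, volume serial, drive type, local path and the four droids (with the MAC and minting time recovered from the version-1 file droid, and None for the non-version-1 volume droid); for a real shortcut pass open(path, "rb").read(). The shell item list and the network share name are skipped here, and the same walk applies to each numbered stream of an automaticDestinations-ms Jump List once it has been extracted from its OLE compound file.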

External Links

  • The Meaning of Linkfiles In Forensic Examinations: http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf
  • Details of the Windows shortcut file format: http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf
  • MS-SHLLINK: http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx
  • Windows Shortcut File (LNK) format, by the liblnk project: https://googledrive.com/host/0B3fBvzttpiiSQmluVC1YeDVvZWM/Windows%20Shortcut%20File%20(LNK)%20format.pdf
  • Evidentiary Value of Link Files, by Nathan Weilbacher: http://www.forensicfocus.com/link-file-evidentiary-value
  • LNK Parsing: You're doing it wrong (I), by Jordi Sánchez López, August 10, 2010: http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/
  • LNK Parsing: You're doing it wrong (II), by Jordi Sánchez López, August 13, 2010: http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/

Tools

  • Windows LNK file parser (TZWorks), a free tool that can be run on Windows, Linux or Mac OS X: http://www.tzworks.net/prototype_page.php?proto_id=11
  • Free tool (in Perl) that is capable of reading and reporting on Windows shortcut files: http://jafat.sourceforge.net/files.html
  • Free tool that is capable of reading and reporting on Windows shortcut files: http://mitec.cz/wfa.html
  • liblnk
  • lnk-parser: http://code.google.com/p/lnk-parser/

Category: File Formats