Difference between pages "DeepSpar Disk Imager" and "LNK"

From ForensicsWiki
The DeepSpar Disk Imager is a hardware, drive-to-drive data recovery imaging device. It makes use of a fairly standard PC system but connects directly to the source drive (the drive being imaged). Through this hardware connection it is able to command the source drive at a low ATA register level, bypassing normal BIOS calls to the hard drive. Standard BIOS/hard drive operations will not allow the retrieval of damaged or corrupted sectors, as that would invariably cause a system (OS) failure. For data recovery purposes, however, it is important to be able to access any available data.

[[Image:DeepSpardiskimager.jpg|frame|DeepSpar Disk Imager Kit]]

Additionally, the DeepSpar Disk Imager controls the power input of the source drive so that it can, if required, re-power the source without rebooting the system. (This is significant with highly unstable drives that will continually “hang.”)

To control and pre-configure the source drive, the DeepSpar Disk Imager makes use of specific ATA commands [http://www.t13.org] as well as some vendor-specific commands. This includes the ability to read sectors while ignoring [[Error Correction Code |ECC errors]], as well as the ability to send software and hardware reset commands to the drive, which makes it possible to control the “read timeout.” (Read timeout is a user-defined amount of time in milliseconds that the hard drive is given to read any particular sector. If the read timeout is reached before the sector is correctly read, the sector is skipped. The imager then marks in its “map” that the sector was skipped so that it can be reprocessed on later passes.)

Through the tool’s software interface, the end user is able to configure all parameters and commands that they wish the imager to use over multiple imaging passes. As previously mentioned, the DeepSpar Disk Imager stores a “map” of all the sectors from the source drive. This map allows the imager to always remember which sectors have been imaged, which were skipped, which had errors, etc. This in turn allows the imager to run multiple passes without reprocessing sectors that had previously been read correctly. It also allows the imager to run imaging passes that target specific sector errors.

Unlike forensics tools, the DeepSpar Disk Imager does not create an [[Raw image file|image file]]. Instead, it uses commands and techniques to image all sectors on the source drive directly to the destination drive. The image drive can then be used by any data retrieval or forensics software for file recovery or forensic investigation.

Microsoft Windows Shortcut Files

== File Format ==

The Windows Shortcut file has the extension .lnk. It is basically a metadata file, specific to the Microsoft Windows platform, that is interpreted by the Windows Shell. The format specifies a fixed signature, 0x4C (the bytes 4C 00 00 00), at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

Understanding this file format can be extremely useful for an analyst: not only are shortcut files still employed as of Windows 7, but the same binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on [[Windows 7]] and [[Windows 8|8]].

== Metadata ==
* [[MAC times]] of the target. These are a snapshot of the target's date and time stamps before it was last opened. The target can be several things, for example a (linked) file:

<pre>
Linked file information:
    Creation time       : Jul 26, 2009 14:44:34 UTC
    Modification time   : Jul 26, 2009 14:44:34 UTC
    Access time         : Aug 12, 2010 06:41:50 UTC
    Local path          : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
</pre>

* The [[Shell Item]] list of the target;
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored;
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes);
* Distributed link tracking information, e.g.

<pre>
Distributed link tracker information:
    Machine identifier string          : mysystem
    Droid volume identifier            : 11111111-2222-3333-4444-555555555555
    Droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    Birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
    Birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</pre>
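The following is an added example (not code from the ForensicsWiki page or from any of the tools listed below) that ties the File Format and Metadata sections together: it identifies a LNK stream by the 0x4C header size and the CLSID at offset 4, parses the fixed 76-byte ShellLinkHeader as laid out in MS-SHLLINK (LinkFlags, FileAttributes, creation/access/write FILETIMEs, FileSize), and decodes a distributed link tracking (droid) identifier. The droid identifiers are UUIDs; only a version 1 UUID carries a node (MAC address) and a timestamp, which is why the host MAC address is only "sometimes" recoverable. The header bytes, the LinkFlags value, the file size and the MAC address and clock sequence used for the droid are all constructed sample values; the timestamps are the ones shown in the "Linked file information" block above.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# ShellLinkHeader layout (MS-SHLLINK): HeaderSize (4) = 0x4C, LinkCLSID (16),
# LinkFlags (4), FileAttributes (4), CreationTime/AccessTime/WriteTime (3 x 8),
# FileSize (4), IconIndex (4), ShowCommand (4), HotKey (2), Reserved (2 + 4 + 4).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)     # FILETIME epoch
UUID_V1_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)    # RFC 4122 v1 epoch

# FILE_ATTRIBUTE_* bits that matter when reporting target attributes.
FILE_ATTRIBUTES = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
    0x0020: "ARCHIVE", 0x0080: "NORMAL", 0x0100: "TEMPORARY", 0x0200: "SPARSE_FILE",
    0x0400: "REPARSE_POINT", 0x0800: "COMPRESSED", 0x1000: "OFFLINE",
    0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def is_lnk(data):
    """Identify a LNK file or Jump List stream: HeaderSize 0x4C at offset 0 and the
    shortcut CLSID (stored little-endian) at offset 4."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    (header_size,) = struct.unpack_from("<I", data, 0)
    clsid = uuid.UUID(bytes_le=bytes(data[4:20]))
    return header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID


def parse_header(data):
    """Parse the fixed ShellLinkHeader and return the forensically useful fields."""
    if not is_lnk(data):
        raise ValueError("not a Windows Shortcut (LNK) header")
    (flags, attrs, ctime, atime, wtime, size, icon, show, hotkey) = struct.unpack_from(
        "<IIQQQIIIH", data, 20)
    return {
        "link_flags": flags,
        "file_attributes": [n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit],
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
        "icon_index": icon,
        "show_command": show,   # 1 = SW_SHOWNORMAL
        "hotkey": hotkey,
    }


def decode_droid(guid_str):
    """Decode a droid (distributed link tracking) identifier. Only a version 1 UUID
    carries the generating host's MAC address (node) and a creation timestamp."""
    u = uuid.UUID(guid_str)
    if u.version != 1:
        return {"version": u.version, "mac": None, "timestamp": None}
    mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    # u.time is in 100 ns ticks since the RFC 4122 epoch
    return {"version": 1, "mac": mac,
            "timestamp": UUID_V1_EPOCH + timedelta(microseconds=u.time // 10)}


def make_v1_uuid(dt, clock_seq, node):
    """Build a deterministic version 1 UUID (constructed test data, not a real droid)."""
    t = (dt - UUID_V1_EPOCH) // timedelta(microseconds=1) * 10
    return uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF,
                             ((t >> 48) & 0x0FFF) | 0x1000,
                             0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node))


def build_sample_header():
    """Constructed 76-byte header (not a real file) whose target timestamps match the
    'Linked file information' example: created/modified Jul 26 2009, accessed Aug 12 2010."""
    created = datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc)
    accessed = datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack(
        "<IIQQQIIIHHII",
        0x0000001B,                      # LinkFlags (constructed; bit 0 = HasLinkTargetIDList)
        0x00000020,                      # FileAttributes: ARCHIVE
        datetime_to_filetime(created),   # CreationTime
        datetime_to_filetime(accessed),  # AccessTime
        datetime_to_filetime(created),   # WriteTime (equals creation time on the page)
        1_337_000,                       # FileSize (constructed)
        0, 1, 0,                         # IconIndex, ShowCommand, HotKey
        0, 0, 0)                         # Reserved1, Reserved2, Reserved3
    return header


if __name__ == "__main__":
    sample = build_sample_header()
    print("is LNK:", is_lnk(sample))
    for k, v in parse_header(sample).items():
        print(f"{k:>16}: {v}")
    droid = make_v1_uuid(datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc),
                         0x1234, 0x001122334455)          # constructed MAC and clock seq
    print("droid:", droid, decode_droid(str(droid)))
    print("page droid:", decode_droid("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"))
```

The `is_lnk` check is the one to run over each numbered stream of an `*.automaticDestinations-ms` Jump List, since those streams carry the same header. `decode_droid` returns `mac: None` for the page's placeholder `aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`, because it is not a version 1 UUID; real tracker blocks written by a host with a physical NIC usually are, which is where the "MAC address of the host computer" item above comes from.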
  
 
== External Links ==

* [http://www.driveimager.com/ Official website]
* [http://www.deepspar.com/pdf/DeepSparDiskImager.pdf Product data sheet]
* [http://www.deepspar.com/mjm-ds-disk-imager.html Review of the DeepSpar Disk Imager] by Mike Montgomery of MJM Data Recovery in the UK
* ''[http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery]'', a whitepaper on the product

[[Category:Disk imaging tools]]
== External Links ==

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
* [https://googledrive.com/host/0B3fBvzttpiiSQmluVC1YeDVvZWM/Windows%20Shortcut%20File%20(LNK)%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files], by Nathan Weilbacher
* [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)], by [[Jordi Sánchez López]], August 10, 2010
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010

== Tools ==

* [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser], a free tool that can be run on Windows, Linux or Mac OS X
* [http://jafat.sourceforge.net/files.html Free tool (in Perl) that is capable of reading and reporting on Windows shortcut files]
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
* [[liblnk]]
* [http://code.google.com/p/lnk-parser/ lnk-parser]

[[Category:File Formats]]

Revision as of 13:42, 23 September 2013
