Difference between pages "LNK" and "Liblnk"

From ForensicsWiki

Microsoft Windows Shortcut Files

== File Format ==

The Windows Shortcut file has the extension .lnk.

It is essentially a metadata file, specific to the Microsoft Windows platform, that is interpreted by the Windows Shell.

The file format indicates that these files contain a specific signature, 0x4C (the bytes 4C 00 00 00) at offset 0 within the file or stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

Understanding this file format can be extremely useful for an analyst: not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on [[Windows 7]] and [[Windows 8|8]].
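As an added example (not code from this wiki page or from the liblnk project), the following Python checks the two identifiers named above and decodes the rest of the 76-byte header, using the field layout of the MS-SHLLINK specification linked under External Links; the MAC times, target size and target attributes it returns are among the metadata fields listed in the next section. The header bytes are constructed inside the block, reusing the calc.exe timestamps from the lnkinfo listing on this page.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkFlags bits (MS-SHLLINK 2.1.1) behind lnkinfo's "Contains a ..." lines
LINK_FLAGS = {"HasLinkTargetIDList": 0x1, "HasLinkInfo": 0x2, "HasName": 0x4,
              "HasWorkingDir": 0x10, "HasExpString": 0x200}
# FileAttributes bits (MS-SHLLINK 2.1.2) for the target attributes listed under Metadata
FILE_ATTRIBUTES = {"READONLY": 0x1, "HIDDEN": 0x2, "SYSTEM": 0x4, "SPARSE": 0x200,
                   "COMPRESSED": 0x800, "OFFLINE": 0x1000, "ENCRYPTED": 0x4000}

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH        # integer arithmetic keeps the round trip exact
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def is_lnk(data):
    """The two identifiers the text names: header size 0x4C at offset 0, CLSID at offset 4."""
    return (len(data) >= 0x4C and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and uuid.UUID(bytes_le=bytes(data[4:20])) == LNK_CLSID)

def parse_lnk_header(data):
    """Decode the 76-byte ShellLinkHeader; raises ValueError for a non-LNK buffer."""
    if not is_lnk(data):
        raise ValueError("not a Windows Shortcut: bad header size or CLSID")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    return {
        "flags": [n for n, bit in LINK_FLAGS.items() if flags & bit],
        "attributes": [n for n, bit in FILE_ATTRIBUTES.items() if attrs & bit],
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "modification_time": filetime_to_datetime(wtime),
        "target_size": size,
    }

def build_sample_header():
    """Constructed header bytes (not a real shortcut); times taken from the calc.exe listing."""
    times = [datetime(2004, 8, 10, 16, 54, 24, tzinfo=timezone.utc),   # creation
             datetime(2006, 6, 26, 10, 36, 41, tzinfo=timezone.utc),   # access
             datetime(2004, 8, 4, 14, 0, 0, tzinfo=timezone.utc)]      # write
    head = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
    body = struct.pack("<IIQQQI", 0x1 | 0x2 | 0x4 | 0x10 | 0x200, 0x1 | 0x800,
                       *(datetime_to_filetime(t) for t in times), 114688)
    return head + body + bytes(0x4C - len(head) - len(body))   # icon, show cmd, hotkey, reserved
```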
  
== Metadata ==

* [[MAC times]] of the target. These are a snapshot of the target's date and time stamps from before it was last opened. The target can be several things, for example a (linked) file:

<pre>
Linked file information:
Creation time     : Jul 26, 2009 14:44:34 UTC
Modification time : Jul 26, 2009 14:44:34 UTC
Access time       : Aug 12, 2010 06:41:50 UTC
Local path        : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
</pre>

* The [[Shell Item]] list of the target;
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored;
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes);
* Distributed link tracking information, e.g.

<pre>
Distributed link tracker information:
Machine identifier string     : mysystem
Droid volume identifier       : 11111111-2222-3333-4444-555555555555
Droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Birth droid volume identifier : 11111111-2222-3333-4444-555555555555
Birth droid file identifier   : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</pre>
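An added example (not code from this wiki page or from liblnk) showing where the "sometimes" MAC address comes from: the distributed link tracking droid identifiers are RFC 4122 version 1 UUIDs, whose node field is the generating host's MAC address and whose time field is the timestamp at which the identifier was generated. The droid value the block decodes is constructed in the block itself; the placeholder ids in the listing above are not version 1 and yield nothing.

```python
import uuid
from datetime import datetime, timedelta, timezone

UUID_V1_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # v1 time field: 100 ns ticks from here

def decode_droid(droid):
    """Return (mac, timestamp) for a version 1 droid identifier, None for any other UUID."""
    u = uuid.UUID(str(droid))
    if u.version != 1:
        return None            # random (v4) or placeholder ids carry no MAC address
    mac = ":".join(f"{(u.node >> s) & 0xff:02x}" for s in range(40, -1, -8))
    return mac, UUID_V1_EPOCH + timedelta(microseconds=u.time // 10)

def build_droid(when, mac_int, clock_seq=0x1234):
    """Assemble a version 1 UUID from its parts (used here only to construct test data)."""
    d = when - UUID_V1_EPOCH
    ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
              ((ticks >> 48) & 0x0FFF) | 0x1000,              # version 1 in the top nibble
              0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, mac_int)
    return uuid.UUID(fields=fields)

def sample_droid():
    """Constructed droid file identifier: MAC 00:11:22:33:44:55, generated 2010-08-12 06:41:50 UTC."""
    return build_droid(datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc), 0x001122334455)
```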
  
== External Links ==

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations], by [[Harry Parsonage]], September 2008
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
* [https://googledrive.com/host/0B3fBvzttpiiSQmluVC1YeDVvZWM/Windows%20Shortcut%20File%20(LNK)%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files], by Nathan Weilbacher
* [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)], by [[Jordi Sánchez López]], August 10, 2010
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010

== Tools ==

* [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser], a free tool that can be run on Windows, Linux or Mac OS X
* [http://jafat.sourceforge.net/files.html Free tool (in Perl) that is capable of reading and reporting on Windows shortcut files]
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
* [[liblnk]]
* [http://code.google.com/p/lnk-parser/ lnk-parser]

[[Category:File Formats]]

Latest revision as of 14:48, 23 September 2013

liblnk
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Analysis
License: LGPL
Website: code.google.com/p/liblnk/

The liblnk package contains a library and applications to read the Windows Explorer Shortcut (LNK) format.

Tools

The liblnk package contains the following tools:

  • lnkinfo, which shows information about LNK files.

Examples

Requesting the information in a LNK file:

lnkinfo Calculator.lnk
lnkinfo 20110711

Windows Shortcut information:
        Contains a link target identifier
        Contains a description string
        Contains a working directory string
        Contains an environment variables block

Link information:
        Creation time                   : Aug 10, 2004 16:54:24.000000 UTC
        Modification time               : Aug 04, 2004 14:00:00.000000 UTC
        Access time                     : Jun 26, 2006 10:36:41.703125 UTC
        Local path                      : C:\WINDOWS\system32\calc.exe
        Description                     : @%SystemRoot%\system32\shell32.dll,-22531
        Working directory               : C:\WINDOWS\system32
        Environment variables location  : %SystemRoot%\system32\calc.exe

Distributed link tracking data:
        Machine identifier              : hostname
        Droid volume identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Droid file identifier           : 00000000-1111-2222-3333-444444444444
        Birth droid volume identifier   : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Birth droid file identifier     : 00000000-1111-2222-3333-444444444444

History

Liblnk was created by Joachim Metz in 2009, while working for Hoffmann Investigations.

See Also

  • Windows Shortcut File (LNK) format

External Links

  • Project site: code.google.com/p/liblnk/