LNK - Revision history

Joachim Metz: /* Tools */

2013-02-10T13:47:59Z

‎Tools

2013-02-10T13:47:49Z

‎External Links

2012-07-20T05:04:28Z

‎External Links

2012-07-20T05:03:34Z

2012-03-13T19:32:13Z

‎External Links

2011-12-28T15:16:33Z

2011-12-28T15:15:42Z

2011-01-12T08:10:39Z

‎Metadata

2010-12-20T18:13:50Z

‎External Links

2010-12-20T18:11:42Z

‎External Links

@@ Line 48: / Line 48: @@
 * [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)]
-=== Tools ===
+== Tools ==
 * [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser.] Free tool that can be run on Windows, Linux or Mac OS-X
 * [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]

@@ Line 43: / Line 43: @@
 * [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
 * [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
-* [https://downloads.sourceforge.net/project/liblnk/Documentation/LNK%20file%20format/Windows%20Shortcut%20File%20%28LNK%29%20format.pdf Windows Shortcut File (LNK) format ]
+* [http://code.google.com/p/liblnk/downloads/detail?name=Windows%20Shortcut%20File%20%28LNK%29%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
 * [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files]
 * [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)]
@@ Line 52: / Line 52: @@
 * [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
 * [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
-* [http://sourceforge.net/projects/liblnk/ Library and tools to access the Windows Shortcut File (LNK) Format]
+* [[liblnk]]
 * [http://code.google.com/p/lnk-parser/ lnk-parser]
 [[Category:File Formats]]

@@ Line 41: / Line 41: @@
 * [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations]
 * [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
 * [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
@@ Line 50: / Line 49: @@
 === Tools ===
 * [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
 * [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]

@@ Line 41: / Line 41: @@
 * [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations]
 * [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser.] Free tool that can be run on Windows, Linux or Mac OS-X
 * [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
@@ Line 50: / Line 48: @@
 * [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)]
 * [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)]
 [[Category:File Formats]]

@@ Line 48: / Line 48: @@
 * [https://downloads.sourceforge.net/project/liblnk/Documentation/LNK%20file%20format/Windows%20Shortcut%20File%20%28LNK%29%20format.pdf Windows Shortcut File (LNK) format ]
 * [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files]
 [[Category:File Formats]]

@@ Line 7: / Line 7: @@
 The file format indicates that these files contain a specific signature, 0x4C (4C 00 00 00) at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.
-Understanding this file format can be extremely useful for an analyst, as not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump List]] files on Windows 7 and 8.
+Understanding this file format can be extremely useful for an analyst, as not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on Windows 7 and 8.
 == Metadata ==

@@ Line 5: / Line 5: @@
 The Windows Shortcut file has the extension .lnk.
 It basically is a metadata file, specific for the Microsoft Windows platform and is interpreted by the Windows Shell.
-The file format does not specify a specific signature, but the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.
+The file format indicates that these files contain a specific signature, 0x4C (4C 00 00 00) at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.
 == Metadata ==

@@ Line 18: / Line 18: @@
 </pre>
-* The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
+* The [[Shell Item]] list of the target;
 * The size of the target when it was last accessed;
 * Serial number of the volume where the target was stored;