Difference between revisions of "Liblnk"

From ForensicsWiki
 
(3 intermediate revisions by the same user not shown)
Line 5: Line 5:
 
   genre = {{Analysis}} |
 
   genre = {{Analysis}} |
 
   license = {{LGPL}} |
 
   license = {{LGPL}} |
   website = [http://code.google.com/p/liblnk/ code.google.com/p/liblnk/] |
+
   website = [https://github.com/libyal/liblnk/ github.com/libyal/liblnk/] |
 
}}
 
}}
  
Line 22: Line 22:
  
 
<pre>
 
<pre>
lnkinfo 20110711
+
lnkinfo 20150617
  
 
Windows Shortcut information:
 
Windows Shortcut information:
        Contains a link target identifier
+
Contains a link target identifier
        Contains a description string
+
Contains a description string
        Contains a working directory string
+
Contains a working directory string
        Contains an environment variables block
+
Contains an environment variables block
  
 
Link information:
 
Link information:
        Creation time                   : Aug 10, 2004 16:54:24.000000 UTC
+
Creation time : Aug 10, 2004 16:54:24.000000000 UTC
        Modification time               : Aug 04, 2004 14:00:00.000000 UTC
+
Modification time : Aug 04, 2004 14:00:00.000000000 UTC
        Access time                     : Jun 26, 2006 10:36:41.703125 UTC
+
Access time : Jun 26, 2006 10:36:41.703125000 UTC
        Local path                     : C:\WINDOWS\system32\calc.exe
+
File size : 114688 bytes
        Description                     : @%SystemRoot%\system32\shell32.dll,-22531
+
File attribute flags : 0x00000020
        Working directory               : C:\WINDOWS\system32
+
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
        Environment variables location : %SystemRoot%\system32\calc.exe
+
Drive type : Fixed (3)
 +
Drive serial number : 0xc868f004
 +
Volume label : System
 +
Local path : C:\WINDOWS\system32\calc.exe
 +
Description : @%SystemRoot%\system32\shell32.dll,-22531
 +
Working directory : C:\WINDOWS\system32
 +
Environment variables location : %SystemRoot%\system32\calc.exe
 +
 
 +
Link target identifier:
 +
Shell item list
 +
Number of items : 5
 +
 
 +
Shell item: 1
 +
Item type : Root folder
 +
Class type indicator : 0x1f (Root folder)
 +
Shell folder identifier : 20d04fe0-3aea-1069-a2d8-08002b30309d
 +
Shell folder name : My Computer
 +
 
 +
Shell item: 2
 +
Item type : Volume
 +
Class type indicator : 0x2f (Volume)
 +
Volume name : C:\
 +
 
 +
Shell item: 3
 +
Item type : File entry
 +
Class type indicator : 0x31 (File entry: Directory)
 +
Name : WINDOWS
 +
Modification time : Dec 17, 2006 20:55:44
 +
File attribute flags : 0x00000010
 +
Is directory (FILE_ATTRIBUTE_DIRECTORY)
 +
Extension block: 1
 +
Signature : 0xbeef0004 (File entry extension)
 +
Long name : WINDOWS
 +
Creation time : Feb 01, 2006 21:49:46
 +
Access time : Dec 17, 2006 20:55:48
 +
 
 +
Shell item: 4
 +
Item type : File entry
 +
Class type indicator : 0x31 (File entry: Directory)
 +
Name : system32
 +
Modification time : Nov 26, 2006 19:56:54
 +
File attribute flags : 0x00000030
 +
Is directory (FILE_ATTRIBUTE_DIRECTORY)
 +
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
 +
Extension block: 1
 +
Signature : 0xbeef0004 (File entry extension)
 +
Long name : system32
 +
Creation time : Feb 01, 2006 21:49:46
 +
Access time : Dec 17, 2006 20:49:46
 +
 
 +
Shell item: 5
 +
Item type : File entry
 +
Class type indicator : 0x32 (File entry: File)
 +
Name : calc.exe
 +
Modification time : Aug 04, 2004 14:00:00
 +
File attribute flags : 0x00000020
 +
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
 +
Extension block: 1
 +
Signature : 0xbeef0004 (File entry extension)
 +
Long name : calc.exe
 +
Creation time : Aug 10, 2004 16:54:24
 +
Access time : Jun 26, 2006 10:36:42
  
 
Distributed link tracking data:
 
Distributed link tracking data:
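Review bot: the added "Drive serial number : 0xc868f004" and "Volume label : System" lines publish volume identifiers from the sample system, while the droid volume and file identifiers further down the same sample are masked with placeholder GUIDs. Either mask the serial number the same way or state above the sample that the file comes from a test system, so the page is consistent about which identifying values it shows.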
Line 45: Line 106:
 
         Birth droid volume identifier  : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
 
         Birth droid volume identifier  : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
 
         Birth droid file identifier    : 00000000-1111-2222-3333-444444444444
 
         Birth droid file identifier    : 00000000-1111-2222-3333-444444444444
 
 
</pre>
 
</pre>
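Review bot: the "Birth droid" lines of the distributed link tracking block are left untouched here, still with the space indentation of the older capture, although the version line of the same sample was changed to "lnkinfo 20150617". Regenerate this block with the same lnkinfo version as the rest of the output, or say that it was carried over, so the sample reflects a single tool run.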
  
Line 57: Line 117:
 
== External Links ==
 
== External Links ==
  
* [http://code.google.com/p/liblnk/ Project site]
+
* [https://github.com/libyal/liblnk/ Project site]
* [http://liblnk.sourceforge.net Old project site]
+
 
 +
[[Category:Libyal]]

Latest revision as of 05:57, 24 August 2015

liblnk
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Analysis
License: LGPL
Website: github.com/libyal/liblnk/

The liblnk package contains a library and applications to read the Windows Explorer Shortcut (LNK) format.

Tools

The liblnk package contains the following tools:

  • lnkinfo, which shows information about LNK files.

Examples

Requesting the information in a LNK file:

lnkinfo Calculator.lnk
lnkinfo 20150617

Windows Shortcut information:
	Contains a link target identifier
	Contains a description string
	Contains a working directory string
	Contains an environment variables block

Link information:
	Creation time			: Aug 10, 2004 16:54:24.000000000 UTC
	Modification time		: Aug 04, 2004 14:00:00.000000000 UTC
	Access time			: Jun 26, 2006 10:36:41.703125000 UTC
	File size			: 114688 bytes
	File attribute flags		: 0x00000020
		Should be archived (FILE_ATTRIBUTE_ARCHIVE)
	Drive type			: Fixed (3)
	Drive serial number		: 0xc868f004
	Volume label			: System
	Local path			: C:\WINDOWS\system32\calc.exe
	Description			: @%SystemRoot%\system32\shell32.dll,-22531
	Working directory		: C:\WINDOWS\system32
	Environment variables location	: %SystemRoot%\system32\calc.exe

Link target identifier:
	Shell item list
		Number of items		: 5

	Shell item: 1
		Item type		: Root folder
		Class type indicator	: 0x1f (Root folder)
		Shell folder identifier	: 20d04fe0-3aea-1069-a2d8-08002b30309d
		Shell folder name	: My Computer

	Shell item: 2
		Item type		: Volume
		Class type indicator	: 0x2f (Volume)
		Volume name		: C:\

	Shell item: 3
		Item type		: File entry
		Class type indicator	: 0x31 (File entry: Directory)
		Name			: WINDOWS
		Modification time	: Dec 17, 2006 20:55:44
		File attribute flags	: 0x00000010
			Is directory (FILE_ATTRIBUTE_DIRECTORY)
	Extension block: 1
		Signature		: 0xbeef0004 (File entry extension)
		Long name		: WINDOWS
		Creation time		: Feb 01, 2006 21:49:46
		Access time		: Dec 17, 2006 20:55:48

	Shell item: 4
		Item type		: File entry
		Class type indicator	: 0x31 (File entry: Directory)
		Name			: system32
		Modification time	: Nov 26, 2006 19:56:54
		File attribute flags	: 0x00000030
			Is directory (FILE_ATTRIBUTE_DIRECTORY)
			Should be archived (FILE_ATTRIBUTE_ARCHIVE)
	Extension block: 1
		Signature		: 0xbeef0004 (File entry extension)
		Long name		: system32
		Creation time		: Feb 01, 2006 21:49:46
		Access time		: Dec 17, 2006 20:49:46

	Shell item: 5
		Item type		: File entry
		Class type indicator	: 0x32 (File entry: File)
		Name			: calc.exe
		Modification time	: Aug 04, 2004 14:00:00
		File attribute flags	: 0x00000020
			Should be archived (FILE_ATTRIBUTE_ARCHIVE)
	Extension block: 1
		Signature		: 0xbeef0004 (File entry extension)
		Long name		: calc.exe
		Creation time		: Aug 10, 2004 16:54:24
		Access time		: Jun 26, 2006 10:36:42

Distributed link tracking data:
        Machine identifier              : hostname
        Droid volume identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Droid file identifier           : 00000000-1111-2222-3333-444444444444
        Birth droid volume identifier   : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Birth droid file identifier     : 00000000-1111-2222-3333-444444444444
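
Where the first fields of the "Link information" section come from, as an added example that is not part of liblnk or of the original page: a minimal Python parser for the fixed 76-byte shell link header, with field layout and flag names taken from the MS-SHLLINK specification. `SAMPLE` is a constructed header (not a real file) whose values mirror the lnkinfo output above; the function names and `SAMPLE` are assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkCLSID 00021401-0000-0000-c000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Subset of the LinkFlags bits, named as in MS-SHLLINK
LINK_FLAGS = {
    0x001: "HasLinkTargetIDList", 0x002: "HasLinkInfo",
    0x004: "HasName",             0x008: "HasRelativePath",
    0x010: "HasWorkingDir",       0x020: "HasArguments",
    0x040: "HasIconLocation",     0x200: "HasExpString",
}

def filetime_to_utc(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_lnk_header(data):
    """Parse the fixed header; raise ValueError if data is not a shortcut."""
    if len(data) < 76:
        raise ValueError("truncated shell link header")
    size, clsid, flags, attrs, ctime, atime, mtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Windows shortcut (bad header size or CLSID)")
    return {
        "contains": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attribute_flags": attrs,
        "creation_time": filetime_to_utc(ctime),
        "access_time": filetime_to_utc(atime),
        "modification_time": filetime_to_utc(mtime),
        "file_size": fsize,
    }

def to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

# Constructed sample: flags match the four "Contains ..." lines shown above.
SAMPLE = struct.pack(
    "<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x001 | 0x004 | 0x010 | 0x200, 0x20,
    to_filetime(datetime(2004, 8, 10, 16, 54, 24, tzinfo=timezone.utc)),
    to_filetime(datetime(2006, 6, 26, 10, 36, 41, 703125, tzinfo=timezone.utc)),
    to_filetime(datetime(2004, 8, 4, 14, 0, 0, tzinfo=timezone.utc)),
    114688, 0, 1, 0, 0, 0, 0)  # file size, icon index, show command, hot key, reserved
```

The header stores the timestamps in the order creation, access, modification, which differs from the order lnkinfo prints them in.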

History

Liblnk was created by Joachim Metz in 2009, while working for Hoffmann Investigations.

See Also

External Links