Difference between pages "Gzip" and "LNK"

From Forensics Wiki

Gzip

{{expand}}

== File format ==
The gzip file (.gz) format consists of:
* a file header
* optional headers
** extra fields
** original file name
** comment
** header checksum
* compressed data (the commonly used compression method is DEFLATE, without a zlib header)
* a file footer

{| class="wikitable"
! align="left"| Characteristics
! Description
|-
| Byte order || little-endian
|-
| Date and time values || POSIX timestamp (see the file header below)
|-
| Character string || ISO 8859-1 (LATIN-1)
|}

=== File header ===
The file header is 10 bytes in size and contains:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0 || 2 || 0x1f 0x8b || Signature (or identification bytes 1 and 2)
|-
| 2 || 1 || || Compression method
|-
| 3 || 1 || || Flags
|-
| 4 || 4 || || Last modification time <br> Contains a POSIX timestamp.
|-
| 8 || 1 || || Compression flags (or extra flags)
|-
| 9 || 1 || || Operating system <br> Value that indicates on which operating system the gzip file was created.
|}

==== Compression method ====
{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0 - 7 || || Reserved
|-
| 8 || deflate || deflate compressed data
|}

==== Flags ====
{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x01 || FTEXT || If set, the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints at end-of-line conversion for cross-platform text files but does not enforce it.
|-
| 0x02 || FHCRC || The file contains a header checksum (CRC-16)
|-
| 0x04 || FEXTRA || The file contains extra fields
|-
| 0x08 || FNAME || The file contains an original file name string
|-
| 0x10 || FCOMMENT || The file contains a comment
|-
| 0x20 || || Reserved
|-
| 0x40 || || Reserved
|-
| 0x80 || || Reserved
|}

<b>Notes:</b>
* Reserved flag bits must be zero.
* The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.

==== Compression flags ====
This value contains flags specific to the compression method.

===== Compression flags - deflate =====
If the compression method value is 8 (deflate), the following compression flags can be used:
{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x02 || || compressor used maximum compression, slowest algorithm
|-
| 0x04 || || compressor used fastest algorithm
|}

==== Operating System ====
{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0 || || FAT filesystem (MS-DOS, OS/2, NT/Win32)
|-
| 1 || || Amiga
|-
| 2 || || VMS (or OpenVMS)
|-
| 3 || || Unix
|-
| 4 || || VM/CMS
|-
| 5 || || Atari TOS
|-
| 6 || || HPFS filesystem (OS/2, NT)
|-
| 7 || || Macintosh
|-
| 8 || || Z-System
|-
| 9 || || CP/M
|-
| 10 || || TOPS-20
|-
| 11 || || NTFS filesystem (NT)
|-
| 12 || || QDOS
|-
| 13 || || Acorn RISCOS
|-
| 255 || || unknown
|}

=== Optional headers ===
==== Extra fields ====
This value is present in the file if the FEXTRA flag is set in the file header flags.

The extra field is variable in size and contains:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0 || 2 || || Extra field data size <br> Value in bytes.
|-
| 2 || ... || || Extra field data
|}

==== Original file name ====
This value is present in the file if the FNAME flag is set in the file header flags.

This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case-insensitive names, forced to lower case.

Contains an ISO 8859-1 (LATIN-1) string with an end-of-string character.

==== Comment ====
This value is present in the file if the FCOMMENT flag is set in the file header flags.

Contains an ISO 8859-1 (LATIN-1) string with an end-of-string character. Line breaks should be denoted by a single line feed character.

==== Header checksum ====
The header checksum contains a CRC-16 that consists of the two least significant bytes of the CRC-32 of all bytes of the gzip header up to and not including the CRC-16.

=== File footer ===
The file footer is 8 bytes in size and contains:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0 || 4 || || Checksum (CRC-32)
|-
| 4 || 4 || || Uncompressed data size <br> Value in bytes.
|}

== See Also ==
* [[bzip2]]

== External Links ==
* [http://www.gzip.org/format.txt The gzip file format], by the [http://www.gzip.org/ gzip project]
* [http://www.gzip.org/algorithm.txt The gzip compression algorithm], by the [http://www.gzip.org/ gzip project]
* [http://tools.ietf.org/html/rfc1952 RFC1952: GZIP file format specification version 4.3], by [[IETF]]
* [http://en.wikipedia.org/wiki/Gzip Wikipedia: gzip]

[[Category:File Formats]]
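As an added example (not code from the wiki page or the gzip project), a Python walker over the member layout described above: the fixed 10-byte header, the optional FEXTRA/FNAME/FCOMMENT/FHCRC headers in the order the format requires, the raw DEFLATE data, and the CRC-32/ISIZE footer. The sample member it builds is constructed here; its mtime, extra subfield, name and comment are invented values.

```python
import struct
import zlib

def _cstring(data, pos):
    """Read a NUL-terminated ISO 8859-1 string at pos; return (text, position after the NUL)."""
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("latin-1"), end + 1

def parse_gzip(data):
    """Walk one gzip member: fixed header, optional headers, raw DEFLATE data, footer."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("bad gzip signature")
    method, flags, mtime, xfl, os_id = struct.unpack_from("<BBIBB", data, 2)
    if flags & 0xE0:
        raise ValueError("reserved flag bits 0x20/0x40/0x80 must be zero")
    if method != 8:
        raise ValueError("unsupported compression method %d" % method)
    info = {"flags": flags, "mtime": mtime, "xfl": xfl, "os": os_id}
    pos = 10
    if flags & 0x04:                                   # FEXTRA: 2-byte length, then data
        xlen, = struct.unpack_from("<H", data, pos)
        info["extra"] = data[pos + 2:pos + 2 + xlen]
        pos += 2 + xlen
    if flags & 0x08:                                   # FNAME
        info["name"], pos = _cstring(data, pos)
    if flags & 0x10:                                   # FCOMMENT
        info["comment"], pos = _cstring(data, pos)
    if flags & 0x02:                                   # FHCRC: low 16 bits of CRC-32 of the header so far
        stored, = struct.unpack_from("<H", data, pos)
        info["header_crc_ok"] = stored == zlib.crc32(data[:pos]) & 0xFFFF
        pos += 2
    d = zlib.decompressobj(-15)                        # negative wbits: raw DEFLATE, no zlib header
    payload = d.decompress(data[pos:])
    crc32, isize = struct.unpack_from("<II", d.unused_data, 0)   # the 8-byte footer
    info["crc_ok"] = crc32 == zlib.crc32(payload)
    info["size_ok"] = isize == len(payload) % 2**32   # ISIZE is the size modulo 2^32
    info["payload"] = payload
    return info

def build_sample():
    """Constructed member with FHCRC, FEXTRA, FNAME and FCOMMENT set (flags 0x1e)."""
    body = b"hello gzip header\n" * 4
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(body) + comp.flush()
    hdr = b"\x1f\x8b" + struct.pack("<BBIBB", 8, 0x1E, 1385798580, 2, 3)  # deflate, mtime, XFL=max, OS=Unix
    hdr += struct.pack("<H", 4) + b"AB\x00\x00"        # one extra subfield: id "AB", data length 0
    hdr += b"notes.txt\x00" + b"constructed sample\x00"
    hdr += struct.pack("<H", zlib.crc32(hdr) & 0xFFFF)
    return hdr + deflated + struct.pack("<II", zlib.crc32(body), len(body))
```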

Revision as of 08:03, 30 November 2013

Microsoft Windows Shortcut Files

== File Format ==
The Windows Shortcut file has the extension .lnk. It is essentially a metadata file, specific to the Microsoft Windows platform, and is interpreted by the Windows Shell. The file format specifies that these files contain a specific signature, 0x4C (4C 00 00 00), at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

Understanding this file format can be extremely useful for an analyst, as not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on [[Windows 7]] and [[Windows 8|8]].

== Metadata ==
* [[MAC times]] of the target. These are a snapshot of the target's date and time stamps before it was last opened. The target can be several things, for example a (linked) file:
<pre>
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
</pre>
* The [[Shell Item]] list of the target;
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored;
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes);
* Distributed link tracking information, e.g.
<pre>
Distributed link tracker information:
	Machine identifier string           : mysystem
	Droid volume identifier             : 11111111-2222-3333-4444-555555555555
	Droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
	Birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
	Birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</pre>

== External Links ==
* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations], by [[Harry Parsonage]], September 2008
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
* [https://googledrive.com/host/0B3fBvzttpiiSQmluVC1YeDVvZWM/Windows%20Shortcut%20File%20(LNK)%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files], by Nathan Weilbacher
* [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)], by [[Jordi Sánchez López]], August 10, 2010
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010

== Tools ==
* [http://jafat.sourceforge.net/files.html jafat]; free tool (in Perl) that is capable of reading and reporting on Windows shortcut files
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
* [[liblnk]]
* [http://code.google.com/p/lnk-parser/ lnk-parser]
* [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser]; free tool that can be run on Windows, Linux or Mac OS X

[[Category:File Formats]]
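As an added example (not code from the wiki page or from any of the tools listed), a Python identifier and header reader for the signature and CLSID check described under File Format, which also pulls the target MAC times, size and attributes named under Metadata out of the fixed header. The field order and offsets inside that header (LinkFlags, FileAttributes, three FILETIMEs, FileSize) are taken from MS-SHLLINK rather than from this page, the attribute bit names are the Win32 FILE_ATTRIBUTE_* values, and the 76-byte header it parses is constructed with the time stamps from the sample output above.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C                                   # 4C 00 00 00 at offset 0
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")   # stored little-endian at offset 4
# Fixed ShellLinkHeader layout (assumption: field order and offsets per MS-SHLLINK, not on the page):
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize,
# IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
_HEADER = struct.Struct("<I16sIIQQQIIIHHII")
# Subset of target attribute bits (assumption: Win32 FILE_ATTRIBUTE_* values)
_ATTRS = {0x1: "readonly", 0x2: "hidden", 0x4: "system", 0x10: "directory", 0x20: "archive",
          0x200: "sparse", 0x800: "compressed", 0x1000: "offline", 0x4000: "encrypted"}

def is_lnk(data):
    """Identify a .lnk file or Jump List stream by the header size and LinkCLSID at offsets 0 and 4."""
    return (len(data) >= _HEADER.size
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and uuid.UUID(bytes_le=data[4:20]) == LNK_CLSID)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means the stamp is not set."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk_header(data):
    """Return the target MAC times, size and attributes recorded in the ShellLinkHeader."""
    if not is_lnk(data):
        raise ValueError("not a Windows Shortcut: bad header size or CLSID")
    _, _, flags, attrs, ctime, atime, wtime, size, *_rest = _HEADER.unpack_from(data, 0)
    return {
        "link_flags": flags,
        "attributes": sorted(name for bit, name in _ATTRS.items() if attrs & bit),
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "target_size": size,
    }

def _filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    return int((dt - datetime(1601, 1, 1, tzinfo=timezone.utc)).total_seconds()) * 10_000_000

# Constructed 76-byte header (not a real shortcut); stamps match the sample output on the page
_created = datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc)
_accessed = datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc)
SAMPLE_LNK_HEADER = _HEADER.pack(LNK_HEADER_SIZE, LNK_CLSID.bytes_le, 0x00000001, 0x20,
                                 _filetime(_created), _filetime(_accessed), _filetime(_created),
                                 1234567, 0, 1, 0, 0, 0, 0)
```

The same check applies to each numbered stream extracted from an *.automaticDestinations-ms Jump List, since those streams carry the same header.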