Difference between pages "LNK" and "Unix"

From ForensicsWiki
Page "Unix":

'''Unix''' or '''UNIX''' is a general-purpose multi-user [[operating system]] developed mostly by [[Ken Thompson]] and [[Dennis Ritchie]] during 1969 at [[Bell Labs]]. About one year later, in the early 1970s, UNIX was unveiled to the general public. The original goal, as it is today, was to create a stable, secure, and powerful operating system that is portable to many different hardware platforms.

Today UNIX has evolved into three main categories from which all flavors of UNIX derive: [[BSD]] (Berkeley Software Distribution), [[System V]] Release 4, and hybrid. Some of the most popular flavors of UNIX are: [[IBM]]’s [[AIX]], [[Sun Microsystems]]' [[Solaris]], [[SGI]]’s [[IRIX]], [[Linux]], [[OpenBSD]], and [[FreeBSD]].

== External Links ==

* [http://upload.wikimedia.org/wikipedia/commons/5/50/Unix_history-simple.png Wikipedia: Time Line of UNIX]
* [http://blog.eukhost.com/2006/11/30/linux-flavors: Unix Flavours]

=== File permissions ===

* [http://content.hccfl.edu/pollock/aunix1/filepermissions.htm Unix File and Directory Permissions and Modes], by Wayne Pollock, 2001

Revision as of 03:41, 1 December 2013

Page "LNK":

Microsoft Windows Shortcut Files

== File Format ==

The Windows Shortcut file has the extension .lnk. It is essentially a metadata file specific to the Microsoft Windows platform and is interpreted by the Windows Shell.

These files start with a fixed signature: the 4-byte value 0x4C (bytes 4C 00 00 00) at offset 0 of the file or stream. The GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 is a good additional identifier.

Understanding this file format can be extremely useful for an analyst: not only are shortcut files still employed as of Windows 7, but the same binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on [[Windows 7]] and [[Windows 8|8]].

== Metadata ==

* [[MAC times]] of the target. These are a snapshot of the target's date and time stamps taken before it was last opened. The target can be several things, for example a (linked) file;
<pre>
Linked file information:
Creation time : Jul 26, 2009 14:44:34 UTC
Modification time : Jul 26, 2009 14:44:34 UTC
Access time : Aug 12, 2010 06:41:50 UTC
Local path : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
</pre>

* The [[Shell Item]] list of the target;
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored;
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes);
* Distributed link tracking information, e.g.

<pre>
Distributed link tracker information:
Machine identifier string          : mysystem
Droid volume identifier            : 11111111-2222-3333-4444-555555555555
Droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
Birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</pre>

== External Links ==

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations], by [[Harry Parsonage]], September 2008
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
* [https://googledrive.com/host/0B3fBvzttpiiSQmluVC1YeDVvZWM/Windows%20Shortcut%20File%20(LNK)%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files], by Nathan Weilbacher
* [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)], by [[Jordi Sánchez López]], August 10, 2010
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010

== Tools ==

* [http://jafat.sourceforge.net/files.html jafat]; free tool (in Perl) that is capable of reading and reporting on Windows shortcut files
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
* [[liblnk]]
* [http://code.google.com/p/lnk-parser/ lnk-parser]
* [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser]; free tool that can be run on Windows, Linux or Mac OS-X

[[Category:File Formats]]
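The identification check (HeaderSize 0x4C at offset 0, LinkCLSID at offset 4) and the header-level metadata (target MAC times, size and attributes) described in the LNK page's File Format and Metadata sections, as an added example that is not from ForensicsWiki or from any of the tools listed there. It is a small Python parser for the fixed 76-byte ShellLinkHeader; the field layout and the LinkFlags/FileAttributes bit values follow the public MS-SHLLINK specification, while the sample header bytes, times and size are constructed for this example.

```python
"""Added example: parse the fixed 76-byte ShellLinkHeader of a Windows Shortcut (.lnk).

Header layout and flag values follow the public MS-SHLLINK specification; the
sample header built at the bottom is constructed for this example.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C                 # bytes 4C 00 00 00 at offset 0
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # at offset 4
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags bits that decide which optional structures follow the header.
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}

# FileAttributes bits: the target's attributes when the shortcut was created.
FILE_ATTRIBUTES = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
    0x0020: "ARCHIVE", 0x0080: "NORMAL", 0x0100: "TEMPORARY", 0x0200: "SPARSE_FILE",
    0x0400: "REPARSE_POINT", 0x0800: "COMPRESSED", 0x1000: "OFFLINE",
    0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
}


def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return None if ft == 0 else _EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc, used here only to build the constructed sample."""
    return (dt - _EPOCH_1601) // timedelta(microseconds=1) * 10


def _bits(value, table):
    """Names of the bits in `table` that are set in `value`."""
    return [name for bit, name in table.items() if value & bit]


def is_lnk(data):
    """Identification check: HeaderSize 0x4C at offset 0 and the LinkCLSID at offset 4."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and uuid.UUID(bytes_le=data[4:20]) == LNK_CLSID


def parse_header(data):
    """Return the ShellLinkHeader fields as a dict; raise ValueError on a bad signature."""
    if not is_lnk(data):
        raise ValueError("not a Windows Shortcut: bad HeaderSize or LinkCLSID")
    # Fields from offset 20: LinkFlags, FileAttributes, CreationTime, AccessTime,
    # WriteTime, FileSize, IconIndex (signed), ShowCommand, HotKey.
    (flags, attrs, ctime, atime, wtime, size,
     icon, show, hotkey) = struct.unpack_from("<IIQQQIiIH", data, 20)
    return {
        "link_flags": _bits(flags, LINK_FLAGS),
        "file_attributes": _bits(attrs, FILE_ATTRIBUTES),
        "creation_time": filetime_to_utc(ctime),
        "access_time": filetime_to_utc(atime),
        "write_time": filetime_to_utc(wtime),
        "file_size": size,
        "icon_index": icon,
        "show_command": show,
        "hot_key": hotkey,
    }


def build_header(flags, attrs, ctime, atime, wtime, size):
    """Pack a 76-byte ShellLinkHeader (IconIndex 0, ShowCommand 1 = SW_SHOWNORMAL, reserved zeroed)."""
    return (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le +
            struct.pack("<IIQQQIiIHHII", flags, attrs, ctime, atime, wtime, size,
                        0, 1, 0, 0, 0, 0))


# Constructed sample: a read-only archive file target; the times mirror the page's output.
SAMPLE_LNK = build_header(
    flags=0x83, attrs=0x21,
    ctime=utc_to_filetime(datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc)),
    atime=utc_to_filetime(datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc)),
    wtime=utc_to_filetime(datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc)),
    size=12345,
)

if __name__ == "__main__":
    for key, value in parse_header(SAMPLE_LNK).items():
        print(f"{key:16}: {value}")
```

The parser deliberately stops at byte 76: everything after the header (the Shell Item list, the LinkInfo block carrying the volume serial number and local path, the string data, and the distributed link tracking data) is optional and its presence and layout are governed by the LinkFlags value, which is exactly the part the "LNK Parsing: You're doing it wrong" posts above warn about. A full parser such as liblnk is needed for those structures; the header check here is enough to triage a file or a Jump List stream and to pull the target's MAC times, size and attributes.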
