Difference between pages "LNK" and "Blogs"

From ForensicsWiki
(Difference between pages)

Page "Blogs" (Revision as of 01:52, 29 January 2014):

[[Computer forensics]] related resources like: blogs, fora, tweets, tools and challenges (and test images).

= Blogs =

== English ==

* [http://www.appleexaminer.com/ The Apple Examiner]
* [http://computer.forensikblog.de/en/ Computer Forensics Blog], by [[Andreas Schuster]]
* [http://www.niiconsulting.com/checkmate/ Checkmate - e-zine on Digital Forensics and Incident Response]
* [http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html Jack Koziol - Ethical Hacking and Computer Forensics]
* [http://windowsir.blogspot.com/ Windows Incident Response Blog], by [[Harlan Carvey]]
* [http://geschonneck.com/ Computer Forensics Blog], by [[Alexander Geschonneck]]
* [http://forensicblog.org/ Computer Forensics Blog], by [[Michael Murr]]
* [http://forenshick.blogspot.com/ Forensic news, Technology, TV, and more], by [[Jordan Farr]]
* [http://unixsadm.blogspot.com/ UNIX, OpenVMS and Windows System Administration, Digital Forensics, High Performance Computing, Clustering and Distributed Systems], by [[Criveti Mihai]]
* [http://intrusions.blogspot.com/ Various Authors - Intrusions and Malware Analysis]
* [http://chicago-ediscovery.com/education/computer-forensics-glossary/ Computer Forensic Glossary Blog, HOWTOs and other resources], by [[Andrew Hoog]]
* [http://secureartisan.wordpress.com/ Digital Forensics with a Focus on EnCase], by [[Paul Bobby]]
* [http://www.crimemuseum.org/blog/ National Museum of Crime and Punishment-CSI/Forensics Blog]
* [http://forensicsfromthesausagefactory.blogspot.com/ Forensics from the sausage factory]
* [http://integriography.wordpress.com Computer Forensics Blog], by [[David Kovar]]
* [http://jessekornblum.livejournal.com/ A Geek Raised by Wolves], by [[Jesse Kornblum]]
* [http://computer-forensics.sans.org/blog SANS Computer Forensics and Incident Response Blog by SANS Institute]
* [http://www.digitalforensicsource.com Digital Forensic Source]
* [http://dfsforensics.blogspot.com/ Digital Forensics Solutions]
* [http://forensicaliente.blogspot.com/ Forensicaliente]
* [http://www.ericjhuber.com/ A Fistful of Dongles]
* [http://gleeda.blogspot.com/ JL's stuff]
* [http://4n6k.blogspot.com/ 4n6k]
* [http://justaskweg.com/ JustAskWeg], by [[Jimmy Weg]]
* [http://blog.kiddaland.net/ IR and forensic talk], by [[Kristinn Gudjonsson]]
* [http://c-skills.blogspot.ch/ c-skills], by [[Sebastian Krahmer]]
* [http://sketchymoose.blogspot.ch/ Sketchymoose's Blog]
* [http://www.swiftforensics.com/ All things forensic and security related], by [[Yogesh Khatri]]

=== Windows ===

* [http://blogs.msdn.com/b/ntdebugging/ ntdebugging - Advanced Windows Debugging and Troubleshooting]

== Dutch ==

* [http://stam.blogs.com/8bits/ 8 bits], by [[Mark Stam]] (also contains English articles; otherwise use the [http://translate.google.com/translate?u=http%3A%2F%2Fstam.blogs.com%2F8bits%2Fforensisch%2Findex.html&langpair=nl%7Cen&hl=en&ie=UTF-8 Google translation])

== French ==

* [http://forensics-dev.blogspot.com Forensics-dev] ([http://translate.google.com/translate?u=http%3A%2F%2Fforensics-dev.blogspot.com%2F&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

== German ==

* [http://computer.forensikblog.de/ Computer Forensik Blog Gesamtausgabe], by [[Andreas Schuster]] ([http://computer.forensikblog.de/en/ English version])
* [http://computer-forensik.org computer-forensik.org], by [[Alexander Geschonneck]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.computer-forensik.org&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://henrikbecker.blogspot.com Digitale Beweisführung], by [[Henrik Becker]] ([http://translate.google.com/translate?u=http%3A%2F%2Fhenrikbecker.blogspot.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

== Spanish ==

* [http://www.forensic-es.org/blog forensic-es.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.forensic-es.org%2Fblog&langpair=es%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://www.inforenses.com InForenseS], by [[Javier Pages]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.inforenses.com&langpair=es%7Cen&hl=es&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://windowstips.wordpress.com El diario de Juanito]
* [http://conexioninversa.blogspot.com Conexión inversa]

== Russian ==

* Group-IB: [http://notheft.ru/blogs/group-ib blog at notheft.ru], [http://www.securitylab.ru/blog/company/group-ib/ blog at securitylab.ru]

= Related blogs =

* [http://www.c64allstars.de C64Allstars Blog]
* [http://www.emergentchaos.com/ Emergent Chaos], by [[Adam Shostack]]
* [http://jeffjonas.typepad.com/ Inventor of NORA discusses privacy and all things digital], by [[Jeff Jonas]]
* [http://www.cs.uno.edu/~golden/weblog Digital Forensics, Coffee, Benevolent Hacking], by [[Golden G. Richard III]]

= Circles/Fora/Groups =

* [http://forensicfocus.com/ Forensic Focus]
* [http://tech.groups.yahoo.com/group/win4n6 Yahoo! groups: win4n6 · Windows Forensic Analysis]

= Tweets =

* [http://twitter.com/#!/search/%23DFIR?q=%23DFIR #DFIR]
* [http://twitter.com/#!/search/%23forensics #forensics]

= Tools =

* [http://www2.opensourceforensics.org/ Open Source Digital Forensics]
* [http://forensiccontrol.com/resources/free-software/ Free computer forensic tools]
* [http://code.google.com/p/libyal/ Yet another library library (and tools)]

= Challenges (and test images) =

* [http://www.dc3.mil/challenge/ DC3 Challenges]
* [http://testimages.wordpress.com/ Digital Forensics Test Images]
* [http://www.forensicfocus.com/images-and-challenges Forensic Focus - Test Images and Forensic Challenges]
* [https://www.honeynet.org/challenges/ Honeynet Project Challenges]
* [http://secondlookforensics.com/linux-memory-images/ Second Look - Linux Memory Images]
* [http://sourceforge.net/projects/nullconctf2014/ NullconCTF2014]

= Conferences =

See: [[:Category:Conferences|Conferences]]

[[Category:Further information]]

Page "LNK":

Microsoft Windows Shortcut Files

== File Format ==

Windows Shortcut files have the extension .lnk. A shortcut is essentially a metadata file, specific to the Microsoft Windows platform, that is interpreted by the Windows Shell.

The format starts with a fixed signature: the 32-bit value 0x4C (bytes 4C 00 00 00) at offset 0 of the file or stream. The GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 is a second good identifier; checking both together gives a more reliable identification than either alone.

Understanding this file format can be extremely useful for an analyst: not only are shortcut files still employed as of Windows 7, but the same binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on [[Windows 7]] and [[Windows 8|8]].

== Metadata ==

* [[MAC times]] of the target. These are a snapshot of the target's timestamps from before it was last opened. The target can be several things, for example a (linked) file:

<pre>
Linked file information:
Creation time : Jul 26, 2009 14:44:34 UTC
Modification time : Jul 26, 2009 14:44:34 UTC
Access time : Aug 12, 2010 06:41:50 UTC
Local path : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
</pre>

* The [[Shell Item]] list of the target;
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored;
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes);
* Distributed link tracking information, e.g.:

<pre>
Distributed link tracker information:
Machine identifier string          : mysystem
Droid volume identifier            : 11111111-2222-3333-4444-555555555555
Droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
Birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</pre>

== External Links ==

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations], by [[Harry Parsonage]], September 2008
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
* [https://googledrive.com/host/0B3fBvzttpiiSQmluVC1YeDVvZWM/Windows%20Shortcut%20File%20(LNK)%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files], by Nathan Weilbacher
* [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)], by [[Jordi Sánchez López]], August 10, 2010
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010

== Tools ==

* [http://jafat.sourceforge.net/files.html jafat]; free tool (in Perl) that is capable of reading and reporting on Windows shortcut files
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
* [[liblnk]]
* [http://code.google.com/p/lnk-parser/ lnk-parser]
* [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser]; free tool that can be run on Windows, Linux or Mac OS-X

[[Category:File Formats]]

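The following is an added example, not code from the wiki page or from any of the tools it lists, illustrating the "File Format" and "Metadata" sections of the LNK page above. It validates the two identifiers the page names (HeaderSize 0x4C at offset 0 and the CLSID at offset 4), decodes the target's timestamps, size and attribute flags from the fixed header, and reads the distributed link tracking fields (machine identifier and the four droid GUIDs) from the TrackerDataBlock. The field layout and the 0xA0000003 block signature are taken from the MS-SHLLINK specification the page links to; the function names, the sample bytes (built with the values from the page's example output) and the reduced flag tables are this example's own.

```python
"""Parser for the fixed ShellLinkHeader of a Windows .lnk file plus its
TrackerDataBlock (layouts per MS-SHLLINK). Added example; sample bytes are constructed."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C                        # also the "4C 00 00 00" signature at offset 0
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # stored at offset 4
TRACKER_BLOCK_SIGNATURE = 0xA0000003          # ExtraData: TrackerDataBlock
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of the LinkFlags and FileAttributes bits; enough for this example.
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRIBUTES = {0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM",
                   0x0010: "DIRECTORY", 0x0020: "ARCHIVE", 0x0200: "SPARSE_FILE",
                   0x0800: "COMPRESSED", 0x1000: "OFFLINE", 0x4000: "ENCRYPTED"}

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]

def parse_lnk_header(data):
    """Check the two identifiers the page describes, then decode the fixed header."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid_le, link_flags, attrs, ctime, atime, wtime,
     file_size) = struct.unpack_from("<I16sIIQQQI", data, 0)
    if size != LNK_HEADER_SIZE:
        raise ValueError("HeaderSize is 0x%X, expected 0x4C" % size)
    if uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("LinkCLSID at offset 4 does not match")
    return {"raw_link_flags": link_flags,
            "link_flags": flag_names(link_flags, LINK_FLAGS),
            "file_attributes": flag_names(attrs, FILE_ATTRIBUTES),
            "creation_time": filetime_to_datetime(ctime),   # target's MAC times
            "access_time": filetime_to_datetime(atime),
            "write_time": filetime_to_datetime(wtime),
            "file_size": file_size}                          # target size at last access

def extra_data_offset(data, link_flags):
    """Skip the optional structures that precede ExtraData, in MS-SHLLINK order."""
    off = LNK_HEADER_SIZE
    if link_flags & 0x01:                       # LinkTargetIDList: IDListSize + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if link_flags & 0x02:                       # LinkInfo begins with LinkInfoSize
        off += struct.unpack_from("<I", data, off)[0]
    char_size = 2 if link_flags & 0x80 else 1   # IsUnicode selects UTF-16 strings
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # StringData: CountCharacters + chars
        if link_flags & bit:
            off += 2 + char_size * struct.unpack_from("<H", data, off)[0]
    return off

def parse_tracker_block(data, offset):
    """Walk the ExtraData blocks; return the link tracking fields, or None if absent."""
    while offset + 8 <= len(data):
        block_size, signature = struct.unpack_from("<II", data, offset)
        if block_size < 4:                      # TerminalBlock ends the list
            return None
        if signature == TRACKER_BLOCK_SIGNATURE and block_size >= 0x60:
            body = data[offset + 16:offset + 96]  # after BlockSize, Signature, Length, Version
            guids = [uuid.UUID(bytes_le=body[i:i + 16]) for i in range(16, 80, 16)]
            return {"machine_id": body[:16].split(b"\x00", 1)[0].decode("ascii", "replace"),
                    "droid_volume": guids[0], "droid_file": guids[1],
                    "birth_droid_volume": guids[2], "birth_droid_file": guids[3]}
        offset += block_size
    return None

def parse_lnk(data):
    result = parse_lnk_header(data)
    result["tracker"] = parse_tracker_block(data, extra_data_offset(data, result["raw_link_flags"]))
    return result

def build_sample_lnk():
    """Constructed sample: header + TrackerDataBlock + TerminalBlock, using the
    values shown in the page's example output (not a real evidence file)."""
    created = datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc)
    accessed = datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc)
    header = struct.pack("<I16sIIQQQI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, 0x80, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(created), 1234)
    header += struct.pack("<iIHHII", 0, 1, 0, 0, 0, 0)  # IconIndex, ShowCommand, HotKey, Reserved1-3
    vol = uuid.UUID("11111111-2222-3333-4444-555555555555")
    fil = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    tracker = struct.pack("<IIII", 0x60, TRACKER_BLOCK_SIGNATURE, 0x58, 0)
    tracker += b"mysystem".ljust(16, b"\x00") + vol.bytes_le + fil.bytes_le + vol.bytes_le + fil.bytes_le
    return header + tracker + struct.pack("<I", 0)

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print("%-18s: %s" % (key, value))
```

The parser rejects a stream whose HeaderSize or CLSID is wrong rather than guessing, which matters when the same routine is pointed at the numbered streams of an automaticDestinations-ms Jump List, where not every stream is a shortcut. The timestamps are returned as timezone-aware UTC values so they can be compared directly with the file system timestamps of the target; a difference between them is exactly the "snapshot" behaviour the Metadata section describes.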