Open Source Windows Link File Examiner (Shortcuts)

Post Posted: Wed Aug 16, 2017 12:44 pm

A little open-source program I have been working on recently:

paul-tew.github.io/lifer/

Parses one or more Windows link files or a whole directory full of them. Output is either plain old text or can be in tab/comma separated values suitable for importing into a spreadsheet for comparative analysis.

In the future I intend to include the ability to parse jumplists too.
_________________
Paul Tew

Retired Forensic Analyst and Researcher 

binarybod
Senior Member
 
 
  

Re: Open Source Windows Link File Examiner (Shortcuts)

Post Posted: Wed Aug 16, 2017 2:24 pm

Interesting. Smile

Any chance of an actual compiled version? Question

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Open Source Windows Link File Examiner (Shortcuts)

Post Posted: Wed Aug 16, 2017 4:03 pm

- jaclaz
Interesting. Smile
jaclaz

Thank you.

- jaclaz
Any chance of an actual compiled version? Question
jaclaz

Not really I'm afraid, it's not something I want to do at the moment.

Installation is quite simple and I've explained it step-by-step in the INSTALLATION text file.

The development of this tool is quite dynamic at the moment and the last thing I want to do is maintain different executables; especially bearing in mind that it will compile on x86, x64 architectures and on Windows and Linux OS's too (Not sure if it will compile on a MAC but it should do). Potentially five or six different executables when I'm changing the code base on an almost daily basis sometimes.

Sorry to disappoint...

N.B. I suppose if there is enough interest then I may upload a Windows x64 version to this site but it would go out of date pretty quickly and there are no guarantees that it won't be filled with bugs Wink
_________________
Paul Tew

Retired Forensic Analyst and Researcher 

binarybod
Senior Member
 
 
  

Re: Open Source Windows Link File Examiner (Shortcuts)

Post Posted: Wed Aug 16, 2017 4:49 pm

Hello Paul, thanks for your post for your new Windows Link File Examiner. I hadn't seen your post for a while at FF until recently. Good to see experienced hands are still around. How are things going for you in research? All the best Greg
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

trewmte
Senior Member
 
 
  

Re: Open Source Windows Link File Examiner (Shortcuts)

Post Posted: Wed Aug 16, 2017 5:01 pm

- binarybod

Not really I'm afraid, it's not something I want to do at the moment.
...

Sorry to disappoint...


No problem Smile, those really interested in running Linux will have no problems, those really interested in running Windows will surely be more than happy to go through the pains of setting up a compiling environment just for your tool.

But come on, do you really believe that anyone actually will? Confused

Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the Author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.

The target user right now (among the Windows users) is that of a programmer with interest in forensics, your program will surely be a hit among them (ALL three of them Wink ).

Maybe when you will have had some more time for testing and refining the tool and will have been able to test and release a compiled version guaranteeing that at the very least it will run without crashes in a supported OS, then IMHO you will be able to get some feedback from the rest of the world. Rolling Eyes

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Open Source Windows Link File Examiner (Shortcuts)

Post Posted: Wed Aug 16, 2017 5:09 pm

I don't think that most folks are really seeing the value of tools/efforts such as this, largely due to the varied nature of the work performed in the DFIR field.

For example: windowsir.blogspot.com...dates.html

Earlier this spring, I became aware of a spam campaign our researchers were following, and saw that the adversary was sending LNK files to their target victims. Like many other file formats on Windows systems, LNK files contain metadata, which in most cases (i.e., malware installation/persistence) isn't terribly interesting. However, in this case, the LNK file was being created on the adversary's system, and sent to the victim, meaning that the LNK file contains metadata specific to the adversary's development environment.

Unfortunately, not enough resources are directed to this aspect of campaign tracking and analysis.

Extending the discussion of metadata to other document formats, consider this:

www.secureworks.com/re...of-mia-ash

I assisted the analyst who developed this research with a very small aspect of the analysis. The researcher had obtained a copy of the Excel spreadsheet sent to one of the victims (it contained a questionnaire) and I parsed the metadata from it, which indicated that the version of MS Office was registered to "Mia Ash". This really illustrates the extent to which these operations have been developed...to the point where the communications with the victim include so much foresight as to ensure that even the smallest document metadata appears legitimate.

keydet89
Senior Member
 
 
  
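The tool announced at the top of the thread and keydet89's point about LNK metadata revealing the sender's environment both come down to the same fields of the MS-SHLLINK format: the header FILETIMEs and file size, the StringData paths, and the TrackerDataBlock, which carries the NetBIOS name of the machine where the link was made and NTFS object-ID GUIDs whose version-1 layout embeds a timestamp and a MAC address. The following is an added example, not lifer's code and not from any poster in this thread: a minimal Python parser for those structures, run on a sample .lnk constructed inline. Every value in the sample (the machine name EXAMPLE-PC, the MAC 00:11:22:33:44:55, the paths and timestamps) is made up; the offsets and signatures follow the public specification.

```python
"""Minimal MS-SHLLINK (.lnk) parser for creator-environment metadata (added example)."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME base (100 ns ticks)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)     # RFC 4122 v1 base (100 ns ticks)
TRACKER_BLOCK_SIGNATURE = 0xA0000003                          # TrackerDataBlock, spec 2.5.10

# LinkFlags (spec 2.1.1), only the bits this parser needs.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_DATA_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")]   # fixed order in the file


def filetime_to_datetime(ft):
    """64-bit FILETIME to UTC datetime; 0 means the field was never set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def make_v1_guid(when, node, clock_seq=0x1234):
    """Build an RFC 4122 version-1 GUID (time + MAC), the layout NTFS uses for object IDs."""
    d = when - UUID_EPOCH
    ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                             ((ticks >> 48) & 0x0FFF) | 0x1000,          # version nibble = 1
                             0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node))


def describe_v1_guid(g):
    """Recover the creation time and MAC address embedded in a version-1 GUID."""
    if g.version != 1:
        return {"guid": str(g), "version": g.version}
    return {"guid": str(g), "version": 1,
            "time": UUID_EPOCH + timedelta(microseconds=g.time // 10),
            "mac": ":".join(f"{b:02x}" for b in g.node.to_bytes(6, "big"))}


def parse_tracker_block(block):
    """TrackerDataBlock: NetBIOS machine name plus Droid / DroidBirth GUID pairs."""
    size, sig, length, _version = struct.unpack_from("<IIII", block, 0)
    if size != 0x60 or sig != TRACKER_BLOCK_SIGNATURE or length != 0x58:
        raise ValueError("malformed TrackerDataBlock")
    machine_id = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    guids = [uuid.UUID(bytes_le=block[o:o + 16]) for o in (32, 48, 64, 80)]
    return {"machine_id": machine_id,
            "volume_id": str(guids[0]), "file_object_id": describe_v1_guid(guids[1]),
            "birth_volume_id": str(guids[2]), "birth_file_object_id": describe_v1_guid(guids[3])}


def parse_lnk(data):
    """Parse the ShellLinkHeader, StringData and ExtraData of a .lnk; reject non-LNK input."""
    (header_size, clsid_le, flags, attrs,
     ctime, atime, wtime, file_size) = struct.unpack_from("<I16sIIQQQI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid_le) != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"flags": flags, "file_attributes": attrs, "file_size": file_size,
            "target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_written": filetime_to_datetime(wtime)}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:              # IDList: 2-byte size, then items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                         # LinkInfo: size field counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for flag, key in STRING_DATA_FIELDS:              # CountCharacters, then chars (no NUL)
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + width * count]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += width * count
    while off + 8 <= len(data):                       # ExtraData blocks end at size < 4
        block_size, sig = struct.unpack_from("<II", data, off)
        if block_size < 4:
            break
        if sig == TRACKER_BLOCK_SIGNATURE:
            info["tracker"] = parse_tracker_block(data[off:off + block_size])
        off += block_size
    return info


def build_sample_lnk():
    """Constructed sample, not a real capture: Unicode LNK with two strings and a tracker block."""
    created = datetime(2017, 8, 10, 9, 30, tzinfo=timezone.utc)   # made-up timestamp
    ft = datetime_to_filetime(created)
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID.bytes_le, flags,
                         0x20, ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)   # 76-byte header
    ustr = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    string_data = ustr(".\\payload.docx") + ustr("C:\\Users\\constructed\\Desktop")
    volume_id = uuid.UUID("a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d")       # made-up volume ID
    object_id = make_v1_guid(created, 0x001122334455)                 # made-up MAC address
    tracker = struct.pack("<IIII", 0x60, TRACKER_BLOCK_SIGNATURE, 0x58, 0)
    tracker += b"EXAMPLE-PC".ljust(16, b"\x00")                       # made-up NetBIOS name
    tracker += (volume_id.bytes_le + object_id.bytes_le) * 2          # Droid and DroidBirth
    return header + string_data + tracker + b"\x00\x00\x00\x00"       # terminal block


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k}: {v}")
```

On a link file received as an attachment, the tracker block's machine name and the MAC inside the object-ID GUID describe the system the shortcut was created on, not the recipient's, which is what makes the field worth recording in the CSV output of a tool like the one announced here. The parser only skips the IDList and LinkInfo sections; a full implementation would decode them as well, and should treat every size field as untrusted, since a crafted length in a malicious sample can push the offsets past the end of the file.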

Re: Open Source Windows Link File Examiner (Shortcuts)

Post Posted: Wed Aug 16, 2017 6:06 pm

- jaclaz


Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the Author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.

jaclaz


Well, in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque Wink
Those who really want to use the tool to aid their investigations (and perhaps avoid paying for some of the alternatives) are my target audience...
_________________
Paul Tew

Retired Forensic Analyst and Researcher 

binarybod
Senior Member
 
 
