Open Source Windows Link File Examiner (Shortcuts)

13 Posts
5 Users
0 Likes
1,146 Views
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

A little open-source program I have been working on recently

https://paul-tew.github.io/lifer/

Parses one or more Windows link files or a whole directory full of them. Output is either plain old text or can be in tab/comma separated values suitable for importing into a spreadsheet for comparative analysis.

In the future I intend to include the ability to parse jumplists too.

 
Posted : 16/08/2017 6:44 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Interesting. :)

Any chance of an actual compiled version?

jaclaz

 
Posted : 16/08/2017 8:24 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

Interesting. :)
jaclaz

Thank you.

Any chance of an actual compiled version?
jaclaz

Not really I'm afraid, it's not something I want to do at the moment.

Installation is quite simple and I've explained it step-by-step in the INSTALLATION text file.

The development of this tool is quite dynamic at the moment and the last thing I want to do is maintain different executables, especially bearing in mind that it will compile on x86 and x64 architectures and on Windows and Linux OSes too (not sure if it will compile on a Mac but it should do). Potentially five or six different executables when I'm changing the code base on an almost daily basis sometimes.

Sorry to disappoint…

N.B. I suppose if there is enough interest then I may upload a Windows x64 version to this site but it would go out of date pretty quickly and there are no guarantees that it won't be filled with bugs 😉

 
Posted : 16/08/2017 10:03 pm
(@trewmte)
Posts: 1877
Noble Member
 

Hello Paul, thanks for your post for your new Windows Link File Examiner. I hadn't seen your post for a while at FF until recently. Good to see experienced hands are still around. How are things going for you in research? All the best Greg

 
Posted : 16/08/2017 10:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not really I'm afraid, it's not something I want to do at the moment.

Sorry to disappoint…

No problem :), those really interested running Linux will have no problems, those really interested running Windows will surely be more than happy to go through the pains of setting up a compiling environment just for your tool.

But come on, do you really believe that anyone actually will?

Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the Author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.

The target user right now (among the Windows users) is that of a programmer with interest in forensics, your program will surely be a hit among them (ALL three of them ;) ).

Maybe when you will have had some more time for testing and refining the tool and will have been able to test and release a compiled version guaranteeing that at the very least will run without crashes in a supported OS, then IMHO you will be able to get some feedback by the rest of the world. :roll:

jaclaz

 
Posted : 16/08/2017 11:01 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I don't think that most folks are really seeing the value of tools/efforts such as this, largely due to the varied nature of the work performed in the DFIR field.

For example http://windowsir.blogspot.com/2017/03/links-updates.html

Earlier this spring, I became aware of a spam campaign our researchers were following, and saw that the adversary was sending LNK files to their target victims. Like many other file formats on Windows systems, LNK files contain metadata, which in most cases (i.e., malware installation/persistence) isn't terribly interesting. However, in this case, the LNK file was being created on the adversary's system, and sent to the victim, meaning that the LNK file contains metadata specific to the adversary's development environment.

Unfortunately, not enough resources are directed to this aspect of campaign tracking and analysis.

Extending the discussion of metadata to other document formats, consider this

https://www.secureworks.com/research/the-curious-case-of-mia-ash

I assisted the analyst who developed this research with a very small aspect of the analysis. The researcher had obtained a copy of the Excel spreadsheet sent to one of the victims (contained a questionnaire) and I parsed the metadata from it, which indicated that the version of MS Office was registered to "Mia Ash". This really illustrates the extent to which these operations have been developed…to the point where the communications with the victim includes so much foresight as to ensure that even the smallest document metadata appears legitimate.

 
Posted : 16/08/2017 11:09 pm
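As an added illustration of the environment-specific metadata discussed above (this is example code written for this thread, not lifer's source or any poster's), the Python below reads the ShellLinkHeader, StringData and the TrackerDataBlock of a .lnk file per MS-SHLLINK and pulls out the timestamps, the originating NetBIOS name and the MAC address embedded in the v1 file GUID; the sample bytes, host name and GUIDs are constructed.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # fixed ShellLink CLSID
TRACKER_SIG = 0xA0000003  # ExtraData TrackerDataBlock signature

def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means unset."""
    return None if ft == 0 else datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return header metadata, StringData items and TrackerDataBlock fields from one .lnk file."""
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 20)
    info = {"flags": flags, "attrs": attrs, "created": filetime(ctime), "accessed": filetime(atime),
            "written": filetime(wtime), "size": fsize, "strings": [], "machine_id": None, "mac": None}
    pos = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: u16 byte count, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: the structure opens with its own u32 total size
        pos += struct.unpack_from("<I", data, pos)[0]
    enc, width = ("utf-16-le", 2) if flags & 0x80 else ("cp1252", 1)  # IsUnicode flag
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # HasName..HasIconLocation, in StringData order
        if flags & bit:  # each present item: u16 character count, then the characters
            n = struct.unpack_from("<H", data, pos)[0]
            info["strings"].append(data[pos + 2:pos + 2 + n * width].decode(enc))
            pos += 2 + n * width
    while pos + 8 <= len(data):  # ExtraData: (size, signature) blocks until a size < 4 terminal block
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 8 or pos + bsize > len(data):
            break
        if sig == TRACKER_SIG and bsize == 0x60:
            info["machine_id"] = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            file_id = uuid.UUID(bytes_le=data[pos + 48:pos + 64])  # Droid = volume GUID, then file GUID
            if file_id.version == 1:  # a v1 GUID carries the generating host's MAC in its node field
                info["mac"] = "%012x" % file_id.node
        pos += bsize
    return info

def build_sample():  # constructed .lnk bytes (not a real file): header, one Unicode NAME_STRING, tracker block
    ft = 131_277_024_000_000_000  # FILETIME for 2017-01-01T00:00:00Z
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, 0x84, 0x20, ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)
    name = struct.pack("<H", 6) + "Report".encode("utf-16-le")
    vol = uuid.UUID("3d6f2c1a-0b2e-4f00-9d5a-6a1f2b3c4d5e").bytes_le  # constructed volume GUID
    fil = uuid.UUID("e0a6b3b0-8a1e-11e7-b7a0-0050561234ab").bytes_le  # constructed v1 file object GUID
    tracker = struct.pack("<IIII16s16s16s16s16s", 0x60, TRACKER_SIG, 0x58, 0, b"dev-vm01", vol, fil, vol, fil)
    return hdr + name + tracker + struct.pack("<I", 0)
```

Run `parse_lnk(open(path, "rb").read())` over a directory of shortcuts and diff the machine_id, mac and timestamp fields across files to spot ones produced outside the victim's own environment.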
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the Author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.

jaclaz

Well in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)
Those who really want to use the tool to aid their investigations (and perhaps avoid paying for some of the alternatives) are my target audience…

 
Posted : 17/08/2017 12:06 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Well in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)

Sure, we definitely agree on this. :)

Those who really want to use the tool to aid their investigations (and perhaps avoid paying for some of the alternatives) are my target audience…

The difference of views is only on the estimation of their number, I am happy that you are more optimistic than I am.

jaclaz

 
Posted : 17/08/2017 10:41 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Well in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)

I'm sorry, but while I fully support and congratulate you for your efforts, I must respectfully disagree. I know and have worked with some really good forensic analysts, some of the best that there will ever be, and they don't code, let alone compile tools.

 
Posted : 18/08/2017 3:11 am
(@slippery)
Posts: 4
New Member
 

Joachim Metz has a tool, 'libnk2-devel-20170605-1.fc26.i686', available at forensic.cert.org, which has libraries and tools to access link files.

 
Posted : 31/08/2017 3:47 pm
Page 1 / 2