A little open-source program I have been working on recently
https://
Parses one or more Windows link files or a whole directory full of them. Output is either plain old text or can be in tab/comma separated values suitable for importing into a spreadsheet for comparative analysis.
In the future I intend to include the ability to parse jumplists too.
Interesting. :)
Any chance of an actual compiled version?
jaclaz
Interesting. :)
jaclaz
Thank you.
Any chance of an actual compiled version?
jaclaz
Not really I'm afraid, it's not something I want to do at the moment.
Installation is quite simple and I've explained it step-by-step in the INSTALLATION text file.
The development of this tool is quite dynamic at the moment and the last thing I want to do is maintain different executables; especially bearing in mind that it will compile on x86, x64 architectures and on Windows and Linux OS's too (Not sure if it will compile on a MAC but it should do). Potentially five or six different executables when I'm changing the code base on an almost daily basis sometimes.
Sorry to disappoint…
N.B. I suppose if there is enough interest then I may upload a Windows x64 version to this site but it would go out of date pretty quickly and there are no guarantees that it won't be filled with bugs 😉
Hello Paul, thanks for your post for your new Windows Link File Examiner. I hadn't seen your post for a while at FF until recently. Good to see experienced hands are still around. How are things going for you in research? All the best Greg
Not really I'm afraid, it's not something I want to do at the moment.
…Sorry to disappoint…
No problem :), those really interested running Linux will have no problems, those really interested running Windows will surely be more than happy to go through the pains of setting up a compiling environment just for your tool.
But come on, do you really believe that anyone actually will?
Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the Author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.
The target user right now (among the Windows users) is that of a programmer with interest in forensics, your program will surely be a hit among them (ALL three of them ;) ).
Maybe when you will have had some more time for testing and refining the tool and will have been able to test and release a compiled version guaranteeing that at the very least will run without crashes in a supported OS, then IMHO you will be able to get some feedback by the rest of the world. :roll:
jaclaz
I don't think that most folks are really seeing the value of tools/efforts such as this, largely due to the varied nature of the work performed in the DFIR field.
For example http//
Earlier this spring, I became aware of a spam campaign our researchers were following, and saw that the adversary was sending LNK files to their target victims. Like many other file formats on Windows systems, LNK files contain metadata, which in most cases (i.e., malware installation/persistence) isn't terribly interesting. However, in this case, the LNK file was being created on the adversary's system, and sent to the victim, meaning that the LNK file contains metadata specific to the adversary's development environment.
Unfortunately, not enough resources are directed to this aspect of campaign tracking and analysis.
Extending the discussion of metadata to other document formats, consider this
https://
I assisted the analyst who developed this research with a very small aspect of the analysis. The researcher had obtained a copy of the Excel spreadsheet sent to one of the victims (contained a questionnaire) and I parsed the metadata from it, which indicated that the version of MS Office was registered to "Mia Ash". This really illustrates the extent to which these operations have been developed…to the point where the communications with the victim includes so much foresight as to ensure that even the smallest document metadata appears legitimate.
Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the Author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.
jaclaz
Well in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)
Those who really want to use the tool to aid their investigations (and perhaps avoid paying for some of the alternatives), they are my target audience…
Well in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)
Sure, we definitely agree on this. :)
Those who really want to use the tool to aid their investigations (and perhaps avoid paying for some of the alternatives), they are my target audience…
The difference of views is only on the estimation of their number, I am happy that you are more optimistic than I am.
jaclaz
Well in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)
I'm sorry, but while I fully support and congratulate you for your efforts, I must respectfully disagree. I know and have worked with some really good forensic analysts, some of the best that there will ever be, and they don't code, let alone compile tools.
Joachim Metz has a tool, 'libnk2-devel-20170605-1.fc26.i686', available at forensic.cert.org, which has libraries and tools to access link files.