Open Source Windows Link File Examiner (Shortcuts)

binarybod
(@binarybod)
Active Member

A little open-source program I have been working on recently

https://paul-tew.github.io/lifer/

Parses one or more Windows link files or a whole directory full of them. Output is either plain old text or can be in tab/comma separated values suitable for importing into a spreadsheet for comparative analysis.

In the future I intend to include the ability to parse jumplists too.

Topic starter Posted : 16/08/2017 7:44 pm
jaclaz
(@jaclaz)
Community Legend

Interesting.

Any chance of an actual compiled version?

jaclaz

Posted : 16/08/2017 9:24 pm
binarybod
(@binarybod)
Active Member

Interesting.
jaclaz

Thank you.

Any chance of an actual compiled version?
jaclaz

Not really I'm afraid, it's not something I want to do at the moment.

Installation is quite simple and I've explained it step-by-step in the INSTALLATION text file.

The development of this tool is quite dynamic at the moment and the last thing I want to do is maintain different executables, especially bearing in mind that it will compile on x86 and x64 architectures and on Windows and Linux OSes too (not sure if it will compile on a Mac, but it should do). Potentially five or six different executables, when I'm changing the code base on an almost daily basis sometimes.

Sorry to disappoint…

N.B. I suppose if there is enough interest then I may upload a Windows x64 version to this site but it would go out of date pretty quickly and there are no guarantees that it won't be filled with bugs 😉

Topic starter Posted : 16/08/2017 11:03 pm
trewmte
(@trewmte)
Community Legend

Hello Paul, thanks for your post about your new Windows Link File Examiner. I hadn't seen a post from you at FF for a while until recently. Good to see experienced hands are still around. How are things going for you in research? All the best, Greg

Posted : 16/08/2017 11:49 pm
jaclaz
(@jaclaz)
Community Legend

Not really I'm afraid, it's not something I want to do at the moment.

Sorry to disappoint…

No problem; those really interested running Linux will have no problems, and those really interested running Windows will surely be more than happy to go through the pains of setting up a compiling environment just for your tool.

But come on, do you really believe that anyone actually will?

Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.

The target user right now (among the Windows users) is a programmer with an interest in forensics; your program will surely be a hit among them (ALL three of them ;) ).

Maybe when you have had some more time for testing and refining the tool, and have been able to test and release a compiled version guaranteeing that at the very least it will run without crashes on a supported OS, then IMHO you will be able to get some feedback from the rest of the world. roll

jaclaz

Posted : 17/08/2017 12:01 am
keydet89
(@keydet89)
Community Legend

I don't think that most folks are really seeing the value of tools/efforts such as this, largely due to the varied nature of the work performed in the DFIR field.

For example: http://windowsir.blogspot.com/2017/03/links-updates.html

Earlier this spring, I became aware of a spam campaign our researchers were following, and saw that the adversary was sending LNK files to their target victims. Like many other file formats on Windows systems, LNK files contain metadata, which in most cases (i.e., malware installation/persistence) isn't terribly interesting. However, in this case, the LNK file was being created on the adversary's system, and sent to the victim, meaning that the LNK file contains metadata specific to the adversary's development environment.

Unfortunately, not enough resources are directed to this aspect of campaign tracking and analysis.

Extending the discussion of metadata to other document formats, consider this

https://www.secureworks.com/research/the-curious-case-of-mia-ash

I assisted the analyst who developed this research with a very small aspect of the analysis. The researcher had obtained a copy of the Excel spreadsheet sent to one of the victims (it contained a questionnaire) and I parsed the metadata from it, which indicated that the version of MS Office was registered to "Mia Ash". This really illustrates the extent to which these operations have been developed…to the point where the communications with the victim include so much foresight as to ensure that even the smallest document metadata appears legitimate.

Posted : 17/08/2017 12:09 am
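As an added illustration of the metadata keydet89 describes (this is example code, not part of lifer or of any post in the thread), a minimal Python parser for the ShellLinkHeader timestamps and the TrackerDataBlock of an MS-SHLLINK file: the block's MachineID and version-1 object identifier GUID record the NetBIOS name and MAC address of the host on which the shortcut was created. The .lnk bytes are constructed inline, and the hostname and MAC address in them are fabricated.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns units
TRACKER_SIG = 0xA0000003                                # TrackerDataBlock signature

def filetime_to_dt(ft):
    return FT_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - FT_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def parse_lnk(data):
    # ShellLinkHeader: size, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, ...
    hdr = struct.unpack_from("<I16sIIQQQIiIHHII", data, 0)
    if hdr[0] != 0x4C or hdr[1] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = hdr[2]
    out = {"flags": flags, "attributes": hdr[3], "target_size": hdr[7],
           "created": filetime_to_dt(hdr[4]), "accessed": filetime_to_dt(hdr[5]),
           "written": filetime_to_dt(hdr[6])}
    off = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: uint16 IDListSize, then the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo: uint32 LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & 0x80 else 1  # IsUnicode: StringData is UTF-16LE
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # Name, RelPath, WorkDir, Args, Icon
        if flags & bit:
            off += 2 + width * struct.unpack_from("<H", data, off)[0]
    while off + 4 <= len(data):  # ExtraData blocks; a BlockSize < 4 terminates
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            break
        if struct.unpack_from("<I", data, off + 4)[0] == TRACKER_SIG:
            out["machine_id"] = data[off + 16:off + 32].split(b"\0")[0].decode("latin-1")
            fid = uuid.UUID(bytes_le=data[off + 48:off + 64])  # DroidFileIdentifier
            if fid.version == 1:  # v1 UUID: node field carries the creating host's MAC
                out["mac"] = ":".join(f"{(fid.node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
        off += size
    return out

def build_sample():
    # Constructed sample: header with no target/strings, then one TrackerDataBlock
    ft = dt_to_filetime(datetime(2017, 8, 16, 19, 44, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, 0, 0x20, ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)
    fid = uuid.UUID("00112233-4455-11e7-8000-001122334455")  # fake v1 UUID, fake MAC
    zero = uuid.UUID(int=0).bytes_le
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"BUILD-PC".ljust(16, b"\0")
               + zero + fid.bytes_le + zero + fid.bytes_le)  # Droid + DroidBirth
    return header + tracker + b"\0\0\0\0"  # TerminalBlock
```

Run `parse_lnk(open("some.lnk", "rb").read())` on a real shortcut to recover the same fields; a tool like lifer exports them for many files at once.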
binarybod
(@binarybod)
Active Member

Call me a hairy reasoner as much as you want, but blindly compiling something that has not been compiled by the author (and subsequently tested on the specific OS) is not something that many people will do (in my little experience), either for lack of knowledge or for lack of time/will.

jaclaz

Well, in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)

Those who really want to use the tool to aid their investigations (and perhaps avoid paying for some of the alternatives) are my target audience…

Topic starter Posted : 17/08/2017 1:06 am
jaclaz
(@jaclaz)
Community Legend

Well, in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)

Sure, we definitely agree on this. )

Those who really want to use the tool to aid their investigations (and perhaps avoid paying for some of the alternatives) are my target audience…

The difference of views is only in the estimation of their number; I am happy that you are more optimistic than I am.

jaclaz

Posted : 17/08/2017 11:41 pm
keydet89
(@keydet89)
Community Legend

Well, in my experience, any forensic analyst who can't compile an open source tool isn't worth their paycheque ;)

I'm sorry, but while I fully support and congratulate you for your efforts, I must respectfully disagree. I know and have worked with some really good forensic analysts, some of the best that there will ever be, and they don't code, let alone compile tools.

Posted : 18/08/2017 4:11 am
slippery
(@slippery)
New Member

Joachim Metz has a tool, 'libnk2-devel-20170605-1.fc26.i686', available at forensic.cert.org, which has libraries and tools to access link files.

Posted : 31/08/2017 4:47 pm
binarybod
(@binarybod)
Active Member

and they don't code, let alone compile tools.
keydet89

Compiling and installing a tool does NOT require coding experience. Often, with open source tools, all you need to do is follow the instructions in the installation text documentation usually found in the repository.

Often this is as simple as following a recipe.

Regards,

Topic starter Posted : 13/09/2017 3:44 pm
binarybod
(@binarybod)
Active Member

Joachim Metz has a tool, 'libnk2-devel-20170605-1.fc26.i686', available at forensic.cert.org, which has libraries and tools to access link files.

I've never used this tool, but the documentation suggests it is for examining nickfile (NK2) objects and NOT Windows Link Files (a.k.a. 'shortcuts').

Regards,

Topic starter Posted : 13/09/2017 3:48 pm
binarybod
(@binarybod)
Active Member

Bowing to peer pressure ;) I've produced some binaries:
https://github.com/Paul-Tew/lifer/releases
My suggestion would be to download the required one and just rename it to 'lifer' to avoid any unnecessary typing on the command line.

Topic starter Posted : 13/09/2017 3:52 pm