
D:\ drive LNK file artifact question  

Kossuth
(@kossuth)
New Member

I'm conducting a forensic examination on a laptop with a focus on data exfiltration. One method that I typically use to discover files accessed from external drives is to search for LNK files with a D or E drive path. I've identified a number of files accessed from the D:\ drive with the following file path:

Windows\Users\XXXXXXXX\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Interestingly, the only timestamps available are "Target File" timestamps associated with documents. There are no file system timestamps listed. Also, when reviewing USB connection history there is nothing correlating the LNK file artifacts that I've identified with actual USB storage drive connections to the computer. I feel that the LNK files were imported to the computer from somewhere else, but I don't know enough about how the computer processes these files to understand. Can anyone help me out?

Thank you

Topic starter Posted : 01/05/2020 3:08 pm
Rich2005
(@rich2005)
Senior Member
Em-Belkasoft
(@em-belkasoft)
Junior Member

Your understanding of LNK files might be wrong or you are viewing them the wrong way.

You can read Belkasoft's article on LNK files.

Posted : 07/05/2020 8:55 pm
mcman
(@mcman)
Active Member

AutomaticDestinations locations are for jumplists and you're likely looking at a jumplist shortcut entry (which are basically LNK files). Do some digging for jumplists and you should be able to find what you need. You'll probably want to correlate the DestList entries as well to get a better idea of what is going on. Rich's link is an excellent place to start.

Also, there's no guarantee that you'll get correlating USB activity to go with a LNK file associated to a D volume. What if D isn't a USB mass storage device, or a USB device at all? You can't just make that assumption based on the information you've provided here. Volume letter assignment is dynamic and not specific to external USB devices.

Jamie

Posted : 08/05/2020 2:09 pm
Kossuth
(@kossuth)
New Member

@mcman

Thanks for the reply. I'll admit I don't fully understand this. I'm working on company issued machines that are all set up the same and restricted by our IT Dept. I've found that when I find D, E, F... volumes, they are likely an external drive, but understand that this won't always be the case.

I accepted employment at a private company and was tasked with digital forensic duties. I have a law enforcement background, not computer science so it is taking me some time to learn the back end of all this. I've taken training from Magnet Forensics and have learned to use their Axiom product well. I guess you could say I'm practicing push button forensics and trying to learn computer fundamentals as I go. Thanks for taking the time to reply.  

Topic starter Posted : 22/05/2020 2:53 pm
keydet89
(@keydet89)
Community Legend
Posted by: @jamesvogel

I'm conducting a forensic examination on a laptop with a focus on data exfiltration. One method that I typically use to discover files accessed from external drives is to search for LNK files with a D or E drive path. I've identified a number of files accessed from the D:\ drive with the following file path:

Windows\Users\XXXXXXXX\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Interestingly, the only timestamps available are "Target File" timestamps associated with documents. There are no file system timestamps listed. Also, when reviewing USB connection history there is nothing correlating the LNK file artifacts that I've identified with actual USB storage drive connections to the computer. I feel that the LNK files were imported to the computer from somewhere else, but I don't know enough about how the computer processes these files to understand. Can anyone help me out?

Thank you

What does "there are no file system timestamps listed" mean?

What is this "USB connection history" you refer to?

Automatic JumpLists are created by user interaction with applications via the shell (i.e., Windows Explorer).  As has already been described, Automatic JumpLists are OLE/Structured Storage documents, with all streams (except the DestList stream) consisting of LNK-formatted content.  As such, there are a LOT of timestamps available.

I'm not at all clear as to what you're doing to assess USB device connections on the system, but that may be where the issue lies.  

Also, keep in mind that data _access_ does not necessarily mean data _exfiltration_.

Posted : 01/06/2020 6:10 pm
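
Added example, not part of the thread and not any poster's or vendor's code: a minimal Python reader for one LNK-formatted stream, showing the target timestamps carried in the header plus the drive type, volume serial and label recorded in the LinkInfo block, which is the data that says whether "D:" was removable. It assumes the stream has already been extracted from the .automaticDestinations-ms compound file, follows the field offsets in Microsoft's [MS-SHLLINK] specification, and runs on constructed sample bytes; the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}  # VolumeID.DriveType

def filetime(ft):
    """100 ns ticks since 1601-01-01 UTC -> datetime (None when the field is zero)."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def cstr(buf, off):
    """NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    """Target timestamps and volume details from one LNK-formatted stream."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    flags, = struct.unpack_from("<I", data, 20)
    created, accessed, written = struct.unpack_from("<3Q", data, 28)
    out = {"target_created": filetime(created), "target_accessed": filetime(accessed),
           "target_modified": filetime(written), "drive_type": None}
    pos = 76
    if flags & 0x1:                       # HasLinkTargetIDList: skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:                       # HasLinkInfo
        li = data[pos:pos + struct.unpack_from("<I", data, pos)[0]]
        li_flags, vol_off, path_off = struct.unpack_from("<3I", li, 8)
        if li_flags & 0x1:                # VolumeIDAndLocalBasePath
            # label_off == 0x14 means a Unicode label, which is not decoded here
            dtype, serial, label_off = struct.unpack_from("<3I", li, vol_off + 4)
            out.update(drive_type=DRIVE_TYPES.get(dtype, str(dtype)),
                       volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                       volume_label=None if label_off == 0x14 else cstr(li, vol_off + label_off),
                       local_path=cstr(li, path_off))
    return out

def constructed_sample():
    """Constructed LNK bytes (not case data): a .docx on a removable volume 'BACKUP'."""
    ft = int((datetime(2020, 5, 1, 12, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    clsid = bytes.fromhex("0114020000000000C000000000000046")
    hdr = struct.pack("<I16sII3Q3I2H2I", 0x4C, clsid, 0x2, 0x20, ft, ft, ft, 1024, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<4I", 23, 2, 0x1A2B3C4D, 0x10) + b"BACKUP\0"
    path = b"D:\\Projects\\design.docx\0"
    body = vol + path + b"\0"             # trailing NUL = empty CommonPathSuffix
    li_hdr = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x1, 0x1C, 0x1C + len(vol), 0, 0x1C + len(vol) + len(path))
    return hdr + li_hdr + body

if __name__ == "__main__":
    print(parse_lnk(constructed_sample()))
```

The volume serial and label are the values to compare against the Registry and event-log sources for connected devices; the drive letter alone identifies nothing.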
Kossuth
(@kossuth)
New Member

@keydet89

First, sorry if I'm not using the correct technical terms, as I said I'm fairly new at this. 

As for the timestamps, the way I understand it, there are timestamps stored within the metadata of a file, relative to the file no matter which machine it's accessed on, called target file timestamps.  There are also additional timestamps of the file relative to the machine, file system timestamps. I have a loose understanding of it, so let me know if I'm wrong.

My reference to USB connection history may be vendor specific. I'm working with Magnet Axiom. Under the Operating System -> USB Devices artifact category, I'm identifying any storage drives. From their reference material, the source locations for the data are as follows:

SYSTEM/CurrentControlSet/Enum/USBSTOR

SYSTEM/MountedDevices

NTUSER.DAT/Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2

SYSTEM/CurrentControlSet/Enum/USB

ROOT/Windows/Setupapi.log

ROOT/Windows/inf/setupapi.dev.log 

I do understand that a file may be accessed, but not copied or transferred. However, it seems that any files accessed from an external drive are worth reviewing. 

Thanks 

Topic starter Posted : 01/06/2020 6:58 pm
keydet89
(@keydet89)
Community Legend

As far as how you're looking for connected device information, there are shortcomings in the process Axiom uses; it's not up-to-date, nor sufficient.

HKLM\Software\Microsoft\Windows Search\VolumeInfoCache

HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt

HKLM\Software\Microsoft\Windows Portable Devices\Devices

Sometimes, where the information is stored in the Registry depends upon the type of device; just because the device connects via a USB connector doesn't mean that it was a "USB" device.  For example, some devices, such as digital cameras, will show up under:

HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM

You might also want to check Windows Event Logs:

https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/

Also, consider checking the Microsoft-Windows-Partition%4Diagnostic.evtx Event Log, as well.

 

HTH

Posted : 01/06/2020 7:31 pm
Cults14
(@cults14)
Active Member

@jamesvogel I'm with you on this one.  I'm an internal corporate resource and most of what I'm asked to do is find out if someone took any IP with them when they left.  All machines are corporate issue, very few outliers from the standard build, engineering workstations in my experience here.

Acquisition and documentation done, I almost always start the PC side of the investigation out looking at LNK and Jumplist artefacts, I basically ignore anything that starts with C: and take an interest in everything else.  Volume labels and IDs can be helpful (less so with SSDs as EMDMGMT won't be populated), USB analysis follows and probably then looking at timelines to see what drives could qualify as being accessed.

I appreciate that access is not the same as exfiltration, but if someone accessed business files on an external device (means the files existed on the external device at some stage) and they didn't hand the device in when they left, well that's potentially data that left the business (unauthorised access).  Context can help, e.g. no external file access for 3 months then a lot in the 24 hours prior to termination does raise my eyebrows.

If you can get the device returned that can help, but in 10 years here we've only ever got one back.

Hope that helps?

Posted : 13/07/2020 12:19 pm
keydet89
(@keydet89)
Community Legend
Posted by: @jamesvogel

I'm conducting a forensic examination on a laptop with a focus on data exfiltration. One method that I typically use to discover files accessed from external drives is to search for LNK files with a D or E drive path. I've identified a number of files accessed from the D:\ drive with the following file path:

Windows\Users\XXXXXXXX\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Interestingly, the only timestamps available are "Target File" timestamps associated with documents. There are no file system timestamps listed. Also, when reviewing USB connection history there is nothing correlating the LNK file artifacts that I've identified with actual USB storage drive connections to the computer. I feel that the LNK files were imported to the computer from somewhere else, but I don't know enough about how the computer processes these files to understand. Can anyone help me out?

Thank you

A couple of questions...

If the focus is data exfil, why is the sole focus of the topic data access?  

Could it be possible that the reason the "only timestamps available" is due to the tool being used?

To help focus your analysis, knowing the version of Windows you're working with, as well as some of the applications, would be helpful.  Please feel free to reach out if there's something I can do to help.

 

 

Posted : 14/07/2020 3:37 pm