After having a case where I needed to deal with a few thousand link files, I have written a new tool to examine them and need some feedback from beta testers.
The software at the moment does the following:
• Loads multiple (tested on 40,000+) link files into a grid
• Displays
  o Internal dates
  o Path
  o Relative path
  o Share name
  o Vol name and Serial Number
  o Decodes and displays ObjIDs if present, including dates and MAC addresses
  o Working Dir and Command line
• Allows you to sort and filter by column
• Carve from disk/volume/file or EnCase image
• Export to HTML/CSV/XML/XLS
• Tag files and create an HTML report
If you do not know about ObjIDs, in short they are a unique number created to help Microsoft track files. The interesting bit is that, to try and guarantee uniqueness, they (usually) use the MAC address from the network card along with the date and time (and some other bits of data) to form the ObjID. They can have the MAC address of both the current card AND the original (birth) machine that the file was created on. More information in Harry Parsonage's white paper http//
If you have the time to beta test this software AND provide feedback then please email me at the address below
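An added example, not part of the original post and not LinkAlyzer's code: decoding the date and MAC address from an ObjID and comparing the current ID with the birth ID. It assumes the ObjID is a version 1 UUID stored in Windows little-endian GUID byte order; the function names and sample values are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 UUID timestamps count 100 ns ticks from the Gregorian epoch.
EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def decode_objid(raw: bytes) -> dict:
    """Decode one 16-byte ObjID held in Windows little-endian GUID order."""
    if len(raw) != 16:
        raise ValueError("an ObjID is exactly 16 bytes")
    u = uuid.UUID(bytes_le=raw)
    out = {"guid": str(u), "version": u.version, "created": None, "mac": None}
    # Only version 1 UUIDs carry a timestamp and node; decoding a date or
    # MAC from any other version would produce meaningless values.
    if u.version == 1:
        out["created"] = EPOCH + timedelta(microseconds=u.time // 10)
        node = u.node.to_bytes(6, "big")
        out["mac"] = ":".join(f"{b:02x}" for b in node)
        # RFC 4122: multicast bit set means a random node, not a NIC address.
        out["mac_is_random"] = bool(node[0] & 0x01)
    return out

def compare_birth(current: bytes, birth: bytes) -> dict:
    """Decode the current and birth ObjIDs and flag a change of machine."""
    cur, orig = decode_objid(current), decode_objid(birth)
    moved = None  # unknown unless both IDs carry a MAC
    if cur["mac"] and orig["mac"]:
        moved = cur["mac"] != orig["mac"]
    return {"current": cur, "birth": orig, "different_machine": moved}

def make_v1(when: datetime, clock_seq: int, node: int) -> bytes:
    """Build a constructed version 1 ObjID for the demonstration below."""
    d = when - EPOCH
    ts = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    fields = (ts & 0xFFFFFFFF, (ts >> 32) & 0xFFFF, ((ts >> 48) & 0x0FFF) | 0x1000,
              ((clock_seq >> 8) & 0x3F) | 0x80, clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields).bytes_le

# Constructed sample values, not taken from any real link file.
SAMPLE_BIRTH = make_v1(datetime(2009, 3, 4, 10, 15, 30, tzinfo=timezone.utc), 0x1234, 0x001122334455)
SAMPLE_CURRENT = make_v1(datetime(2009, 6, 1, 8, 0, 0, tzinfo=timezone.utc), 0x0042, 0x00AABBCCDDEE)

if __name__ == "__main__":
    result = compare_birth(SAMPLE_CURRENT, SAMPLE_BIRTH)
    for label in ("current", "birth"):
        print(label, result[label]["created"], result[label]["mac"])
    print("different machine:", result["different_machine"])
```

A differing MAC between the two IDs only shows that the network card changed; it does not by itself distinguish a new machine from a replaced card.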
How does the Tool with LNKs that point to Chinese-named files?
At the moment it doesn't although I am working on it.
42 produces a phenomenal Link File parser in their "Power Pack" suite. I've used it; it works with foreign languages/UNICODE flawlessly. Even picks up HotKeys. They have a free trial at the moment (link to the software's in the bottom-right of the webpage).
http//
Hi sandy771,
I have a quick question for you or anyone who might know. I'm studying computer forensics at Northumbria University and we had someone from the police forensics come in and talk about a file type which I have forgotten what it was called.
The file (on Windows) is where you open for example media files or images and it records:
• when the file was opened
• how many times
• where the file is located
• if on a removable media it records the info of the drive (bit like a link file)
It's not prefetch I'm thinking of. If anyone knows please let me know as it would be a great help, as over the summer I plan to write a program to open the files and format the info, as the police officer said there is only one program he knows of that does this. Sorry if I have not made sense and thanks in advance.
James
James,
Some of what you're asking about is "recorded" in Registry hive files…is that what you're asking about?
It may be, I will do some fishing around but yeah, that sounds like I have heard it before. Wow, I didn't think I would get such a quick reply, thanks! Once I know for certain I will post to let you know. I have to do a few jobs first.
Thanks again!
UserAssist?
UserAssist? aka Registry entries in Rot13?
Thanks for all the offers to assist with beta testing. LinkAlyzer has now been released so no more please.
Cheers
Paul
demo available at
http//