Hi All,
I'm currently writing a tool for the parsing of common Windows artefacts and I would like to share it with the forensic community. This tool is called the Simple File Parser (SFP) and it currently supports the parsing of link and prefetch files and allows the user to easily export the information to CSV format for a more detailed analysis.
To take a look at the program or to download it yourself, please visit the tool's page https://
I will take on board any comments, or if you find any bugs please let me know.
Chris.
Version 1.3 has been released and has initial support for Windows 7 jump-lists.
Thanks for this great tool.
Thierry
Thanks Thierry, I have plans to improve the jump-list support and to make it multi-threaded for performance (once I've worked out how to thread in C# that is!).
Version 1.4 has now been released with more robust support for jump-list artefacts, improved GUI and speed, multithreaded goodness and multiple time-zone support. Download at
As ever, please let me have your comments and suggestions for future releases.
Version 1.5 now has support for the parsing of INDX Attributes ($I30 files).
Let me know if you have any issues.
Does the LNK parser support parsing the shell item ID lists?
Hi Harlan,
It does not support them at the moment, but if there is an interest I can try to code a solution. The tool does know where they exist, so it shouldn't be too difficult (famous last words!).
In order to give something back to the forensic community, all of the code is now available on Google Code. Feel free to download, distribute and copy. I will keep all updated versions of SFP on Google Code from now on. If anyone would like to contribute to the project please let me know (first job is to optimise the code!)
http//
Nice to see another .NET developer writing tools! Is the source code in the .exe file at the link you provided? All I see is the exe.
Also, I noticed in the status bar it says
take taken 0.33
when I am guessing it should be
time taken 0.33
The prefetch parsing had some issues on win8 as well.
I would recommend against using a msgbox for each error as the end user will need to click OK possibly dozens of times. An area for status messages (like a listbox) would be better for that.
I'd like to take a look at your code. Seems like some good stuff based on the lnk results. Have you compared your results with those generated by shellify? That's what I have been using for a while for lnk files.