LNK Files and Jump Lists
LNK Files
Header starts with 0x4C (the 76-byte header size), which can be used to search for LNK files
A metadata file
Every time you create a shortcut a LNK file is made. This can also happen when a file is opened.
What do they contain?
Original path
Time stamps for both the target and link File (MACB)
Size
Attributes such as read-only
System, volume names, volume serial number
Sometimes MAC address
Indication of local or remote computer
Creation date - usually indicates when the file was first opened
Modification date - indicates when the file was last opened
Why is that useful?
Example:
A computer forensics team has completed a search of the suspect's house:
They have a computer and a USB stick. The defendant claims that the USB stick is
not theirs and has never been plugged in; it contains numerous suspicious files.
These files may have metadata in LNK files on the computer.
These LNK files may show that the file was accessed through a USB with the serial number of the one
in question. This, along with evidence of the USB stick being connected, would certainly aid in showing
the defendant knowingly had these files on their system. Creation and modification dates may further
aid this.
Jump Lists
Jump lists contain information regarding recently accessed application files. There are two types:
Automatic destinations
.AutomaticDestinations-ms = default
Object Linking and Embedding (OLE) + Compound Files
Allows multiple data streams in a single file
Known as compound binary
Each stream is its own LNK file
Essentially, it's a directory for multiple LNK files belonging to one application.
Custom Destinations
.CustomDestinations-ms = depends on program
Created when a program is pinned to the taskbar
Do not contain streams
LNK files stored sequentially
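The following is an added example (editor's code, not part of the original notes) that parses the 76-byte ShellLinkHeader described above, carves LNK headers out of a raw buffer by the 0x4C + CLSID signature, and tells a bare LNK apart from the OLECF container used by AutomaticDestinations (whose streams are LNK files). Field layout follows the public MS-SHLLINK specification; the sample bytes are constructed, not taken from real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone
# Constants from MS-SHLLINK: the header is 0x4C (76) bytes and is followed by the LNK CLSID.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = struct.pack("<I", 0x4C) + LNK_CLSID  # HeaderSize + LinkCLSID = carving signature
OLECF_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound file signature (AutomaticDestinations)
HEADER_FMT = "<I16sIIQQQIIIHHII"  # 76 bytes: size, CLSID, flags, attrs, 3 FILETIMEs, size, icon, show, hotkey, reserved
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means not set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, using integer arithmetic so large tick counts stay exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_header(buf, offset=0):
    """Return the ShellLinkHeader fields an examiner cares about, or None if no LNK header at offset."""
    hdr = buf[offset:offset + 76]
    if len(hdr) < 76 or not hdr.startswith(LNK_MAGIC):
        return None
    _, _, flags, attrs, ctime, atime, wtime, size, *_ = struct.unpack(HEADER_FMT, hdr)
    return {
        "created": filetime_to_dt(ctime),    # target file's creation time
        "accessed": filetime_to_dt(atime),   # target file's last access time
        "modified": filetime_to_dt(wtime),   # target file's last write time
        "target_size": size,                 # low 32 bits of the target's size
        "attributes": [name for bit, name in ATTRS.items() if attrs & bit],
        "has_link_info": bool(flags & 0x2),  # LinkInfo block holds volume serial / local base path
        "unicode": bool(flags & 0x80),       # string data stored as UTF-16
    }

def find_lnk_headers(blob):
    """Offsets of every LNK header signature in a raw buffer (e.g. a carved disk region or OLECF dump)."""
    offsets, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(LNK_MAGIC, pos + 1)
    return offsets

def container_type(data):
    """Tell a bare LNK from an OLECF AutomaticDestinations container; CustomDestinations match neither."""
    return "lnk" if data.startswith(LNK_MAGIC) else "olecf" if data.startswith(OLECF_MAGIC) else "unknown"

# Constructed sample (not real evidence): header for a 4096-byte read-only, archived target.
SAMPLE_CTIME = datetime(2020, 1, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_HEADER = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, 0x83, 0x21, dt_to_filetime(SAMPLE_CTIME), 0,
                            dt_to_filetime(SAMPLE_CTIME), 4096, 0, 1, 0, 0, 0, 0)
SAMPLE_BLOB = b"\x00" * 10 + SAMPLE_HEADER + b"junk" + SAMPLE_HEADER  # two headers buried in filler
```

The volume serial number, local base path and MAC address mentioned later in the notes live in the LinkInfo and TrackerData blocks that follow the header; this block only reports whether LinkInfo is present.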
Where to find LNK Files?
C:\Users\*USER\AppData\Roaming\Microsoft\Windows
Note: the extension is included in Windows 10, so the top entry would be 15th October.DOCx.LNK
Can also check: C:\Users\George\AppData\Roaming\Microsoft\Office\Recent
Where to find Jump lists?
C:\Users\George\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\George\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Analysis of LNK files:
In the terminal, I selected a LNK file and used the bash command file to see more information.
Here, we can see that it is a MS Windows shortcut, as well as the time
But I was previously in bash, so to run it from bash we can do:
/mnt/c/Windows/exiftool.exe *file
The second set of dates belong to the actual (target) file, whereas the first set belong to the link file.
Note how the local base path is D:\ - that's because the file resides on a USB.
So, copying that to the desktop, opening the file and then analysing the desktop file:
Note that the target file, which is now on the computer, has changed its location etc. due to now residing
on the PC, but shares the same modification date as the USB one, as it has been directly copied but
not changed.
Jump list analysis:
Using file, we get some information
Composite Document File V2 = another name for OLECF
For Custom, it just says data
Analysis with LECmd.exe - a tool by Zimmerman
After typing in LECmd.exe -d C:\Users\George\AppData\Roaming\Microsoft\Windows\Recent -q --csv .\
So, using LECmd.exe I typed -d to specify a directory, then gave the path to the directory, requested
quiet mode (-q) and output to a CSV (--csv) in the current working directory (.\)
Note the volume serial number of the highlighted file (rhinocomp.lnk)
This is indeed the volume of my C drive
Scrolling further along, the volume name, MAC address, machine name and various other attributes
were collected.
JUMP lists
Each app has an app id in the Jump list file
If we take a jump list and load it into Zimmerman's Explorer tool, we see the following
Looks confusing right?
This is in fact, the list of all the recently accessed application files belonging to Excel
At the top is AutomaticDestinations.csv, which is the output I got from the command-line-based
Zimmerman tool.
This involved the following command: JLECmd.exe -f C:\Users\George\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms -q --csv .\
Note the ID, b8ab77100df80ab2, which according to Forensic Wiki is the AppID for Microsoft Excel x64.
How can this get interesting?
Well, if an individual is suspected of possessing multiple illegal images, then viewing their
jump lists for applications such as Windows Photo Viewer may show recently accessed photos and their
locations. Names alone may indicate the content. The target path will also be available, meaning that
suspicious images may lead to the location of further evidence.