A forensic tool for Windows link file examinations (i.e. Windows shortcuts)
SYNOPSIS
'lifer' is a Windows or *nix command-line tool inspired by the whitepaper 'The Meaning of Link Files in Forensic Examinations' by Harry Parsonage and available here. It started life as a lightweight tool that I wrote in order to extract certain information from link files to assist in enquiries I was making whilst working as a computer forensic analyst. Now I am retired but I am looking to expand it's usefulness and publish it so that others can benefit.
The information extracted is in accordance with the Microsoft Open Specification Document 'MS-SHLLNK' which can be found online here. At the time of writing most parts of specification version 3.0 are implemented. Over time however, I hope to bring the tool into line with the full current specification and also include other goodies such as:
- Relevant output from IDList containers (which need reverse engineering - see 'IDLIST.txt')
- Recognition of, and parsing of link file data within jump list (OLE) containers.