Link Parser

We’ve been quietly developing digital forensics tools and forensic software to assist in our analysis for almost 10 years, and until recently, all of that source code has been sitting around and collecting dust.  As time permits, we will be dusting it off, adding some updates, and releasing some of it to the public.

Think of it as our way of saying thank you to everyone who has written articles, published research, or contributed software/code to the forensic community.

These utilities are provided “as-is” and are free for both personal and commercial use. As with any software, including ours, you should always independently validate your findings.  Oh, and if you find any of our utilities useful, feel free to drop by @chadgough or @4Discovery on Twitter and say thanks. Bug reports and feature requests are always welcome!

Parse Microsoft Shell Link (.lnk) Files

Whatever you decide to call them, Link Files, Shortcut Files, or Shell Link Items, they are valuable forensic artifacts. In addition the the filesystem MAC times, the internal structure of the link file can reveal huge amounts of data about the target file such as volume names, serial numbers, target MAC dates, and file path information.

Features

• Parses a single item, multiple selected items, or recursively over a folder or mounted forensic image
• Multi-Select individual files
• Exports to CSV for easy analysis
• GUI supports Date/Time sorting
• Over 30 attributes extracted
• Free for both personal and commercial use

v1.3 (05-24-2013)

• Application now digitally signed
• Application will automatically check for updates
• Application now has global exception handling
• Minor bug fixes and UI changes

References:

• The Meaning of Link Files in Forensic Examinations
• Microsoft Shell Link Binary File Format [MS-SHLLINK]
• Windows Shell Item Format Specification
• Windows Shortcut File (LNK) Format