analyzing-lnk-file-and-jump-list-artifacts

Featured

Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · License: Apache-2.0


Quality Score: 99/100

| Component | Weight | Score |
|---------------|--------|-------|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Analyzing LNK File and Jump List Artifacts

## Overview

Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.

## When to Use

- When investigating security incidents that require analyzing LNK file and Jump List artifacts
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- LECmd (Eric Zimmerman) for LNK file parsing
- JLECmd (Eric Zimmerman) for Jump List parsing
- Python 3.8+ with the pylnk3 or LnkParse3 library
- Forensic image or triage collection from a Windows system
- Timeline Explorer for CSV analysis

## LNK File Locations

| Location | Description |
|----------|-------------|
| `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\` | Recen... |
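As an added example (not code from the skill or its repository), here is a minimal parser for the fixed 76-byte ShellLinkHeader that tools such as LECmd and the pylnk3/LnkParse3 libraries read before anything else; it checks the magic, decodes LinkFlags and the three FILETIME values, and builds a constructed sample header rather than one taken from a real host:

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 76-byte ShellLinkHeader (MS-SHLLINK 2.1), all fields little-endian.
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {  # low LinkFlags bits (MS-SHLLINK 2.1.1); higher bits omitted
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode", 0x100: "ForceNoLinkInfo",
}

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of the above, kept integer-exact (no float rounding)."""
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def parse_shell_link_header(data):
    """Validate the magic and return the fields an examiner cares about.
    The three timestamps describe the *target* file as it was when the
    link was written, not the LNK file's own filesystem timestamps."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, show,
     _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    return {
        "flags": sorted(n for bit, n in LINK_FLAGS.items() if flags & bit),
        "target_is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
        "show_command": show,
    }

def build_sample_header(flags=0x83, attrs=0x20, size=4096):
    """Constructed sample (not captured from a real host): all three target
    timestamps 2024-01-15 10:30:00 UTC, FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL."""
    t = datetime_to_filetime(datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, attrs,
                       t, t, t, size, 0, 1, 0, 0, 0, 0)
```

On a real LNK file, pass the first 76 bytes of the file to `parse_shell_link_header`; the structures that follow the header (LinkTargetIDList, LinkInfo with the volume serial and tracker data with NetBIOS name and MAC) are what LECmd decodes next.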

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
