analyzing-windows-lnk-files-for-artifacts

Featured

Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.

Data & Documents 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Analyzing Windows LNK Files for Artifacts ## When to Use - When reconstructing user file access history from Windows shortcut files - For tracking accessed files, network shares, and removable media - During investigations to prove a user opened specific documents - When correlating file access with other timeline artifacts - For identifying accessed paths on remote systems or USB devices ## Prerequisites - Access to LNK files from forensic image (Recent, Desktop, Quick Launch) - LECmd (Eric Zimmerman), python-lnk, or LnkParser for analysis - Understanding of LNK file structure (Shell Link Binary format) - Knowledge of LNK file locations on Windows systems - Forensic workstation with analysis tools installed ## Workflow ### Step 1: Collect LNK Files from Forensic Image ```bash # Mount forensic image mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence mkdir -p /cases/case-2024-001/lnk/{recent,desktop,startup,custom} # Copy Recent items LNK files (primary source) cp /mnt/evidence/Users/*/AppData/Roaming/Microsoft/Windows/Recent/*.lnk \ /cases/case-2024-001/lnk/recent/ 2>/dev/null # Copy automatic destinations (Jump Lists) cp /mnt/evidence/Users/*/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/*.automaticDestinations-ms \ /cases/case-2024-001/lnk/recent/ 2>/dev/null # Copy custom destinations (pinned Jump List items) cp /mnt/evidence/Users/*/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/*.cust...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

analyzing-lnk-file-and-jump-list-artifacts

Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-slack-space-and-file-system-artifacts

Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.

12,642 Updated today
mukul975
AI & Automation Featured

performing-log-analysis-for-forensic-investigation

Collect, parse, and correlate system, application, and security logs to reconstruct events and establish timelines during forensic investigations.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-linux-system-artifacts

Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-windows-registry-for-artifacts

Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.

12,642 Updated today
mukul975