LNK Files and Jump Lists

As a continuation of the "Introduction to Windows Forensics" series, this video introduces the ubiquitous LNK, or "link", file, as well as a lesser known Windows feature called Jump Lists.

Both of these artifacts provide numerous items of forensic interest. We'll first cover the basic information you need in order to parse them. Then we'll look inside an LNK file and use ExifTool and Lnk Explorer to extract items of evidentiary value. Lastly, we'll look at Jump Lists and use JumpList Explorer to examine the contents of those files.
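As an added example (not code from the video, ExifTool, or Lnk Explorer), here is a small Python parser for the fixed ShellLinkHeader that opens every .lnk file; it pulls out the link flags and the target's timestamps, size and attributes, which are the header fields of evidentiary value. The sample header it parses is constructed inline, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the fixed ShellLinkHeader at offset 0 of every .lnk file (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL"}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_HEADER_FMT = "<I16sIIQQQIiIH"  # size, CLSID, flags, attrs, 3 FILETIMEs, filesize, icon, show, hotkey

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'not set'."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk_header(data):
    """Parse the 76-byte ShellLinkHeader and return the target metadata it records."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon_index, show_cmd, hotkey) = struct.unpack_from(_HEADER_FMT, data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {
        "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "target_attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        # MAC times of the *target* as the shell saw it when the link was written
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "show_command": show_cmd,
    }

def build_sample_header():
    """Constructed input, not a real capture: header for a 4096-byte ARCHIVE target
    with all three timestamps 2020-01-01T00:00:00Z and LinkFlags 0x83."""
    ft_2020 = 132223104000000000  # FILETIME of 2020-01-01 00:00:00 UTC
    hdr = struct.pack(_HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, 0x83, 0x20,
                      ft_2020, ft_2020, ft_2020, 4096, 0, 1, 0)
    return hdr + b"\x00" * (LNK_HEADER_SIZE - len(hdr))  # Reserved1..Reserved3
```

On a real file, pass the first 76 bytes of the .lnk to `parse_lnk_header`; the string data and link target ID list that follow the header are not covered by this parser.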

Introduction to Windows Forensics:

LNK Files:

Forensic Analysis of LNK files:

Jump Lists:

4n6k Jump List AppID Master List:

ExifTool:

Lnk Explorer:

JumpList Explorer:

*** Additional Tools Referenced in This Video ***

Lnkanalyser:

Windows LNK Parsing Utility:

Internet Evidence Finder (IEF):

JumpLister:

JumpListsView:

Windows Jump List Parser:

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Comments
Author

26 minutes and I learn more here than I do in a 3-hour lecture... You're a great teacher, thank you.

Christopher-yhhs
Author

I really appreciate you making these videos. Every time I watch your videos I find out about tools I didn't know about.

TheKiller
Author

No, thank you for taking your time to make this important knowledge available to the people!!! ☺

yiefgko
Author

Clear, concise, and easy to grasp. If you aren't a teacher by profession, you should be. Subbed. 👍
Would love to see you do a video picking apart Windows 10 OEM Telemetry structures.

MF-lefp
Author

Good, factual, easy to understand and practical!

balazslendvay
Author

Excellent presentation. Well organized and informative. Thank you so much.

AlexisBrignoni
Author

MACB timestamps for executables of target files aren't included when LNK files are parsed by the tool and the output is saved to a CSV file; it would add more valuable artifacts. Thank you for your efforts, the videos are really incredible.

mohamedelbaz
Author

At 3:38, what was he saying? "Program"? Thank you!

bunnymusic
Author

What did you mean when you mentioned "*lnk" in FTK Imager? Can you do wildcard searches within Imager?

ryanhorton
Author

Hey, it would be really helpful if you could give quick guidance on the role of SIDs along with access tokens... e.g., which SID is used by a domain admin and how we detect other user information. All of the above videos are extremely helpful and very well explained. Thank you... If you could provide your email address, it would be really helpful to contact you...

salvodercrasto