4. Page 4 of 22
Graded Lab Assessment
Observations of Results and Findings
Throughout the lab the examiner performed various exercises with each of the parsing tools on a
sample link file in order to gain familiarity with the capabilities of each of the parsing tools. The
tools used by the examiner to parse the link files were: lnk-parse-1.0.pl, lslnk.pl, and
lnkanalyser.exe. The parsing tool lnkanalyser.exe was a tool that was selected by the examiner
to replace the lab recommended lp.exe parsing tool. The lnkanalyzer.exe tool can be found and
downloaded from the woanware website:
http://www.woanware.co.uk/forensics/lnkanalyser.html. Each of the parsing tools provided the
examiner with information that identified the file’s: MAC times, working paths, volume ID and
serial number, and file’s size.
Using the various parsing tools the examiner performed the requested examination of the
provided link files. The name of the data folder and the names of the link files to be analyzed
can be seen in table 1.
File Name MD5
CYB652.2014.Spring.Week4.Samples.zip 8b605addb191d2d79682a174bfbe7a56
Mawg.jpg.lnk f46942cca5621ef29ef1b1de9ccdb2ee
Sample Pictures.lnk 44ecaa892a3ec3b14b32de7fbbad0bbc
Sunset.jpg.lnk ad7b92ff1524c1107d553429aa40b53e
temp.lnk ba967bee1a535f8fb490f252bbdcb9ea
Table 1: Data Folder and Link Files to be analyzed
Lnk-parse-1.0.pl
Lnk-parse-1.0.pl is a command line based parsing tool that is capable of parsing data from link
files on both Windows and Linux based OS. When using the tool on Windows the MAC times
were outputted using the machine’s local time; while the Linux OS presents the MAC times in
UTC. When the lnk-parse-1.0.pl tool was used to parse data from the four provided link files,
the tool would output: file name, link flags, file attributes, MAC times, file length, volume type,
volume serial number, and the base path. An example of the lnk-parse-1.0.pl tool’s output for
the Mawg.jpg.lnk file can be seen in figure 1. Screenshots of the link file’s outputs can be
viewed in Appendix A.
5. Page 5 of 22
Figure 1: lnk-parse-1.0.pl Output for Mawg.jpg.lnk
Lslnk.pl
Lslnk.pl is another command line based parsing tool that is capable of parsing link files on both
Windows and Linux based OS and the output is unaffected. When the examiner used the lslnk.pl
tool to parse data from the provided link files, the examiner noticed that the lslnk.pl tool provides
almost identical parsed metadata outputs about each of the files. But, the examiner noticed that
the lslnk.pl tool provides its MAC times in UTC instead of the host computer’s local time like
the previous tool. An example of an lslnk.pl output can be seen in figure 2 below. Screenshots
of the link file’s outputs can be viewed in Appendix A.
Figure 2: lslnk.pl Output for Mawg.jpg.lnk in UTC
Lnkanalyzer.exe
The lnkanalyzer.exe tool was selected by the examiner in order to replace the lp.exe parsing tool
that was unable to be used in the lab. Like the previous tools, lnkanalyzer.exe provides the
examiner with various parsed metadata about the .lnk file. However, unlike the other tools the
6. Page 6 of 22
lnkanalyze.exe tool provides the examiner with new parsed information called, “Tracker Data
Block” as seen in figure 3.
Figure 3: lnkanalyser.exe Output for Mawg.jpg.lnk
The Tracker Data Block provides information that can be used to identify the local machine’s
name and identify if a link file has been moved or copied from its original location.
Understanding and analyzing this information can provide the examiner with additional insight
about the link file associated with the original file. Screenshots of the link file’s outputs can be
viewed in Appendix A.
When using the various tools on the link files the examiner was able to view and analyze the
metadata and other artifacts for each of the files. The examiner observed an anomaly within the
MAC times when the file, “Sunset.jpg.lnk” was parsed with lnk-parse-1.0.pl and lslnk.pl. The
examiner noticed that the time offset for the “last modification” timestamp did not correspond to
the creation and last access times of the file.
7. Page 7 of 22
Discussion of Results
During the lab the examiner used various parsing tools on the provided link files in order to
examine the data contained within each of the link files. The examiner observed and analyzed
the various capabilities of each of the tools when parsing the link files and analyzed the various
outputs from each of the parsing tools. The examiner observed when using the parsing tools
throughout the lab, not one tool was capable of providing all of the information that was
available within the link files. But, each of the tools used throughout the lab was able to provide
data that could be analyzed to confirm the findings of each of the tools.
An example of this was seen when the lnk-parse-1.0.pl and lslnk.pl and lnkanalyser.exe tools
were used to parse data from the various link files. All the tools provided similar outputs from
the link files; but only the lnk-parse-1.0.pl tool provided file times that corresponded to the
machine’s local time, while the lslnk.pl and lnkanalyser.exe tools provided the file’s times in
UTC. Using the capabilities of each of these tools to analyze the link files allows the examiner
to compare and confirm outputted parsed data. The benefit of having tools that provide output
data based on the local machine’s time and UTC is that the file’s offset times can be calculated
and determined by the examiner. Using this additional information can help the examiner
determine the physical location of the local machine that was used to create the link files. An
additional benefit of knowing the offset MAC times for the files allows the examiner to identify
any anomalies within the link files. While performing the examination on the link files the
examiner came across such an anomaly with an individual file. When the examiner parsed the
file, “Sunset.jpg.lnk” the examiner noticed an anomaly within the MAC times of the link file. As
seen in figures 4 and 5 the file’s MAC offset times do not match throughout the file.
Figure 4: Local times of Sunset.jpg.lnk
-7
-7
+5
8. Page 8 of 22
Figure 5: Irregular time offsets for Sunset.jpg.lnk in UTC
While the creation and last accessed times have an offset of UTC -7 the last modified time has an
offset of UTC +5. , which leads the examiner to believe that anti-forensic measures may have
possibly been used on this specific file and additional analysis on this file would be required.
When an anomaly like this is seen in an investigation it’s a sign of possible data tampering by the
user, which would require the examiner to perform additional analysis on the file in order to
confirm or disregard this suspicion.
When using the lnkanalyser.exe tool on the various link files the examiner was provided
information about the file’s “Tracker Data Block.” The Tracker Data block provides the
examiner with specific information that is unique to the link file. As example of the Tracker
Data Block can be seen in figure 6 and an explanation of the Tracker Data Block can be found in
table 2.
9. Page 9 of 22
Figure 6: Tracker Data Block for temp.lnk
Tracker Data Block Explanation
MachineId:
vernmcc-965f0ee
Identifies the name of the local machine that
created the link file
NewVolumeId:
225ED670286A3846BD4A2A8C1314D862
Identifies the current volume where the file is
stored
NewObjectId:
0FAB4C438D03E2118B46000C2901A78E
Identifies the current ID associated with the
file
NewObjectId Timestamp:
9/21/2012 1:40:02 AM
Identifies the current file’s creation timestamp
NewObjectId Sequence Number:
2886
Identifies in what sequence the file was created
NewObjectId MAC Address:
00:0C:29:01:A7:8E
MAC address of the host computer
BirthVolumeId:
225ED670286A3846BD4A2A8C1314D862
Original volume ID that is assigned to the
created file
BirthObjectId:
0FAB4C438D03E2118B46000C2901A78E
Original object ID that is assigned to the MFT
for the created file
BirthObjectId Timestamp:
9/21/2012 1:40:02 AM
Original timestamp that is assigned to the
created file
BirthObjectId Sequence Number:
2886
Original sequence number that is assigned to
the created file
BirthObjectId MAC Address:
00:0C:29:01:A7:8E
Original MAC address that is assigned to the
created file
Table 2: Tracker Data Block Details Explained
By analyzing the information contained within the Tracker Data Block the examiner can identify
additional useful metadata information about the link file. This additional information can
provide additional insight about the file that has already been parsed by the previous forensic
tools.
Conclusion
After completing the analysis of the link files with the various parsing tools, the examiner was
able to gain further insight and understanding about the full capabilities of each of the parsing
tools. Throughout, the lab the examiner fully exercised each of the parsing tools on each of the
link files in order to collect various metadata about each of the link files. Having used the
various parsing tools throughout the lab on the link files the examiner was able to collect various
output data from each of the link files. With these findings the examiner was able to compare
output data from each of the tools and verify various metadata findings. It was through the use
of various parsing tools that the examiner was able to determine the link files’: MAC times,
working paths, volume ID and serial number, file sizes, machine ID, and determine whether the
file had been moved from its original location. By understanding the capabilities of each of the
10. Page 10 of 22
tools and what the outputted metadata means, the examiner was able to determine the time zone
offset from the local machine as UTC -7; as well as discover possible evidence of data tampering
occurring on one of the provided link files. Now understanding what possible metadata contents
can be stored in link files; the examiner now understands the importance of using parsing tools to
perform analysis on link files that are discovered during a forensic investigation.
