Forensic analysis of recently accessed files - LNK (Linklist) analysis

-
Part of the series (2 of 3) Windows artifact analysis.

LNK files, also called link lists in some sources, are created automatically by Windows operating system when user interacts with documents, apps and folders. LNK file is also can be described as the list of shortcut files which is shown when user right clicks on the file explorer image on the taskbar, as shown below, as these shortcut files are shown based on latest access time and frequency:
















As we all know, that list up here is modifiable and limited with recently accessed few files. So how are LNK files can help us from the forensic perspective?

Even though user is able to remove that list shown above, Windows still keeps trace of those files and also the list is lot longer that it appears on the taskbar. Complete list of recently accessed files, docs, apps and folders can be found in "C:\Users\%User%\Recent" location, or simply click Windows, type "run" and enter "recent" to the command window. 










Later then, these files can be opened, re-located and examined if they are still existing on the computer hard drive.

Detecting .LNK files in EnCase

Also, LNK files can easly be detected on EnCase, with their extension. LNK files, just like their names have the .lnk or .LNK extensions. By sorting files by their extension, LNK files can be found all together and can be exported using one of EnCase's file exporter EnPacks. After exporting process completed, each file is extracted with its native extension. So exported files can be opened and examined easily once extracted.

Yorumlar

Yorum Gönder

Bu blogdaki popüler yayınlar

Setting up FTK Imager on Ubuntu OS installed USB Drive

-
One of the most suitable methods for disk imaging is using Linux distributions. For this process, the operating system must have FTK Imager software installed, which allows image capture with the E.01 extension. Among the Linux distributions, only the Deft Zero operating system comes with this application pre-installed. For other Linux distributions, the FTK Imager software needs to be installed within these systems to perform imaging. The Ubuntu operating system allows direct imaging on devices with the new generation (UEFI) boot system without switching to the Legacy Boot Option in the UEFI interface, unlike other Linux versions. Therefore, it is recommended to use Ubuntu on customer devices where the Legacy option does not appear in the Boot Option or where Boot settings cannot be changed. First, a folder is created within the Ubuntu USB with write and delete permissions: sudo mkdir /opt/ftk-imager sudo chmod 777 /opt/ftk-imager The FTK Imager.tar file, located on another USB, is...
Devamı

Extracting hash values from MS Office files using John The Ripper on Linux

-
Resim
Part of the series (1 of 2) cracking password protected MS Office files. When we encrypt a document such as xls, xlsx, docx etc., the password we use for encryption is usually kept (embedded) as a calculated hash inside source code of the file. Hence, the most important thing here is to define the correct approach which will be the most useful for detecting and extracting that hash file.  What is hash? Hash is a product of a information that is calculated using a hashing algorithm. Saying that, each hashing algorithm has different calculation methods, so that aspects and calculating times vary for each of them. I prefer to keep that section short, as we will take a detailed look into it in another post. MS Office hashing algorithm formats For protected office files, usually combined hashing algorithms are preferred. As they vary on the MS office version, a hashing file belonging to MS Office 2013 will usually look like the following format:  MS Office ⇐ 2003 MD5 + RC4, oldoffi...
Devamı

Cracking password protected MS Office files using Hashcat

-
Part of the series (2 of 2) cracking password protected MS Office files. Whether it is a forensic investigation or even in private life, we might need to open a password protected file which might contain a personal information or information that can change the direction of investigation. For those files, unlike common belief, depending on the length of password, it is actually possible to crack the file reach the data inside. But in order to that, we must have the correct tools and right approach.  In this article, I am going to show how to crack a password protected MS office file using Hashcat on Linux Ubuntu OS step by step. Extracting password hash from the file In our case, we are going to have example.xlsx file which is protected with password. The first thing to do here is to extract the hash of the password which can be done using John The Ripper. This step is explained in my previous article, which can be found here . Note that we are going to need the text file that is...
Devamı