EnCase App Central

Link File & Jump List Parser

This script is designed to parse shortcut-link streams as defined by V2 of the Microsoft [MS-SHLLINK] document specification, which was released on 14 December 2011.

The script will parse the streams contained in 'lnk', 'customDestinations-ms' and 'automaticDestinations-ms' files specified by the user.

The 'customDestinations-ms' and 'automaticDestinations-ms' files are used to implement the jump-lists introduced with Windows 7.

Jump-lists extend the functionality of menu-items shown on the Windows start menu and task bar.

Jump-lists allow for additional application-control options, but their forensic significance lies in the fact that they track recent file-activity over a significant length of time. This may include activity not tracked by other areas of the operating system, such as the shortcut-link files maintained in a user's 'Recent' folder.

Jump-lists also contain information that may enable the examiner to identify exactly which applications have been used to open a particular file.

The 'automaticDestinations-ms' file is a compound file as defined by the Microsoft [MS-CFB] Compound Binary File specification document. Shortcut-link streams stored in these files each have a name that is an index number in hex format.

Each 'automaticDestinations-ms' file will also contain one additional stream called 'DestList'. This is believed to act as a most-recently-used (MRU) index-list and will contain an entry for each sibling stream. Each entry will contain a Windows DATETIME stamp, which usually represents the time the associated item was last opened.

The exact format of the 'customDestinations-ms' file isn't known but research has shown it to contain a concatenated list of shortcut-link streams.
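
As an added illustration (not part of the EnScript or of the original page), the Python example below carves shortcut-link headers out of a buffer of concatenated streams, as described above, by searching for the 76-byte ShellLinkHeader signature defined in [MS-SHLLINK] and decoding its timestamps. The sample buffer, its filler bytes and all function names are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader per [MS-SHLLINK]: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
SIGNATURE = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HEADER = struct.Struct("<I16sII3QIiIH2xII")  # 76 bytes, little-endian
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None


def carve_link_headers(blob):
    """Yield (offset, fields) for every shell-link header found in blob."""
    pos = blob.find(SIGNATURE)
    while pos != -1:
        if pos + HEADER.size <= len(blob):  # ignore a header cut off by end of data
            _, _, flags, attrs, ctime, atime, wtime, size, *_ = HEADER.unpack_from(blob, pos)
            yield pos, {
                "link_flags": flags,
                "file_attributes": attrs,
                "created": filetime_to_utc(ctime),
                "accessed": filetime_to_utc(atime),
                "modified": filetime_to_utc(wtime),
                "target_size": size,
            }
        pos = blob.find(SIGNATURE, pos + len(SIGNATURE))


def sample_header(ticks, size):
    """Constructed record: a bare header with no optional sections after it."""
    return HEADER.pack(0x4C, SIGNATURE[4:], 0, 0x20, ticks, ticks, ticks, size, 0, 1, 0, 0, 0)


T0 = 129698496000000000  # FILETIME for 2012-01-01 00:00:00 UTC
# Constructed buffer: two headers separated by arbitrary filler bytes.
SAMPLE = (b"\xAA" * 20 + sample_header(T0, 1024) + b"\xBB" * 9
          + sample_header(T0 + 10_000_000, 2048) + b"\xCC" * 4)

if __name__ == "__main__":
    for offset, fields in carve_link_headers(SAMPLE):
        print(f"0x{offset:04x}", fields["modified"], fields["target_size"])
```

A signature hit is only a candidate record; the structures that follow the header still need to be validated against [MS-SHLLINK] before the result is relied on.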

Both the 'automaticDestinations-ms' and 'customDestinations-ms' files are named using an application ID or hash that links their content to a particular application, process or function.

Lists of application IDs are available for download from the Internet. This script contains an embedded, tab-delimited application-ID list called 'Jump List App ID List.txt'.

When this script is executed, it will extract a copy of the embedded application-ID list into the same folder as itself, provided that a file of the same name doesn't already exist.

The embedded application-ID list is provided as a convenience and is used at the examiner's own risk. The list can be edited as needed or another list used in its place. Using an application-ID list is not obligatory.

The output of the script is in the form of a tab-delimited spreadsheet file that can be opened using Microsoft Excel or another compatible application. Note that a small amount of additional formatting may be necessary if any values in the output file aren't displayed correctly.

Version: 3.0.1
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

11460 Downloads
187 Downloads in last 6 months