Link File & Jump List Parser
This script is designed to parse shortcut-link streams as defined by the Microsoft [MS-SHLLINK] document specification V2, which was released on the 14th December 2011.
The script will parse the streams contained in 'lnk', 'customDestinations-ms' and 'automaticDestinations-ms' files specified by the user.
The 'customDestinations-ms' and 'automaticDestinations-ms' files are used to implement the jump-lists introduced with Windows 7.
Jump-lists extend the functionality of menu-items shown on the Windows start menu and task bar.
Jump-lists allow for additional application-control options but their forensic significance lies in the fact that they track recent file-activity over a significant length of time. This may include activity not tracked by other areas of the operating system, the shortcut link files maintained in a user's 'Recent' folder for instance.
Jump-lists also contain information that may enable the examiner to identify exactly which applications have been used to open a particular file.
The 'automaticDestinations-ms' file is a compound file as defined by the Microsoft [MS-CFB] Compound Binary File specification document. Shortcut-link streams stored in these files each have a name that is an index number in hex format.
Each 'automaticDestinations-ms' file will also contain one additional stream called 'DestList'. This is believed to act as a most-recently-used (MRU) index-list and will contain an entry for each sibling. This entry will contain a Windows DATETIME stamp, which usually represents the time the associated item was last opened.
The exact format of the 'customDestinations-ms' file isn't known but research has shown it to contain a concatenated list of shortcut-link streams.
Both the 'automaticDestinations-ms' and 'customDestinations-ms' are named using an application ID or hash that links their content to a particular application, process or function.
Lists of application IDs are available for download from the Internet. This script contains an embedded, tab-delimited application-ID list called 'Jump List App ID List.txt'.
When this script is executed, it will extract a copy of the embedded application-ID-list into the same folder as itself provided that a file of the same name doesn't already exist.
The embedded application-ID list is provided as a convenience and is used at the examiner's own risk. The list can be edited as needed or another list used in its place. Using an application-ID list is not obligatory.
The output of the script is in the form of a tab-delimited spreadsheet file that can be opened using Microsoft Excel or another compatible application. Note that a small amount of additional formatting may be necessary if any values in the output file aren't displayed correctly.