Description


This script is designed to parse shortcut-link streams as defined by the Microsoft [MS-SHLLINK] document specification, which was originally released in 2010.

The script will parse the streams contained in 'lnk', 'customDestinations-ms' and 'automaticDestinations-ms' files specified by the user.

The 'customDestinations-ms' and 'automaticDestinations-ms' files are used to implement the jump-lists first introduced with Windows 7.

Jump-lists extend the functionality of menu-items shown on the Windows start menu and task bar. Their forensic significance lies in the fact that they track user activity over a significant length of time.

This may include activity not tracked by other areas of the operating system, e.g., the shortcut link files maintained in a user's 'Recent' folder.

Jump-lists also contain information that may enable the examiner to identify exactly which applications have been used to open a particular file.

The 'automaticDestinations-ms' file is a compound file as defined by the Microsoft [MS-CFB] Compound Binary File specification document. Shortcut-link streams stored in these files each have a name that is an index number in hex format.

Each 'automaticDestinations-ms' file will also contain one additional stream called 'DestList'. This is believed to act as a most-recently-used (MRU) index-list and will contain an entry for each sibling.

This DestList entry will contain a Windows DATETIME stamp, which usually represents the time the associated item was last opened. It will also contain a value indicating whether the associated item has been pinned, and if so, the position of the item in the pinned-items list.

The exact format of the 'customDestinations-ms' file isn't known, but research has shown it to contain a concatenated list of shortcut-link streams.

Both the 'automaticDestinations-ms' and 'customDestinations-ms' are named using an application-ID (hash) that links their content to a particular application, process or function.

This script contains an embedded, tab-delimited application-ID list called 'Jump List App ID List.txt' created from several Internet sources.

Upon execution, the script will extract a copy of the embedded application-ID-list into the same folder as itself. This will only take place if a file of the same name doesn't exist already.

The embedded application-ID list is provided as a convenience and is used at the examiner's own risk. The list can be edited as needed or another list used in its place. Note that using an application-ID list is not obligatory.

The output of the script is in the form of a tab-delimited spreadsheet file that can be opened using Microsoft Excel or another compatible application. Note that a small amount of additional formatting may be necessary if any values in the output file aren't displayed correctly.

This script was developed for use in EnCase training. For more details, please click the following link:

Suggested apps

Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.

Releases

Release
Size
Date
Link File & Jump List Parser 4.3.0
  |  
Aug 1, 2024
More info Less info
Product compatibility
EnCase App Central
Version 1.0
Release notes

Tested with:
EnCase Forensic 20.02.00.185

Languages
English

Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.

Marketplace Terms of Service

In order to continue, you must accept the updated Marketplace Terms of Service
Since you are downloading an app from the OpenText Marketplace, you need to accept the updated Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service" box below and click accept to continue your download.


Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2024-8-3-6225 | Wed Aug 28 17:13:31 PDT 2024