This script is designed to parse shortcut-link streams as defined by the Microsoft [MS-SHLLINK] document specification, which was originally released in 2010.
The script will parse the streams contained in 'lnk', 'customDestinations-ms' and 'automaticDestinations-ms' files specified by the user.
The 'customDestinations-ms' and 'automaticDestinations-ms' files are used to implement the jump-lists first introduced with Windows 7.
Jump-lists extend the functionality of menu-items shown on the Windows start menu and task bar. Their forensic significance lies in the fact that they track user activity over a significant length of time.
This may include activity not tracked by other areas of the operating system, e.g., the shortcut link files maintained in a user's 'Recent' folder.
Jump-lists also contain information that may enable the examiner to identify exactly which applications have been used to open a particular file.
The 'automaticDestinations-ms' file is a compound file as defined by the Microsoft [MS-CFB] Compound Binary File specification document. Shortcut-link streams stored in these files each have a name that is an index number in hex format.
Each 'automaticDestinations-ms' file will also contain one additional stream called 'DestList'. This is believed to act as a most-recently-used (MRU) index-list and will contain an entry for each sibling shortcut-link stream.
This DestList entry will contain a Windows DATETIME stamp, which usually represents the time the associated item was last opened. It will also contain a value indicating whether the associated item has been pinned, and if so, the position of the item in the pinned-items list.
The exact format of the 'customDestinations-ms' file isn't known, but research has shown it to contain a concatenated list of shortcut-link streams.
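Because the container format is undocumented, one way to locate the concatenated streams is to carve on the fixed [MS-SHLLINK] ShellLinkHeader signature. The Python below is an added example, not the script's own code; the function names and the sample buffer are constructed for illustration, and signature carving is a heuristic that can produce false positives.

```python
import struct
from datetime import datetime, timedelta, timezone

# HeaderSize (0x0000004C) followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_SIGNATURE = bytes.fromhex("4c0000000114020000000000c000000000000046")
HEADER_SIZE = 0x4C
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; None if unset or out of range."""
    if ticks == 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:  # garbage value from a false-positive signature hit
        return None

def carve_link_headers(data):
    """Return one dict per complete ShellLinkHeader found anywhere in data."""
    found = []
    pos = data.find(LNK_SIGNATURE)
    while pos != -1:
        if pos + HEADER_SIZE <= len(data):  # skip a header truncated by end of data
            # LinkFlags, FileAttributes, three FILETIMEs and FileSize follow the CLSID
            flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, pos + 20)
            found.append({"offset": pos, "link_flags": flags, "file_attributes": attrs,
                          "created": filetime_to_utc(ctime), "accessed": filetime_to_utc(atime),
                          "written": filetime_to_utc(wtime), "file_size": size})
        pos = data.find(LNK_SIGNATURE, pos + 1)
    return found

def _constructed_header(file_size, write_time):
    """Build a 76-byte header for the sample below (constructed test data)."""
    fields = struct.pack("<IIQQQI", 0x01, 0x20, 0, 0, write_time, file_size)
    return LNK_SIGNATURE + fields + bytes(HEADER_SIZE - len(LNK_SIGNATURE) - len(fields))

# Constructed sample: padding, two headers, then a signature cut off by end of data.
SAMPLE = (bytes(16) + _constructed_header(1024, 129067776000000000) + b"junk"
          + _constructed_header(2048, 0) + LNK_SIGNATURE + bytes(10))

if __name__ == "__main__":
    for hit in carve_link_headers(SAMPLE):
        print(hit["offset"], hit["file_size"], hit["written"])
```

Each reported offset marks the start of one shortcut-link stream; a zero FILETIME is returned as None rather than as 1601-01-01.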
Both the 'automaticDestinations-ms' and 'customDestinations-ms' files are named using an application-ID (hash) that links their content to a particular application, process or function.
This script contains an embedded, tab-delimited application-ID list called 'Jump List App ID List.txt' created from several Internet sources.
Upon execution, the script will extract a copy of the embedded application-ID-list into the same folder as itself. This will only take place if a file of the same name doesn't exist already.
The embedded application-ID list is provided as a convenience and is used at the examiner's own risk. The list can be edited as needed or another list used in its place. Note that using an application-ID list is not obligatory.
The output of the script is in the form of a tab-delimited spreadsheet file that can be opened using Microsoft Excel or another compatible application. Note that a small amount of additional formatting may be necessary if any values in the output file aren't displayed correctly.
This script was developed for use in EnCase training. For more details, please click the following link: