2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains the analysis of Windows user search LNK files: what these files are, what they contain, and how they can be correlated with the user's Explorer search history. The content is simple and clear and easy to follow; read on with the editor to study it in depth.
Windows LNK format
The .lnk extension denotes a Windows file format that contains the information needed to access other data objects through the Windows Shell.
A LNK shortcut file is a Shell Item type that the Windows operating system creates automatically when a user accesses a file through a supported application; a user can also create one manually. LNK shortcut files typically contain metadata about the accessed file, including file name, file size, original path, timestamps, volume information, system information, and network information. Fortunately, tools are available to parse these files; in this article we use Eric Zimmerman's LECmd for the demonstration.
User searches for LNK files
Recently, Mandiant came across a kind of LNK file we had not studied before, on a Windows Server 2012 R2 system, with file paths similar to the following:
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\gov.lnk
From the LNK file names alone, a forensic analyst can tell that the user opened a file called passw or gov. Normally the analyst would then use a tool like LECmd to recover additional metadata: the full path of the accessed file, the access timestamps, and other forensic data.
However, these LNK files do not expose that additional metadata. The following is the LECmd output for passw.lnk:
LECmd version 1.3.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

--- Header ---
  Target created:
  Target modified:
  Target accessed:

  File size: 0
  Flags: HasTargetIdList, IsUnicode, DisableKnownFolderTracking
  File attributes: 0
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: Search Folder\passw

  -Users property view ==> Search Folder
    >> Property store (Format: GUID\ID Description ==> Value)
       d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutoList ==> VT_STREAM not implemented (yet) See extension block section for contents for now
       d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheTime ==> 1849138729510
       d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheKey ==> Search Results in Local Disk (C:) 0
  -Variable: Users property view ==> passw
    >> Property store (Format: GUID\ID Description ==> Value)
       1e3ee840-bc2b-476c-8237-2acd1a839b22\2 (Description not available) ==> VT_STREAM not implemented
       1e3ee840-bc2b-476c-8237-2acd1a839b22\8 (Description not available) ==> passw
       28636aa6-953d-11d2-b5d6-00c04fd918d0\11 Item Type ==> Stack
       28636aa6-953d-11d2-b5d6-00c04fd918d0\25 SFGAO Flags ==> 805306372
       b725f130-47ef-101a-a5f1-02608c9eebac\10 Item Name Display ==> passw

--- End Target ID information ---

--- Extra blocks information ---

>> Property store data block (Format: GUID\ID Description ==> Value)
   (Property store is empty)
Note the very interesting strings in the Target ID data, such as "Search Folder\passw" and "Search Results in Local Disk (C:)". For comparison, the output for a standard LNK shortcut file (a test file, test.txt) follows. Note that it carries the target file's timestamps, file size, full file path, and other metadata.
LECmd version 1.3.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

--- Header ---
  Target created:  2020-01-21 19:34:28
  Target modified: 2020-01-21 19:34:28
  Target accessed: 2020-01-22 21:25:12

  File size: 4
  Flags: HasTargetIdList, HasLinkInfo, HasRelativePath, HasWorkingDir, IsUnicode, DisableKnownFolderTracking
  File attributes: FileAttributeArchive
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

Relative Path: ..\Desktop\test.txt
Working Directory: C:\Users\Desktop

--- Link information ---
Flags: VolumeIdAndLocalBasePath

>> Volume information
  Drive type: Fixed storage media (Hard drive)
  Serial number:
  Label: OSDisk

  Local path: C:\Users\\Desktop\test.txt

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: My Computer\Desktop\test.txt

  -Root folder: GUID ==> My Computer
  -Root folder: GUID ==> Desktop
  -File ==> test.txt
    Short name: test.txt
    Modified: 2020-01-21 19:34:30
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: test.txt
    Created: 2020-01-21 19:34:30
    Last access: 2020-01-21 19:34:32
    MFT entry/sequence #: 108919, sequence 8 (0x1A977/0x8)

--- End Target ID information ---

--- Extra blocks information ---

>> Tracker database block
   Machine ID:
   MAC Address:
   MAC Vendor: INTEL
   Creation: 2020-01-21 15:19:59

   Volume Droid:
   Volume Droid Birth:
   File Droid:
   File Droid birth:
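To show what separates the two LECmd outputs above at the byte level, here is an added Python example; it is not part of the original article and not LECmd's code. It reads the ShellLinkHeader and LinkTargetIDList structures defined in MS-SHLLINK, reports the link flags, target timestamps and file size, pulls the UTF-16 strings out of the ItemIDs (where the search term and "Search Results in Local Disk (C:)" live in a search LNK), and flags the "user search LNK" shape: IDList present, no LinkInfo, zero file size, unset timestamps. The two sample blobs are constructed inside the script to mirror the passw.lnk and test.txt shapes; they are not the investigation's files, the ItemID layout they use is simplified, and all function and field names are the example's own.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields).
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkFlags bits from MS-SHLLINK 2.1.1; only the ones this parser reports.
LINK_FLAGS = {
    0x00000001: "HasTargetIdList",
    0x00000002: "HasLinkInfo",
    0x00000008: "HasRelativePath",
    0x00000010: "HasWorkingDir",
    0x00000080: "IsUnicode",
    0x00200000: "DisableKnownFolderTracking",
}


def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means the field is not set."""
    return None if ft == 0 else WIN_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - WIN_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk(data):
    """Parse the ShellLinkHeader and, when HasTargetIdList is set, the LinkTargetIDList."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    parsed = {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "target_created": filetime_to_dt(ctime),
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
        "file_size": size,
        "idlist_strings": [],
    }
    if flags & 0x1:
        offset = HEADER_SIZE + 2
        end = offset + struct.unpack_from("<H", data, HEADER_SIZE)[0]
        while offset + 2 <= end:
            item_size = struct.unpack_from("<H", data, offset)[0]
            if item_size == 0:  # TerminalID closes the list
                break
            item = data[offset + 2:offset + item_size]
            # Printable UTF-16LE runs inside each ItemID: for a search LNK this is where
            # the search term and "Search Results in Local Disk (C:)" are stored.
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", item):
                parsed["idlist_strings"].append(m.group().decode("utf-16-le"))
            offset += item_size
    return parsed


def looks_like_search_lnk(parsed):
    """The user-search shape: IDList present, no LinkInfo, zero size, no target timestamps."""
    return ("HasTargetIdList" in parsed["flags"]
            and "HasLinkInfo" not in parsed["flags"]
            and parsed["file_size"] == 0
            and parsed["target_created"] is None
            and parsed["target_modified"] is None)


def build_sample_lnk(flags, ctime, atime, wtime, size, strings):
    """Assemble a constructed .lnk blob for testing. The ItemID layout is simplified
    (2-byte type prefix + UTF-16 string) and no LinkInfo body is emitted, because the
    parser above stops after the IDList."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<IIQQQI", flags, 0, ctime, atime, wtime, size)
    header += struct.pack("<iIHHII", 0, 1, 0, 0, 0, 0)  # IconIndex, ShowCommand, HotKey, Reserved1-3
    assert len(header) == HEADER_SIZE
    items = b""
    for s in strings:
        payload = b"\x00\x00" + s.encode("utf-16-le") + b"\x00\x00"
        items += struct.pack("<H", len(payload) + 2) + payload
    idlist = items + b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples mirroring the two outputs in the article (not the real files).
SEARCH_FLAGS = 0x1 | 0x80 | 0x200000            # HasTargetIdList, IsUnicode, DisableKnownFolderTracking
NORMAL_FLAGS = SEARCH_FLAGS | 0x2 | 0x8 | 0x10  # + HasLinkInfo, HasRelativePath, HasWorkingDir
SEARCH_SAMPLE = build_sample_lnk(SEARCH_FLAGS, 0, 0, 0, 0,
                                 ["Search Results in Local Disk (C:)", "passw"])
_T = dt_to_filetime(datetime(2020, 1, 21, 19, 34, 28, tzinfo=timezone.utc))
NORMAL_SAMPLE = build_sample_lnk(NORMAL_FLAGS, _T, _T, _T, 4, ["test.txt"])

if __name__ == "__main__":
    for name, blob in (("passw.lnk-like", SEARCH_SAMPLE), ("test.txt-like", NORMAL_SAMPLE)):
        p = parse_lnk(blob)
        kind = "search LNK" if looks_like_search_lnk(p) else "file shortcut"
        print(name, kind, p["flags"], p["file_size"], p["idlist_strings"])
```

On a real Recent\ folder, pass each .lnk's bytes to parse_lnk and triage with looks_like_search_lnk first; the strings pulled from the IDList then give the search term without any further decoding of the property store, which is what LECmd's "Search Folder\passw" line reflects.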
Fortunately, during the investigation we also parsed the user's NTUSER.DAT registry hive and looked at the WordWheelQuery key, which holds the user's Explorer search history. The passw.lnk file suddenly became much more interesting. The following is the parsed entry for this registry key:
wordwheelquery v.20100330
(NTUSER.DAT) Gets contents of user's WordWheelQuery key

Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
LastWrite Time Wed Nov 13 06:51:46 2019 (UTC)

Searches listed in MRUListEx order

  14   Secret
  6    passw
  13   ccc
  12   bbb
  11   aaa
  10   *.cfg
  9    apple
  8    dni
  7    private
  4    gov
  5    air
  3    intelsat
  2    adhealthcheck
  1    *.ps1
  0    global
Reading the WordWheelQuery registry key in MRUListEx order, we found that passw is the second most recent entry in the user's Explorer search history. MRUListEx is a registry value that records the order of the user's recent searches, that is, the order in which the user searched for content in Explorer. passw also matches the earlier LNK file containing the string "Search Results in Local Disk (C:)", which indicates that this LNK file is related to Explorer search results, so for now we will call it a "user search LNK file".
Nuance analysis
Checking each entry in the user's Explorer search history on the system, we found that not all search entries have a corresponding user search LNK file. The following lists the user search LNK files found, with their file creation and modification timestamps. The WordWheelQuery registry key held 15 searches, but only 4 user search LNK files were present.
2019-11-09 08:33:14 Created / Modified
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\gov.lnk

2019-11-09 09:29:11 Created
2019-11-09 09:29:37 Modified
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\private.lnk

2019-11-09 08:38:29 Created
2019-11-13 06:47:56 Modified
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk

2019-11-13 06:57:03 Created
2019-11-13 06:57:25 Modified
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\Secret.lnk
In addition, we found pairs of LNK files with similar names created at the same moment; both of the following were created at 08:38:29 UTC on 2019-11-09:
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\password.lnk
Further analysis showed that the system creates a user search LNK file, based on the Explorer search, when the user opens one of the files returned by the search. If the user does not open a file from the search results, no user search LNK file is created.
In this example, password.lnk contains the target file metadata and points to the file T:\directory\password.txt. passw.lnk contains only user search LNK metadata, such as the absolute path Search Folder\passw.
From the difference between the creation and modification timestamps of passw.lnk, we can tell that the user searched for passw and opened a file from the search results on two occasions:
2019-11-09 08:38:29 Created
2019-11-13 06:47:56 Modified
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk
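The two steps above, decoding the WordWheelQuery history in MRUListEx order and then matching each search term against the Recent\ folder to see which searches were followed by opening a result, as an added Python example. This code is not from the original article or from RegRipper; the registry values and the Recent\*.lnk timestamps are constructed in the script from the listings in the article (gov.lnk shows a single timestamp there, so created equal to modified is assumed), and the function names are the example's own.

```python
import struct
from datetime import datetime, timezone


def decode_wordwheelquery(values):
    """Return (index, term) pairs in MRUListEx order, most recent search first.

    `values` mirrors the value set under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\
    Explorer\\WordWheelQuery: 'MRUListEx' is a REG_BINARY list of little-endian DWORD indexes
    terminated by 0xFFFFFFFF, and each decimal-named value holds one search term as a
    null-terminated UTF-16LE string."""
    order = []
    for (idx,) in struct.iter_unpack("<I", values["MRUListEx"]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return [(idx, values[str(idx)].decode("utf-16-le").rstrip("\x00")) for idx in order]


def correlate_searches(terms, recent_lnks):
    """Pair each search term with Recent\\<term>.lnk when such a file exists.

    recent_lnks maps file name -> (created, modified). A search LNK is created the first time
    a result of that search is opened and rewritten when that happens again, so each distinct
    timestamp marks a time at which the user opened a file from that search."""
    report = []
    for idx, term in terms:
        stamps = recent_lnks.get(term + ".lnk")
        report.append({
            "index": idx,
            "term": term,
            "opened_result": stamps is not None,
            "open_events": sorted(set(stamps)) if stamps else [],
        })
    return report


def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed fixture reproducing the WordWheelQuery listing from the article.
SEARCH_TERMS = {0: "global", 1: "*.ps1", 2: "adhealthcheck", 3: "intelsat", 4: "gov", 5: "air",
                6: "passw", 7: "private", 8: "dni", 9: "apple", 10: "*.cfg", 11: "aaa",
                12: "bbb", 13: "ccc", 14: "Secret"}
MRU_ORDER = [14, 6, 13, 12, 11, 10, 9, 8, 7, 4, 5, 3, 2, 1, 0]
SAMPLE_VALUES = {str(i): (t + "\x00").encode("utf-16-le") for i, t in SEARCH_TERMS.items()}
SAMPLE_VALUES["MRUListEx"] = b"".join(struct.pack("<I", i) for i in MRU_ORDER) + b"\xff\xff\xff\xff"

# Constructed Recent\*.lnk timestamps following the four files listed in the article.
SAMPLE_RECENT = {
    "gov.lnk":     (_utc(2019, 11, 9, 8, 33, 14), _utc(2019, 11, 9, 8, 33, 14)),
    "private.lnk": (_utc(2019, 11, 9, 9, 29, 11), _utc(2019, 11, 9, 9, 29, 37)),
    "passw.lnk":   (_utc(2019, 11, 9, 8, 38, 29), _utc(2019, 11, 13, 6, 47, 56)),
    "Secret.lnk":  (_utc(2019, 11, 13, 6, 57, 3), _utc(2019, 11, 13, 6, 57, 25)),
}


def search_report(values=SAMPLE_VALUES, recent=SAMPLE_RECENT):
    """Run both steps and index the result by search term."""
    return {row["term"]: row for row in correlate_searches(decode_wordwheelquery(values), recent)}


if __name__ == "__main__":
    for row in correlate_searches(decode_wordwheelquery(SAMPLE_VALUES), SAMPLE_RECENT):
        when = ", ".join(t.strftime("%Y-%m-%d %H:%M:%S") for t in row["open_events"]) or "-"
        print(f'{row["index"]:>3} {row["term"]:<14} opened result: {str(row["opened_result"]):<5} {when}')
```

Terms such as *.cfg can never have a matching file name, so they always report no opened result; that is consistent with the article's observation that only 4 of the 15 searches left a user search LNK file behind.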
The second search for passw occurred on November 13, 2019. This time the user again used the Windows Explorer search function to search for passw, but ran the search from the root of the C:\ drive, and clicked a file named password2.txt in the results. The LECmd output for password2.lnk is as follows:
LECmd version 1.3.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

--- Header ---
  Target created:  2015-11-09 22:14:10
  Target modified: 2010-01-11 16:57:11
  Target accessed: 2015-11-09 22:14:10

  File size: 19
  Flags: HasTargetIdList, HasLinkInfo, HasRelativePath, HasWorkingDir, IsUnicode, DisableKnownFolderTracking
  File attributes: FileAttributeArchive
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

Relative Path: ..\\password2.txt
Working Directory: C:\

--- Link information ---
Flags: VolumeIdAndLocalBasePath, CommonNetworkRelativeLinkAndPathSuffix

>> Volume information
  Drive type: Fixed storage media (Hard drive)
  Serial number:
  Label: (No label)

  Network share information
    Share name: \
    Provider type:
    Share flags: ValidNetType

  Local path: C:\\
  Common path: \password2.txt

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: Search Folder\passw\password2

  -Users property view ==> Search Folder
    >> Property store (Format: GUID\ID Description ==> Value)
       d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutoList ==> VT_STREAM not implemented (yet) See extension block section for contents for now
       d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheTime ==> 1849138729510
       d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheKey ==> Search Results in Local Disk (C:) 0
  -Variable: Users property view ==> passw
    >> Property store (Format: GUID\ID Description ==> Value)
       1e3ee840-bc2b-476c-8237-2acd1a839b22\2 (Description not available) ==> VT_STREAM not implemented
       1e3ee840-bc2b-476c-8237-2acd1a839b22\8 (Description not available) ==> passw
       28636aa6-953d-11d2-b5d6-00c04fd918d0\11 Item Type ==> Stack
       28636aa6-953d-11d2-b5d6-00c04fd918d0\25 SFGAO Flags ==> 805306372
       b725f130-47ef-101a-a5f1-02608c9eebac\10 Item Name Display ==> passw
  -Variable: Users property view ==> Password2
    >> Property store (Format: GUID\ID Description ==> Value)
       49691c90-7e17-101a-a91c-08002b2ecda9\3 Search Rank ==> 0
       28636aa6-953d-11d2-b5d6-00c04fd918d0\25 SFGAO Flags ==> 1077936503
       28636aa6-953d-11d2-b5d6-00c04fd918d0\32 Delegate ID List ==> VT_VECTOR data not implemented (yet) See extension block section for contents for now
       28636aa6-953d-11d2-b5d6-00c04fd918d0\11 Item Type ==> .txt
       28636aa6-953d-11d2-b5d6-00c04fd918d0\24 Parsing Name ==> password2.txt
       446d16b1-8dad-4870-a748-402ea43d788c\100 Thumbnail Cache Id ==> 7524032674880659487
       1e3ee840-bc2b-476c-8237-2acd1a839b22\12 (Description not available) ==> Null
       1e3ee840-bc2b-476c-8237-2acd1a839b22\20 (Description not available) ==> 1
       1e3ee840-bc2b-476c-8237-2acd1a839b22\3 (Description not available) ==> document
       1e3ee840-bc2b-476c-8237-2acd1a839b22\17 (Description not available) ==> {1685D4AB-A51B-4AF1-A4E5-CEE87002431D} .merge Any
       1e3ee840-bc2b-476c-8237-2acd1a839b22\8 (Description not available) ==> C:\\password2.txt
       b725f130-47ef-101a-a5f1-02608c9eebac\4 Item Type Text ==> Text Document
       b725f130-47ef-101a-a5f1-02608c9eebac\10 Item Name Display ==> password2
       b725f130-47ef-101a-a5f1-02608c9eebac\12 Size ==> 19
       b725f130-47ef-101a-a5f1-02608c9eebac\14 Date Modified ==> 2010-01-11 16:57:11
       006fdbaa-864f-4d1c-a8e8-e62772e454fe\11 (Description not available) ==> 59
       006fdbaa-864f-4d1c-a8e8-e62772e454fe\13 (Description not available) ==> 1077936423
       cf5be8c0-236c-4ad3-bace-cd608a2748d7\100 (Description not available) ==> True
       e3e0584c-b788-4a5a-bb20-7f5a44c9acdd\6 Item Folder Path Display ==> C:\

--- End Target ID information ---

--- Extra blocks information ---

>> Property store data block (Format: GUID\ID Description ==> Value)
   (Property store is empty)

>> Tracker database block
   Machine ID:
   MAC Address:
   MAC Vendor: VMWARE
   Creation: 2019-11-13 04:29:24

   Volume Droid:
   Volume Droid Birth:
   File Droid:
   File Droid birth:
The point here is that a user search LNK file is tied only to the search term, not to the search context: the same passw.lnk is reused even though the second search was run from a different location.
Thank you for reading. This concludes the analysis of Windows user search LNK files; how it applies in a specific case still needs to be verified in practice.