I saw a question in a forum recently regarding Windows Shortcut Files, and thought I would post something that included my findings from a quick test.
The question had to do with the file MAC times found embedded in the .lnk file, with respect to those found on the file system (FAT32 in this case). The question itself got me curious, so I ran a quick test of my own.
I located a .lnk file in my profile's (on my own system) Recent folder (NTFS partition) and ran the lslnk.pl script from my book against it, extracting (in part) the embedded file times:
MAC Times:
Creation Time = Fri Nov 16 20:33:21 2007 (UTC)
Modification Time = Fri Nov 16 22:47:50 2007 (UTC)
Access Time = Fri Nov 16 20:33:21 2007 (UTC)
I then double-clicked the Shortcut file itself (from within Windows Explorer), launching the .pdf file. I closed the .pdf file and used "dir /ta" to verify that the last access time on the shortcut file and on the .pdf file itself had been updated to the current time (in this case, 7:29am EST). I re-ran the lslnk.pl script against the original shortcut file, and extracted the same MAC times as seen above.
BTW...the creation date on the .pdf file in question is 11/16/2007 03:33 PM...which is identical to the creation date embedded in the shortcut file, with the time zone taken into account.
Based on extremely limited testing, it would appear that the MAC times in the shortcut file do not change following the initial creation of the shortcut file.
Can anyone confirm/verify this, on NTFS as well as FAT32?
Showing posts with label shortcut. Show all posts
Showing posts with label shortcut. Show all posts
Sunday, December 02, 2007
Saturday, August 18, 2007
Copying Files
I've been party to or heard a good number of discussions lately regarding USB removable storage devices, and one of the topics that invariably comes up is, how can you determine which files were copied from the system to a thumb drive, or vice versa.
In most instances, folks are working only with the image of a system, and do not have access to the thumb drive itself. They can easily find the information that tells them when a thumb drive was first connected, and when it was last connected...and then the next question is, what files were or may have been copied to the thumb drive (or from the thumb drive to the system)?
The fact is that Windows systems do not maintain a record of file copies or moves...there is simply no way for a forensic analyst to look at the image of a system and say which files were copied off of the system onto a thumb drive. In order to determine this, you'd need to have the thumb drive (or other media) itself, and be able to see that you had two files of the same or similar size (you can also compare the files with md5deep or ssdeep), one of which is on each piece of media. From there, you could then check the file MAC times and possibly make some conclusions regarding the direction of transfer.
Many times in a conversation on this topic, someone will bring up Windows shortcuts or LNK files. To be honest, I'm not really sure why this comes up, it just seems to be the case. Shortcuts can be created manually, of course, but with regards to files, they are created when a user double-clicks a file, such as a Word document, to open it. Repeated testing on my part (including testing done by others) has yet to turn a method by which normal (as in "normal user activity") dragging-and-dropping a file or using the "copy" command will result in a Windows shortcut file being created.
Does anyone out there have any thoughts or input on tracking this kind of activity, having nothing more than a single system image to analyze? If so, I'd appreciate hearing from you.
In most instances, folks are working only with the image of a system, and do not have access to the thumb drive itself. They can easily find the information that tells them when a thumb drive was first connected, and when it was last connected...and then the next question is, what files were or may have been copied to the thumb drive (or from the thumb drive to the system)?
The fact is that Windows systems do not maintain a record of file copies or moves...there is simply no way for a forensic analyst to look at the image of a system and say which files were copied off of the system onto a thumb drive. In order to determine this, you'd need to have the thumb drive (or other media) itself, and be able to see that you had two files of the same or similar size (you can also compare the files with md5deep or ssdeep), one of which is on each piece of media. From there, you could then check the file MAC times and possibly make some conclusions regarding the direction of transfer.
Many times in a conversation on this topic, someone will bring up Windows shortcuts or LNK files. To be honest, I'm not really sure why this comes up, it just seems to be the case. Shortcuts can be created manually, of course, but with regards to files, they are created when a user double-clicks a file, such as a Word document, to open it. Repeated testing on my part (including testing done by others) has yet to turn a method by which normal (as in "normal user activity") dragging-and-dropping a file or using the "copy" command will result in a Windows shortcut file being created.
Does anyone out there have any thoughts or input on tracking this kind of activity, having nothing more than a single system image to analyze? If so, I'd appreciate hearing from you.
Subscribe to:
Posts (Atom)