lifer - A forensics tool for Windows link file analyzer.

lifer – A forensics tool for Windows link file analyzer.

lifer is a Windows or *nix command-line tool inspired by the whitepaper ‘The Meaning of Link Files in Forensic Examinations’ by Harry Parsonage and available here ( It started life as a lightweight tool that I wrote in order to extract certain information from link files to assist in enquiries I was making whilst working as a computer forensic analyst. Now I am retired but I am looking to expand it’s usefulness and publish it so that others can benefit.

The information extracted is in accordance with the Microsoft Open Specification Document ‘MS-SHLLNK’ which can be found online here( . At the time of writing most parts of specification version 3.0 are implemented. Over time however, I hope to bring the tool into line with the full current specification and also include other goodies such as:
+ Relevant output from IDList containers (which need reverse engineering – see ‘IDLIST.txt’)
+ Recognition of, and parsing of link file data within jump list (OLE) containers.

lifer v3.0.17

The lifer github project comes complete with a Visual Studio 2017 project solution so the easiest way to create a Windows executable is to install Visual Studio 2017 first. There is a free version (known as the ‘community’ version) available here. Once Visual Studio is installed:
1. Left-click on File->Open->Project/Solution and browse to the lifer.sln file to load the solution into Visual Studio.
2. On the Standard Toolbar, set the Solution Configuration options to those that suit your machine and preference (for example, I use: ‘x64’ and ‘Debug’)
3. Build the solution from the ‘Build’ menu or simply use the key combination: Ctrl+Shift+B
4. Provided there were no errors you should have an executable ‘lifer.exe’ file in the relevant sub-folder of your project.
5. At this point I usually open a Powershell terminal and navigate to the folder containing the executable which for me is done by issuing the command:

– then test the executable using the command:

Download and Use: