lifer - A forensics tool for Windows link file examinations (i.e. Windows shortcuts).


‘lifer’ is a Windows or *nix command-line tool inspired by the whitepaper ‘The Meaning of Link Files in Forensic Examinations’ by Harry Parsonage, available here. It started life as a lightweight tool that I wrote in order to extract certain information from link files to assist in enquiries I was making whilst working as a computer forensic analyst. Now I am retired, but I am looking to expand its usefulness and publish it so that others can benefit.

lifer – A Windows link file analyser
Version: 3.0.7

The information extracted is in accordance with the Microsoft Open Specification Document ‘MS-SHLLINK’, which can be found online here. At the time of writing, only parts of specification version 3.0 are implemented. Over time, however, I hope to bring the tool into line with the full current specification and also include other goodies such as:
+ A full output conforming to all of the sections in the MS-SHLLINK documentation.
+ Relevant output from IDList containers
+ Recognition of, and parsing of link file data within jump list containers.

Installation:

Source: https://github.com/Paul-Tew