'lifer' is a Windows or *nix command-line tool inspired by the whitepaper 'The Meaning of Link Files in Forensic Examinations' by Harry Parsonage, which is available here. It started life as a lightweight tool that I wrote to extract certain information from link files to assist in enquiries I was making while working as a computer forensic analyst. Now that I am retired I am looking to expand its usefulness and publish it so that others can benefit.
The information extracted is in accordance with the Microsoft Open Specification document 'MS-SHLLINK', which can be found online here. At the time of writing only parts of specification version 3.0 are implemented. Over time, however, I hope to bring the tool into line with the full current specification and also include other goodies such as:
+ A full output conforming to all of the sections in the MS-SHLLINK documentation.
+ Relevant output from IDList containers
+ Recognition of, and parsing of link file data within jump list containers.
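To make the MS-SHLLINK structure concrete, the following is an added example of parsing the fixed 76-byte ShellLinkHeader (section 2.1 of the specification) that every link file begins with. It is not lifer's own code (lifer's parser lives in liblife), and the input is a constructed sample header rather than a real link file. It checks the HeaderSize magic and LinkCLSID before trusting any field, decodes the LinkFlags that tell a parser which optional structures follow, and converts the three FILETIME values (the target's timestamps as recorded when the link was created or updated) to Unix epoch seconds.

```c
/* Added example: minimal ShellLinkHeader parser (MS-SHLLINK 2.1). Not lifer's code. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LNK_HEADER_SIZE 0x4Cu   /* HeaderSize must always be 0x0000004C */

/* LinkFlags bits (MS-SHLLINK 2.1.1); only the ones used here are named */
#define LNK_HAS_LINK_TARGET_IDLIST 0x00000001u
#define LNK_HAS_LINK_INFO          0x00000002u
#define LNK_HAS_NAME               0x00000004u
#define LNK_HAS_RELATIVE_PATH      0x00000008u
#define LNK_HAS_WORKING_DIR        0x00000010u
#define LNK_HAS_ARGUMENTS          0x00000020u
#define LNK_HAS_ICON_LOCATION      0x00000040u
#define LNK_IS_UNICODE             0x00000080u
#define LNK_RUN_AS_USER            0x00002000u

/* LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (mixed-endian GUID) byte order */
static const uint8_t LNK_CLSID[16] = {
    0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46
};

typedef struct {
    uint32_t link_flags;
    uint32_t file_attributes;
    uint64_t creation_time;   /* FILETIME: 100 ns ticks since 1601-01-01 UTC */
    uint64_t access_time;
    uint64_t write_time;
    uint32_t file_size;
    int32_t  icon_index;
    uint32_t show_command;    /* SW_SHOWNORMAL (1), SW_SHOWMAXIMIZED (3), SW_SHOWMINNOACTIVE (7) */
    uint16_t hot_key;
} lnk_header_t;

/* Little-endian readers; the file format is little-endian regardless of host */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* 116444736000000000 ticks (11644473600 s) separate the FILETIME epoch from the Unix epoch */
int64_t filetime_to_unix(uint64_t ft) {
    return ((int64_t)ft - 116444736000000000LL) / 10000000LL;
}

/* Returns 0 on success, -1 if the buffer is too short or HeaderSize/LinkCLSID do not match */
int parse_lnk_header(const uint8_t *buf, size_t len, lnk_header_t *out) {
    if (buf == NULL || out == NULL || len < LNK_HEADER_SIZE) return -1;
    if (rd32(buf) != LNK_HEADER_SIZE) return -1;          /* HeaderSize at offset 0 */
    if (memcmp(buf + 4, LNK_CLSID, sizeof LNK_CLSID) != 0) return -1;
    out->link_flags      = rd32(buf + 20);
    out->file_attributes = rd32(buf + 24);
    out->creation_time   = rd64(buf + 28);
    out->access_time     = rd64(buf + 36);
    out->write_time      = rd64(buf + 44);
    out->file_size       = rd32(buf + 52);
    out->icon_index      = (int32_t)rd32(buf + 56);
    out->show_command    = rd32(buf + 60);
    out->hot_key         = rd16(buf + 64);                /* offsets 66..75 are Reserved1..3 */
    return 0;
}

/* Little-endian writers used only to build the constructed sample below */
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Constructed sample header (not from a real link file). All three timestamps are set to
 * 2009-02-13 23:31:30 UTC (Unix 1234567890). Returns bytes written, 0 if buf is too small. */
size_t build_sample_header(uint8_t *buf, size_t len) {
    const uint64_t ft = (1234567890ULL + 11644473600ULL) * 10000000ULL;
    if (len < LNK_HEADER_SIZE) return 0;
    memset(buf, 0, LNK_HEADER_SIZE);
    wr32(buf, LNK_HEADER_SIZE);
    memcpy(buf + 4, LNK_CLSID, sizeof LNK_CLSID);
    wr32(buf + 20, LNK_HAS_LINK_TARGET_IDLIST | LNK_HAS_LINK_INFO | LNK_HAS_RELATIVE_PATH |
                   LNK_HAS_WORKING_DIR | LNK_IS_UNICODE);           /* 0x9B */
    wr32(buf + 24, 0x20);            /* FILE_ATTRIBUTE_ARCHIVE */
    wr64(buf + 28, ft); wr64(buf + 36, ft); wr64(buf + 44, ft);
    wr32(buf + 52, 0x1234);          /* target FileSize */
    wr32(buf + 60, 1);               /* SW_SHOWNORMAL */
    return LNK_HEADER_SIZE;
}

int main(void) {
    uint8_t buf[LNK_HEADER_SIZE];
    lnk_header_t h;
    build_sample_header(buf, sizeof buf);
    if (parse_lnk_header(buf, sizeof buf, &h) != 0) { puts("not a shell link header"); return 1; }
    printf("LinkFlags 0x%08" PRIx32 "%s%s\n", h.link_flags,
           (h.link_flags & LNK_HAS_LINK_TARGET_IDLIST) ? " HasLinkTargetIDList" : "",
           (h.link_flags & LNK_RUN_AS_USER) ? " RunAsUser" : "");
    printf("CreationTime %" PRId64 " (unix)  FileSize %" PRIu32 "  ShowCommand %" PRIu32 "\n",
           filetime_to_unix(h.creation_time), h.file_size, h.show_command);
    return 0;
}
```

The two rejection paths matter in practice: a short read or a wrong magic must stop parsing before the code reads the variable-length structures whose presence the LinkFlags announce, since those follow the header at offsets that depend on the flags and on sizes stored in the file itself.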
On *nix, clone the repository and build with gcc:

```sh
git clone https://github.com/Paul-Tew/lifer.git && cd lifer
gcc -Wall ./lifer.c ./liblife/liblife.c -o lifer
```
The lifer GitHub project comes complete with a Visual Studio 2017 project solution, so the easiest way to create a Windows executable is to install Visual Studio 2017 first. There is a free version (known as the 'Community' edition) available here. Once Visual Studio is installed:
- Left-click on File->Open->Project/Solution and browse to the lifer.sln file to load the solution into Visual Studio.
- On the Standard Toolbar, set the Solution Configuration options to those that suit your machine and preference (for example, I use: 'x64' and 'Debug')
- Build the solution from the 'Build' menu or simply use the key combination: Ctrl+Shift+B
- Provided there were no errors you should have an executable 'lifer.exe' file in the relevant sub-folder of your project.
- At this point I usually open a PowerShell terminal and navigate to the folder containing the executable, which for me is done by issuing the command:
- I then test the executable using the command: