{"id":15007143,"url":"https://github.com/paul-tew/lifer","last_synced_at":"2025-04-09T15:54:17.681Z","repository":{"id":64012725,"uuid":"86448206","full_name":"Paul-Tew/lifer","owner":"Paul-Tew","description":"Windows link file (shortcuts) examiner","archived":false,"fork":false,"pushed_at":"2024-06-09T15:55:42.000Z","size":677,"stargazers_count":68,"open_issues_count":1,"forks_count":10,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-23T18:11:28.211Z","etag":null,"topics":["forensic-examinations","linux-app","shortcut","windows","windows-app"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Paul-Tew.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-28T10:43:54.000Z","updated_at":"2025-03-06T20:33:22.000Z","dependencies_parsed_at":"2024-10-12T08:40:37.847Z","dependency_job_id":"6dd0573a-e13a-4ee7-9c0d-e2d70e7ff163","html_url":"https://github.com/Paul-Tew/lifer","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Paul-Tew%2Flifer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Paul-Tew%2Flifer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Paul-Tew%2Flifer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Paul-Tew%2Flifer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Paul-Tew","download_url":"https://
codeload.github.com/Paul-Tew/lifer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248064762,"owners_count":21041863,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensic-examinations","linux-app","shortcut","windows","windows-app"],"created_at":"2024-09-24T19:04:35.249Z","updated_at":"2025-04-09T15:54:17.662Z","avatar_url":"https://github.com/Paul-Tew.png","language":"C","funding_links":[],"categories":["\u003ca id=\"ecb63dfb62722feb6d43a9506515b4e3\"\u003e\u003c/a\u003e新添加"],"sub_categories":[],"readme":"# lifer\nA forensic tool for Windows link file examinations (i.e. Windows shortcuts)\n\n## SYNOPSIS\n\n'lifer' is a Windows or *nix command-line tool inspired by the whitepaper 'The Meaning of Link Files in Forensic Examinations' by Harry Parsonage and available [**here**](http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf).\nIt started life as a lightweight tool that I wrote in order to extract certain information from link files to assist in enquiries I was making whilst working as a computer forensic analyst. Now I am retired, but I am looking to expand its usefulness and publish it so that others can benefit.\n\nThe information extracted is in accordance with the Microsoft Open Specification Document 'MS-SHLLNK', which can be found online [**here**](https://msdn.microsoft.com/en-us/library/dd871305.aspx).\nAt the time of writing most parts of specification version 4.0 are implemented. 
\nI do hope to implement the parsing of unopened jump list files in the future.\n\n## EXAMPLE USAGE\nDetails of the files to be found in the Test directory and how to use them are given in the '.\\Test\\Tests.txt' file. What follows is a brief outline...\n\nOnce you have installed the tool, open a command-line shell (e.g. bash or PowerShell) and from the './lifer/src' directory type:\n```\nlifer -s ./Test/Test1.lnk\n```\nThis should give the output:\n```\nLINK FILE -------------- .\\Test\\Test1.lnk\n{**OPERATING SYSTEM (stat) DATA**}\n  Last Accessed:       2017-04-18 20:28:19 (UTC)\n  Last Modified:       2017-04-18 20:28:19 (UTC)\n  Last Changed:        2017-04-18 20:28:19 (UTC)\n\n{**LINK FILE EMBEDDED DATA**}\n  {S_2.1 - ShellLinkHeader}\n    Attributes:          0x00000020   FILE_ATTRIBUTE_ARCHIVE\n    Creation Time:       2008-09-12 20:27:17 (UTC)\n    Access Time:         2008-09-12 20:27:17 (UTC)\n    Write Time:          2008-09-12 20:27:17 (UTC)\n    Target Size:         0 bytes\n  {S_2.3 - LinkInfo}\n    {S_2.3.1 - LinkInfo - VolumeID}\n      Drive Type:        DRIVE_FIXED\n      Drive Serial No:   307A8A81\n      Volume Label:      [EMPTY]\n      Local Base Path:   C:\\test\\a.txt\n  {S_2.4 - StringData}\n    {S_2.4 - StringData - RELATIVE_PATH}\n      Relative Path:     .\\a.txt\n    {S_2.4 - StringData - WORKING_DIR}\n      Working Dir:       C:\\test\n  {S_2.5 - ExtraData}\n    {S_2.5.10 - ExtraData - TrackerDataBlock}\n      MachineID:         chris-xps\n      Droid1:            {94C77840-FA47-46C7-B356-5C2DC6B6D115}\n      Droid2:            {7BCD46EC-7F22-11DD-9499-00137216874A}\n        UUID Sequence:     153\n        UUID Time:         2008-09-10 10:23:17 (UTC)\n        UUID Node (MAC):   00:13:72:16:87:4A\n```\nNOTE: The section above titled '{**OPERATING SYSTEM (stat) DATA**}' will have different dates, as these depend on the dates you installed and accessed that link file on your own system. 
The embedded data, however, will be the same.\n\nA fuller output (including more accurate timestamps) can be obtained by omitting the '-s' option.\n\nThe most detail about a link file can be gleaned by using the '-i' option, which will also print known details about any idlist objects. This option is not compatible with the '-s' option.\n\nAll the link files in a directory (folder) can be parsed by just passing the name of the directory:\n```\nlifer ./src/Test/WinXP\n```\n(for brevity the output has not been shown).\n\nThe most useful output for a number of link files can be created by sending the output as a tab (or comma) separated list to a file that can then be imported into a spreadsheet for analysis at your leisure. This can be achieved like this:\n```\nlifer -o tsv ./src/Test/WinXP \u003e WinXP.tsv\n```\nor\n```\nlifer -so tsv ./src/Test/WinXP \u003e WinXP.tsv\n```\nfor a file that has some of the superfluous and uninteresting data redacted.\n### WARNING ABOUT COMMA SEPARATED OUTPUT!!\nStrings within link files can sometimes contain commas. Because this causes a conflict with the field separator, any commas within strings have been replaced with semi-colons (i.e. ',' replaced with ';'). This is only true for the '-o csv' option and not the default '-o txt' or the '-o tsv' and '-o xml' options.\n\n## INSTALLATION FROM RELEASE\nVisit the [**Releases Page**](https://github.com/Paul-Tew/lifer/releases) and choose the appropriate executable file for your machine from the latest release and download it.\nRename the executable to 'lifer' (or 'lifer.exe' for Windows). 
Ensure it has the correct attributes to run as an executable file and either place it in a folder containing the link files you want to examine or add the location to your PATH variable and you'll be good to go.\n\n## INSTALLATION FROM SOURCE\nThe first thing to do is to ensure you have git installed on your machine/device; in a command-line shell, change to your desired project root directory and issue the command:\n```\ngit clone https://github.com/Paul-Tew/lifer.git\n```\nA new directory named 'lifer' will be created.\n\n#### LINUX INSTALLATION (and other *nix platforms)\n(This may work for Mac installations but I don't have the kind of money needed to test it out for sure...)\nBecause this tool is pretty basic, the dependencies are minimal: ensure you have the 'gcc' compiler and the relevant 'libc' development libraries installed, and that's all.\nStart a command-line terminal and navigate to the **./lifer/src** directory.\nIssue the command:\n```\ngcc -Wall ./lifer.c ./liblife/liblife.c ./libbin2hex/libbin2hex.c -o lifer\n```\nProvided no warnings or errors appeared, you should now have an executable file 'lifer' sitting in the directory; you might want to check this by issuing the command:\n```\nls -la\n```\nIf all is OK then you can test that lifer works by trying it out on the file specified in the Microsoft document, which I included in the git repository you cloned; it should be sitting in the ./Test/ directory. You can do this by issuing the command:\n```\n./lifer ./Test/Test.lnk\n```\nYou can also test that lifer works on a bunch of link files sitting in a directory by issuing the command:\n```\n./lifer ./Test/WinXP/\n```\nInstall the tool onto the OS by issuing the command:\n```\nsudo install ./lifer /usr/bin/\n```\nThis will enable you to use lifer anywhere on your system without specifying the directory prefix (e.g. 
`lifer ./Test/Test.lnk` rather than `./lifer ./Test/Test.lnk`)\n\n#### WINDOWS INSTALLATION\nThe lifer GitHub project comes complete with a Visual Studio 2017 project solution, so the easiest way to create a Windows executable is to install Visual Studio 2017 first. There is a free version (known as the 'community' version) available [here](https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community\u0026rel=15).\nOnce Visual Studio is installed:\n* Left-click on **File-\u003eOpen-\u003eProject/Solution** and browse to the **lifer.sln** file to load the solution into Visual Studio.\n* On the Standard Toolbar, set the Solution Configuration options to those that suit your machine and preference (for example, I use: 'x64' and 'Debug')\n* Build the solution from the 'Build' menu or simply use the key combination: **Ctrl+Shift+B**\n* Provided there were no errors you should have an executable 'lifer.exe' file in the relevant sub-folder of your project.\n* At this point I usually open a PowerShell terminal and navigate to the folder containing the executable, which for me is done by issuing the command:\n```\ncd \"F:\\\\lifer\\src\\x64\\Debug\\\"\n```\n* I then test the executable using the command:\n```\n.\\lifer.exe ..\\..\\Test\\Test1.lnk\n```\n---\nIt is possible to build lifer on Windows without installing Visual Studio, but you will still need to download and install the Visual C++ build tools available [here](http://landinghub.visualstudio.com/visual-cpp-build-tools)\nOnce installed, lifer can be built in the ./src/ directory by issuing the command:\n```\nCL lifer.c .\\liblife\\liblife.c .\\Win\\dirent.c .\\Win\\getopt.c .\\libbin2hex\\libbin2hex.c\n```\n## ACKNOWLEDGEMENTS\n'lifer' was originally a Linux/GNU only tool which was not really portable to Windows until I found solutions to the main stumbling blocks of navigating a directory and parsing the command-line options in the same way that GNU does. 
To this end I am deeply indebted to the following two projects:\n1. [dirent](http://www.two-sdg.demon.co.uk/curbralan/code/dirent/dirent.html)     Kevlin Henney\n2. [getopt](https://www.codeproject.com/articles/157001/full-getopt-port-for-unicode-and-multibyte-microso)     Ludvik Jerabek\n\n## INTERPRETATION OF OUTPUT\nUsers are encouraged to read the [whitepaper](http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf) before assigning any meaning to results. No results should be ascribed to this tool without a FULL understanding of what the output represents; this particularly applies to matters of fact for determination in a court of law. In such cases it is incumbent on the user to understand both of the aforementioned documents fully, as well as having a comprehensive grasp of how Windows and other OSs treat the creation, moving and deletion of such files. A working knowledge of how 'lifer' has interpreted and presented the data is also needed (this requires reading and **understanding** the code).\n\n## INFORMAL DISCLAIMER\nI am only a self-taught programmer so no doubt there are loads of errors and 'gotchas' in the code. To this end, I make absolutely NO promises that this tool won't harm your system. I tried hard not to bust your machine but the road to hell is paved with good intentions...\n## FORMAL DISCLAIMER\nTHIS MATERIAL IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. 
IN NO EVENT WILL I BE LIABLE TO ANY PARTY FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES FOR ANY USE OF THIS MATERIAL INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR OTHER DATA ON YOUR INFORMATION HANDLING SYSTEM OR OTHERWISE, EVEN IF WE ARE EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.\n\nPaul Tew - March 2020\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaul-tew%2Flifer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpaul-tew%2Flifer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaul-tew%2Flifer/lists"}