Toxic Windows shortcuts: an old artifact not forgotten by hackers, but partially forgotten by forensics


In a previous article we discussed the Windows 10 Timeline artifact, the utilities for analysing it and the information it yields during incident investigations. Today we turn to Windows shortcuts. Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, explains which attacks use them and how to detect such files.

LNK files (Windows shortcuts, shortcut files) are service files that Windows usually creates automatically when a user opens a file; the system uses them for quick access to a specific file. Some LNK files are also created manually by users, for example for convenience.

Desktop shortcuts:


Location of LNK files


Traditionally, most LNK files are found in the following locations:

  • for Windows 7 through Windows 10: C:\Users\%User profile%\AppData\Roaming\Microsoft\Windows\Recent
  • for Windows XP: C:\Documents and Settings\%User profile%\Recent

However, there are many other places where an examiner can find LNK files:

  • on the desktop (these shortcuts are usually created by users for quick access to documents and applications);
  • for documents opened in Microsoft Office, LNK files are located at C:\Users\%User profile%\AppData\Roaming\Microsoft\Office\Recent\ (for Windows 7 through Windows 10);
  • sometimes users send shortcuts by e-mail instead of the documents themselves, and the recipients download them, so the third place where shortcuts turn up is the C:\Users\%User profile%\Downloads directory (for Windows 7 through Windows 10);
  • in the Startup directory;
  • etc.

Shortcuts in the Recent directory:


Shortcut content


Before Microsoft published the LNK file format specification [1], researchers attempted to describe the format on their own [2, 3]. The difficulty was that different shortcuts contain different information, and the amount of information a shortcut holds about a particular file can change from one shortcut to the next. In addition, Windows 10 introduced new fields in LNK files that were absent in earlier versions of the operating system.

So, what information does an LNK file contain? Belkasoft Evidence Center displays three sections with information about the LNK file: Metadata, Origin and File.

Metadata section:


The most important information presented in the Metadata section:

  • the target file path and its timestamps (full path, target file access time (UTC), target file creation time (UTC), target file modification time (UTC));
  • drive type;
  • volume serial number (drive serial number);
  • volume label;
  • NetBIOS device name;
  • target file size (bytes), i.e. the size of the file the shortcut points to.

The screenshot above also shows the Droid file and Original Droid file fields. DROID (Digital Record Object Identification) is an individual file profile; this structure (droid file) can be used by the Link Tracking Service to determine whether the file has been copied or moved.

Origin section:


File section:


The File section shows the MAC address of the device on which the shortcut was created. This information can help identify the device on which the file was created.

Note that the MAC address recorded in the LNK file may differ from the device's real one, so this parameter is not always reliable.

During an examination, pay attention to the timestamps of the LNK file itself: its creation time usually corresponds either to the time the user created the shortcut or to the time of first access to the file the shortcut points to, and its modification time usually corresponds to the time of last access to that file.

LNK file recovery


The Recent directory described above holds up to 149 LNK files. What if the shortcut we need has been deleted? Then, of course, we try to recover it. LNK files can be recovered by carving on the file header signature hex: 4C 00 00 00.

To add the file signature (header) in Belkasoft Evidence Center, open Tools - Settings, go to the Carving tab, click Add and create a new signature. You can read more about carving methods in Belkasoft Evidence Center in the article "Carving and its Implementations in Digital Forensics" [4].

Adding a custom signature (header):


The use of LNK files by attackers in information security incidents


Every Windows computer can contain hundreds or thousands of shortcuts, so finding the one attackers used to compromise the machine is often like looking for a needle in a haystack.

Compromise of the attacked system


Over 90% of malware is spread via email. As a rule, malicious emails contain either a link to a network resource or a specially crafted document that, when opened, downloads malware to the user's computer. LNK files are also frequently used in such attacks.

Metadata section of a malicious LNK file:


As a rule, such an LNK file contains PowerShell code that runs when the user opens the shortcut sent to them. As the screenshot above shows, such shortcuts are easy to detect with Belkasoft Evidence Center: the metadata contains the path to the executable powershell.exe, and the Arguments field shows the PowerShell command-line arguments and the encoded payload.
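As an added example (not code from the article or from any of the tools it mentions), the following Python script reads the ShellLinkHeader and StringData fields discussed above, carves shortcuts out of raw data by the 4C 00 00 00 header signature from the recovery section, and applies the triage rule from this section (target is powershell.exe with encoded or hidden arguments). The LinkCLSID and LinkFlags constants are taken from the MS-SHLLINK specification rather than the article, and the sample shortcut is constructed, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone
LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize 0x4C, the 4C 00 00 00 carving signature from the article
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # LinkCLSID {00021401-...-000000000046}, MS-SHLLINK
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags bits
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRINGS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
           ("arguments", HAS_ARGS), ("icon", HAS_ICON))  # StringData order in the file

def filetime(ft):  # Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Read ShellLinkHeader and StringData; LinkTargetIDList/LinkInfo are skipped via their size fields."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    rec = {"created": filetime(ctime), "accessed": filetime(atime), "modified": filetime(wtime), "target_size": size}
    off = 76  # end of the fixed-size header
    if flags & HAS_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize + list
    if flags & HAS_LINKINFO:
        off += struct.unpack_from("<I", data, off)[0]  # LinkInfoSize includes itself
    for key, bit in STRINGS:
        if flags & bit:
            n, width = struct.unpack_from("<H", data, off)[0], 2 if flags & IS_UNICODE else 1
            rec[key] = data[off + 2:off + 2 + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + n * width
    return rec

def is_suspicious(rec):
    """Triage rule from the article: target is powershell.exe and the arguments carry an encoded/hidden command."""
    target = (rec.get("relative_path", "") + " " + rec.get("working_dir", "")).lower()
    args = rec.get("arguments", "").lower()
    return "powershell" in target and any(k in args for k in ("-enc", "-e ", "hidden", "bypass"))

def carve_lnk(buf):
    """Offsets of LNK headers in raw data; requiring HeaderSize + CLSID avoids false hits of 4C 00 00 00 alone."""
    sig, hits, pos = LNK_MAGIC + LNK_CLSID, [], 0
    while (pos := buf.find(sig, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits

def build_lnk(rel_path, args, flags=HAS_RELPATH | HAS_ARGS | IS_UNICODE):
    """Constructed minimal shortcut for the demo (no IDList/LinkInfo, constructed FILETIME of 2019-04 UTC)."""
    hdr = LNK_MAGIC + LNK_CLSID + struct.pack("<IIQQQIIIHHII", flags, 0x20, *[132000000000000000] * 3, 1234, 0, 1, 0, 0, 0, 0)
    s = lambda x: struct.pack("<H", len(x)) + x.encode("utf-16-le")
    return hdr + s(rel_path) + s(args)

SAMPLE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-NoP -W Hidden -enc QQBCAEMA")  # constructed
```

Feeding a real Recent or Downloads folder through parse_lnk and is_suspicious gives a first-pass shortlist; anything flagged still needs the arguments decoded and reviewed by hand, as the article says.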

Persistence in a compromised system


Another way LNK files are used in attacks is to establish persistence on a compromised system. To have the malware launch every time the operating system starts, the attacker creates an LNK file pointing to the malicious executable (or, for example, to a file containing loader code) and places the shortcut in C:\Users\%User profile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The malware then starts together with the operating system. Such shortcuts can be found in the File System tab of Belkasoft Evidence Center.

Shortcut PhonerLite.lnk in the Startup folder:


Exploring LNK Files


LNK files are a forensic artifact that examiners have analysed since the early versions of the Windows operating system, so their analysis is supported in one way or another by almost every forensic analysis program. However, as Windows evolved, shortcut files evolved too: they now contain fields that were previously considered not worth displaying, and some forensic programs accordingly do not show them. Yet the contents of exactly these fields matter when investigating information security incidents and hacker attacks.

To examine LNK files we recommend Belkasoft Evidence Center, AXIOM (Magnet Forensics) and LECmd (Eric Zimmerman's tools). These programs quickly analyse all shortcut files on the computer under examination and let you isolate those that need a closer look.

Exploring LNK Files with Belkasoft Evidence Center


Since practically all the examples above were prepared with Belkasoft Evidence Center, there is no need to describe it further.

Exploring LNK Files with AXIOM


AXIOM is currently one of the leading computer forensics tools. The information it collects about shortcut files in the Windows system under examination is grouped in the Operating system section:


Field values displayed for a specific shortcut:


As the screenshot above shows, the shortcut detected by the program embeds a command to launch PowerShell and a set of instructions that will execute when the user clicks the shortcut. Such a shortcut requires further analysis by the examiner.

Exploring LNK Files with LECmd


Eric Zimmerman's tools utility suite has proven itself in incident investigations. It includes the LECmd command-line utility, which is designed for parsing LNK files.

The amount of data this utility displays about an analysed LNK file is simply amazing.

Information extracted from the analyzed LNK file by the LECmd utility:




Findings


LNK files are one of the oldest Windows artifacts known to computer forensics. They are nonetheless used in hacker attacks, and their examination should not be neglected when investigating information security incidents.

A great many computer forensics programs support the analysis of this Windows artifact to one degree or another. However, not all of them display the shortcut fields whose contents matter during an investigation. Choose carefully, therefore, which software tools make up the toolkit of an incident investigator.

PS Go to Group-IB's action-packed Telegram channel (https://t.me/Group_IB/) about information security, hackers and cyberattacks, Internet pirates, hacking star accounts and leaks. As well as exclusive photos and videos with the detention of cybercriminals, investigating sensational crimes step by step, practical cases using Group-IB technologies and, of course, recommendations on how to avoid becoming a victim on the Internet.

