Protected: Windows Artifacts

Course Overview

Module 10 – Course Overview

In this course we have learned about:
  • Shortcut (link) files
    • <filename.ext.lnk> or <filename.lnk>
  • Jump Lists
    • AutomaticDestinations
      • <AppID.automaticDestinations-ms>
    • CustomDestinations
      • <AppID.customDestinations-ms>
    Location (shortcut files and Jump Lists):

    C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
    Jump Lists are not visible in the GUI, but from the command prompt we can discover the AutomaticDestinations and CustomDestinations folders.
    Automatic Destinations
    • contains embedded LNK file
    • appears when a user right-clicks an app’s taskbar icon
    Custom Destinations
    • created when a user pins an app/item to the taskbar or Start Menu
    • possible to carve link file data from the file
    • contains embedded LNK file
    Tools we used:
    • cmd/PowerShell
    • Exiftool
    • WFA
    • Eric Zimmerman’s tools:
      • LECmd.exe
      • JLECmd.exe
      • JLECmdExplorer.exe
    Data we can uncover:
    • Original (Target) file name
    • Original location
    • File size (KB)
    • Accessed and Last Opened time
    • MAC address associated with target file
    • Type of storage
    • Machine name/vendor
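
The carving mentioned under Custom Destinations, as an added example that is not part of the course material or of the tools listed: a small Python carver that locates embedded LNK headers by the Shell Link header signature (MS-SHLLINK) and decodes the target timestamps and file size. The function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# A ShellLinkHeader starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_SIG = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HEADER_LEN = 0x4C

def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    if ft == 0:
        return None  # zero means the timestamp is not set
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def carve_lnk_headers(blob):
    """Return one dict per complete embedded LNK header found in blob."""
    hits, pos = [], blob.find(LNK_SIG)
    while pos != -1:
        header = blob[pos:pos + HEADER_LEN]
        if len(header) == HEADER_LEN:  # skip a header truncated at end of file
            flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", header, 20)
            hits.append({
                "offset": pos,
                "link_flags": flags,
                "target_created": filetime_to_utc(ctime),
                "target_accessed": filetime_to_utc(atime),
                "target_modified": filetime_to_utc(wtime),
                "target_size": size,
            })
        pos = blob.find(LNK_SIG, pos + 1)
    return hits

def build_sample_header(ft, size):
    """Constructed 76-byte header: flags, attributes, 3 timestamps, size, zero padding."""
    return LNK_SIG + struct.pack("<IIQQQI", 0x1, 0x20, ft, ft, ft, size) + bytes(20)

# Constructed input: two embedded headers plus a truncated one at the end.
FT_2021 = 132539328000000000  # 2021-01-01 00:00:00 UTC as FILETIME
SAMPLE = (bytes(16) + build_sample_header(FT_2021, 2048) + b"\xab\xfb\xbf\xba"
          + build_sample_header(FT_2021, 512) + LNK_SIG + bytes(4))

if __name__ == "__main__":
    # For a real file: carve_lnk_headers(open(path, "rb").read())
    for hit in carve_lnk_headers(SAMPLE):
        print(hit)
```

Only the fixed 76-byte header is decoded here; the target path and machine name sit in later structures of each LNK, which LECmd and JLECmd parse in full.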