Metadata and link file analysis
Objectives
Learn the difference between file system metadata and embedded metadata
Understand what data link files store and how to extract it
Learn how to use link file metadata to determine if files were executed and where they were stored
Exporting Link files
After importing a file system image into FTK Imager, navigate to the Documents and Settings folder to view all users and user files. In a user's Recent directory there are multiple .lnk files; these are Windows shortcut (shell link) files, each of which references a target file.
To analyse file creation and modification dates, view the file Properties tab. For further examination, export the files by highlighting them, right-clicking, and then choosing export.
Analysing
For further analysis we will be using DART.
In DART.exe navigate to Windows Forensics -> LINK file previewer.
From here, import the files exported from FTK Imager.
Metadata Extraction
For files whose metadata you want to view, the tool MetaExtractor can be used. Import files such as .pdf or .txt, then view important information such as the dates modified, accessed and created.