LinkAlyzer
LinkAlyzer is a forensic tool that decodes and displays the content of multiple link files (Windows shortcuts) at the same time.
LinkAlyzer loads multiple (tested on 40,000+) link files into a grid and displays:
• Internal dates (when the file pointed to by the link file was created, modified and accessed)
• Path
• Relative path
• Share name
• Volume name and serial number
• Decodes and displays ObjIDs if present, including dates, volume IDs and MAC addresses
• Working Dir and Command line

LinkAlyzer allows you to:
• Sort and filter by column (e.g. group all files that reside on CDROM, or all files from a particular MAC address)
• Carve link files from a disk, volume, file or EnCase image
• Export to HTML/CSV/XML/XLS
• Tag files and Create a HTML report
Use LinkAlyzer to determine:
• which link files point to a specific bit of media
• which folders have been shared
• the serial numbers of disks that have been attached to the computer
• dates and times when a computer was booted
• that a file has been moved from a different computer (and determine its MAC address)
• that a file has been moved between volumes on the same computer
ObjIDs are unique numbers created to help Microsoft track files. Their relevance to the forensic practitioner is that, to try to guarantee uniqueness, they (usually) combine the MAC address of the network card with the date and time (and some other bits of data) to form the ObjID. In some circumstances they can hold the MAC address of both the current card AND the original (birth) machine that the file was created on. LinkAlyzer displays and decodes these items.
LinkAlyzer can also show the VolumeID stored in a link file, which can show that a file has been moved from one volume to another.
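The ObjID and VolumeID decoding described above, as an added Python example (not LinkAlyzer's own code). It assumes the 96-byte TrackerDataBlock layout from Microsoft's published shell link format, and the sample block, machine name and MAC addresses are constructed for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # version 1 GUID time base
TRACKER_SIG = 0xA0000003  # signature of the tracker block in a link file's extra data


def decode_objid(raw16):
    """Decode one 16-byte ObjID (little-endian GUID) into its timestamp and MAC."""
    u = uuid.UUID(bytes_le=bytes(raw16))
    if u.version != 1:  # only version 1 GUIDs embed a time and a network node
        return {"guid": str(u), "time": None, "mac": None}
    when = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)  # 100 ns ticks
    mac = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
    return {"guid": str(u), "time": when, "mac": mac}


def parse_tracker_block(block):
    """Parse a tracker block: machine name plus current and birth volume/object IDs."""
    if len(block) < 0x60 or struct.unpack_from("<II", block) != (0x60, TRACKER_SIG):
        raise ValueError("not a TrackerDataBlock")
    vol, obj, bvol, bobj = (block[o:o + 16] for o in (32, 48, 64, 80))
    cur, birth = decode_objid(obj), decode_objid(bobj)
    return {
        "machine": block[16:32].split(b"\0")[0].decode("ascii", "replace"),
        "volume_id": str(uuid.UUID(bytes_le=vol)),
        "birth_volume_id": str(uuid.UUID(bytes_le=bvol)),
        "object": cur,
        "birth_object": birth,
        "moved_volume": vol != bvol,                 # VolumeID changed since birth
        "moved_machine": cur["mac"] != birth["mac"],  # MAC changed since birth
    }


def build_sample():
    """Constructed sample block (made-up MACs and volume IDs, not real evidence)."""
    def v1(ticks, mac):
        return uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                                 ((ticks >> 48) & 0x0FFF) | 0x1000, 0x80, 0x01, mac)).bytes_le
    ticks = 134815968000000000  # 2010-01-01 00:00:00 UTC in 100 ns units
    droid = uuid.UUID(int=1).bytes_le + v1(ticks + 36_000_000_000, 0x020000AAAA01)
    birth = uuid.UUID(int=2).bytes_le + v1(ticks, 0x020000BBBB02)
    head = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
    return head + b"WORKSTATION1".ljust(16, b"\0") + droid + birth

if __name__ == "__main__":
    for key, value in parse_tracker_block(build_sample()).items():
        print(f"{key}: {value}")
```

An ObjID that is not a version 1 GUID carries no MAC or timestamp, so `decode_objid` returns `None` for both rather than misreading random bytes.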
LinkAlyzer can be purchased by selecting the purchase software link from the site menu and a demonstration version can be downloaded by clicking here.