Tuesday, 7 November 2017

IRIS-H (alpha): Added support for Shell Link (.LNK) files

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API & UI
Short Description: A Shell Link (.LNK) file format parser has been added to the API component. Cosmetic changes were made to the UI to align the new data view with the existing format.
Outstanding Tasks: Implement support for missing Extra Data Blocks

Detailed Summary

A new binary data parser has been added to the IRIS-H service. It processes Shell Link (.LNK) files and extracts digital artifacts from them. The service now accepts LNK files through the Submission page and can also automatically detect them when they are embedded in submitted documents. In either case, the report page will display the extracted binary data enriched with a human-readable description. The enrichment process references the official Microsoft specification for the [MS-SHLLINK] Binary File Format.

The parser fully supports the following LNK file structures:

  • ShellLinkHeader
  • LinkTargetIDList
  • LinkInfo
  • StringData

The ExtraData structure is partially supported at this time. Only the following Data Blocks will be processed:

  • EnvironmentVariableDataBlock
  • KnownFolderDataBlock
  • SpecialFolderDataBlock
  • TrackerDataBlock
  • PropertyStoreDataBlock

Once all binary data is extracted, it is subjected to a rule-based evaluation, which concludes whether the submitted or embedded LNK file can be harmful. IRIS-H will also attempt to reconstruct the command line, including arguments if any. Below is an example of rule-based evaluation results.

LNK file rule-based evaluation results

A few new sections have been added to the "Informational Findings" panel. The sections display information relevant to the LNK file target: file path, working directory, relative path, command-line arguments, etc. One particular section, "Link Target Tracking", contains the evaluation results of the data stored in the following Data Blocks:

  • Droid Volume Identifier
  • Droid File Identifier
  • Birth Droid Volume Identifier
  • Birth Droid File Identifier

Based on this data, IRIS-H will try to identify whether the link target file was moved between volumes on the original computer or moved to another machine. For more information see page 10 of this PDF. Below is an example of the "Informational Findings" view.

LNK file Informational Findings example

The "Detailed Components Breakdown" section of the report contains all the data IRIS-H could extract from an LNK file. I was personally surprised to find out how much those little files actually contain. For example, TrackerDataBlock holds the Link Target originator machine's NetBIOS name and MAC address. See below for an example.

Data derived from TrackerDataBlock
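
The TrackerDataBlock layout in [MS-SHLLINK] is small enough to parse directly. The following is an added example, not IRIS-H code, that extracts the "Link Target Tracking" identifiers together with the NetBIOS name and MAC address mentioned above. The movement rules in `evaluate_tracking` are a simplified assumption, and the sample block and all of its values are constructed.

```python
import struct
import uuid

TRACKER_SIGNATURE = 0xA0000003  # TrackerDataBlock BlockSignature per [MS-SHLLINK]
FIELDS = ("droid_volume", "droid_file", "birth_volume", "birth_file")

def parse_tracker_block(block: bytes) -> dict:
    """Parse one 0x60-byte TrackerDataBlock from a .LNK ExtraData section."""
    if len(block) < 0x60:
        raise ValueError("TrackerDataBlock is truncated")
    size, signature, length, _version = struct.unpack_from("<4I", block, 0)
    if (size, signature, length) != (0x60, TRACKER_SIGNATURE, 0x58):
        raise ValueError("not a well-formed TrackerDataBlock")
    # MachineID: 16-byte, NUL-padded NetBIOS name of the originating machine.
    result = {"machine_id": block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")}
    # Droid and DroidBirth: four consecutive GUIDs in little-endian GUID layout.
    for i, name in enumerate(FIELDS):
        result[name] = uuid.UUID(bytes_le=block[32 + 16 * i:48 + 16 * i])
    return result

def mac_of(file_id: uuid.UUID):
    """MAC address from the node field of a version 1 identifier, else None."""
    if file_id.version != 1:
        return None
    return ":".join(f"{b:02x}" for b in file_id.node.to_bytes(6, "big"))

def evaluate_tracking(t: dict) -> str:
    """Simplified heuristic (an assumption, not the IRIS-H rule set)."""
    if mac_of(t["droid_file"]) != mac_of(t["birth_file"]):
        return "moved to another machine"
    if t["droid_volume"] != t["birth_volume"]:
        return "moved between volumes"
    return "not moved"

def build_sample(machine: str, *guids: uuid.UUID) -> bytes:
    """Build a constructed block for the demo (not taken from a real LNK)."""
    header = struct.pack("<4I", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    name = machine.encode("ascii").ljust(16, b"\x00")
    return header + name + b"".join(g.bytes_le for g in guids)

# Constructed values: made-up volume GUIDs, locally administered MACs.
VOL_A = uuid.UUID("11111111-2222-4333-8444-555555555555")
VOL_B = uuid.UUID("66666666-7777-4888-8999-aaaaaaaaaaaa")
FILE_A = uuid.UUID("12345678-1234-11e7-8001-020000000001")
FILE_B = uuid.UUID("9abcdef0-5678-11e7-8002-0200000000ff")

if __name__ == "__main__":
    sample = parse_tracker_block(build_sample("WORKSTATION01", VOL_B, FILE_B, VOL_A, FILE_A))
    print(sample["machine_id"], mac_of(sample["birth_file"]), evaluate_tracking(sample))
```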

The ShellLinkHeader section contains time stamps associated with the Link Target, as well as its file attributes, the type of media it resides on (hard disk, USB, network, etc.), the media serial number and even the command line window state. See below for an example.

Data derived from ShellLinkHeader

In addition, IRIS-H will attempt to resolve the "Known Folder" GUID and "Special Folder" ID and display their corresponding descriptions. See an example below.

Enriched data derived from KnownFolderDataBlock and SpecialFolderDataBlock

Examples of full reports can be found at the links below:

https://iris-h.malwageddon.com/report/738e74f744e554d6ac89899357eca506 - embedded LNK file found in a Microsoft Office document.



