Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lnk metadata extraction #2308

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Lnk metadata extraction #2308

wants to merge 5 commits into from

Conversation

patrickdalla
Copy link
Collaborator

Extracts some info from LNK to save as metadata. They are useful to order and groups LNK files.

Also, some info is used to make the reference to the original file, if found. The suggested code uses the following rule:

  1. Use mft idx info to search in metaAddress metadata. If found, compares creationDate info between link file entry and found item to confirm the match.
  2. If first search fails, use the path info to find a potential match and confirm also with creationDate info.

It is not implemented (yet) but maybe some timestamp info can be extracted if considered relevant. I am not sure if the timestamps in LNK files are correspondent to the item when it was last opened using the LNK or when the LNK was created the first time.

@patrickdalla
'#2307 Puts LNKShortcutParser in second queue as it must find the
56fec05 
referenced item to make the reference.
@patrickdalla
'#2307 Creates propery to represent and save mft idx, so it can be used
b5df46e 
to search for items in the case later.
@patrickdalla
'#2307 Adds some info as Metadata to each LNK file parsed, and makes the
3efcc5f 
reference to any correspondent found item in case. The search is first
based on metaAddress (mft idx) and latter, if not successfull, on
relative path, after removing any volume letter info. The creationDate
info is compared to confirm the match.
@patrickdalla
'#2308 Initial code to extract origin timestamps also.
6d7439b
@patrickdalla
'#2308 Extracts source timestamps registered inside LNK as metadata
156b893 
info.
@patrickdalla patrickdalla marked this pull request as ready for review August 27, 2024 12:35
@patrickdalla
Copy link
Collaborator Author

I decided to extract source MAC timestamps info registered inside LNK only if they differ from source, or if the source could not be found in the case.

It is ready for review @lfcnassif

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@patrickdalla