'lifer' is a Windows or *nix command-line tool inspired by the whitepaper 'The Meaning of Link Files in Forensic Examinations' by Harry Parsonage (available at http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf). It started life as a lightweight tool that I wrote in order to extract certain information from link files to assist in enquiries I was making whilst working as a computer forensic analyst. Now I am retired but I am looking to expand its usefulness and publish it so that others can benefit.
The information extracted is in accordance with the Microsoft Open Specification Document 'MS-SHLLNK' (which can be found online at https://msdn.microsoft.com/en-us/library/dd871305.aspx). At the time of writing most parts of specification version 3.0 are implemented. Over time, however, I hope to bring the tool into line with the full current specification and also include other goodies such as:
- Relevant output from IDList containers (which need reverse engineering - see 'IDLIST.txt')
- Recognition and parsing of link file data within jump list (OLE) containers.
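
To illustrate the kind of data MS-SHLLNK defines, the following added example (not lifer's own code) decodes the fixed 76-byte ShellLinkHeader at the start of a link file, including the three FILETIME timestamps. The function names and the sample header are constructed for this illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk GUID byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sII3QIiIH2x8x"  # 76-byte ShellLinkHeader, little-endian
# Only the first eight LinkFlags bits are named here
FLAG_NAMES = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_shell_link_header(data):
    """Validate and decode the fixed header at the start of a .lnk file."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short to hold a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, show, _hotkey) = struct.unpack_from(HEADER_FMT, data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("bad HeaderSize or LinkCLSID: not a shell link")
    return {
        "flags": [n for bit, n in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        "file_attributes": attrs,
        "created": filetime_to_utc(ctime),
        "accessed": filetime_to_utc(atime),
        "written": filetime_to_utc(wtime),
        "file_size": fsize,
        "show_command": show,
    }

# Constructed sample header (not taken from a real link file):
# flags 0x83, FILE_ATTRIBUTE_ARCHIVE, created/accessed 2015-01-01, write time unset
SAMPLE_FT = 130645440000000000
SAMPLE = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, 0x83, 0x20,
                     SAMPLE_FT, SAMPLE_FT, 0, 1024, 0, 1, 0)

if __name__ == "__main__":
    for key, value in parse_shell_link_header(SAMPLE).items():
        print(f"{key:16} {value}")
```

The timestamps in this header describe the link's target at the time the link was last updated, so they should be read alongside the link file's own file system timestamps.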