Windows Incident Response
Having an understanding of file formats is an important factor in DFIR work. In particular, analysts should understand what a proper file using a particular format should look like, so that they can see when something is amiss, or when the file itself has been manipulated in some manner.
Understanding file formats goes well beyond understanding PE file formats and malware RE. Very often, various Microsoft file formats include data, or metadata (defined as “data about data”) that can be mined/parsed, and then leveraged to tremendous effect, furthering overall analysis and intelligence development, often across multiple cases and campaigns.
LNK
Windows shortcut, or LNK files, have been covered extensively in this blog, as well as other blogs, in addition to having been well documented by MS. Suffice to say, LNK files can be leveraged by both good guys and bad guys, and if bad guys leverage them, so should the good guys…after all, the bad guys sending you an LNK file created in their environment is essentially just “free money”, particularly if you’re in CTI.
For example, the GOLDBACKDOOR report shows us a threat actor that sends an LNK file to their target, in a zip archive. So, the threat actor develops the LNK file in their environment, and sends that LNK file with all of it’s metadata to the target. Now, as a DFIR analyst, you may have a copy of a file created within the threat actor’s environment, one that contains information about their system(s). Why not take advantage of that metadata to develop a more meaningful threat intel picture?
Analysis of LNK files is similar to being an EOD tech (I would imagine)…you’re looking at the construction of a “device”, noting production mechanisms (based on tooling) as well as unique items that allow you to tie or “attribute” the LNK file in some manner. You can then leverage sites such as VirusTotal (via a retro-hunt) and populate your own MISP instance to build out a larger, more contextual threat intelligence picture. For example, consider the LNK file delivered as part of the File Formats