Monday, December 16, 2013

Daily Blog #176: Sunday Funday 12/15/13 Winner!

Hello Reader,

The challenge has once again been defeated! This week I had a tough time picking a winner, as we had several good submissions. To pick one I went back to the rules and judged which answer was the most complete in scope, not necessarily in depth. Several longer submissions went into great detail on one method by which these LNKs to websites get created, but only one submitter provided four examples. Congratulations go out to Ryan Tracey; you can congratulate him yourself if you go to the SANS DFIR Summit, where he is now!

The Challenge:
You are analyzing a Windows 8.1 system and run across a lnk file in the suspect's Recent directory. The lnk file points to a website, but the suspect has denied accessing it. Analyze the lnk files and explain how a lnk file to a website can be created in a user's Recent folder in Windows 8.1.

Download the LNKs here:
https://drive.google.com/file/d/0B_mjsPB8uKOAU2cwZUM4aEpQV2c/edit?usp=sharing

The Winning Answer:
Ryan Tracey

I have very little experience with Windows 8, so I'm basing this answer off a test I ran in a Windows 8.1 VM. During my testing, I came across several scenarios where a lnk file to a website was generated.

1. Access the website through the Run Dialog.

2. Access the website through the Windows search charm.

3. Accessing the website from a lnk file (e.g. shortcut to http://192.168.1.1 from router configuration CD).

4. Accessing the website from a link in an application (e.g. Skype or Facebook).

After reviewing the list of targets from the files you provided, I think it's likely that there are additional scenarios in which a lnk file to a website will be created in a user's recent folder.
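As an added example, not part of the challenge files or Ryan's answer: a small Python triage parser for .lnk files of the kind found in a Recent folder. It validates the ShellLinkHeader, converts the three FILETIME stamps, and scans the LinkTargetIDList for URL strings so that links pointing at websites can be flagged with their timestamps. The IDList scan is a string heuristic rather than a full shell-item parser, and the sample link bytes (including the 192.168.1.1 target and the 2013-12-15 timestamp) are constructed here, not taken from the challenge download.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit: a LinkTargetIDList follows the header
URL_RE = re.compile(r'(?:https?|ftp)://[^\s\x00"<>]+', re.IGNORECASE)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Read the ShellLinkHeader and, if present, the LinkTargetIDList of one .lnk file.
    Returns the header timestamps plus any URLs found in the IDList (the web-target signal)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags, _attrs, ctime, atime, wtime = struct.unpack_from("<IIQQQ", data, 20)
    info = {"created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
            "modified": filetime_to_datetime(wtime), "urls": []}
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, 0x4C)
        idlist, pos = data[0x4E:0x4E + idlist_size], 0
        # Walk the ItemID chain (2-byte size prefix per item, 0x0000 terminator) and scan each
        # payload for ASCII and UTF-16LE URLs: a string heuristic, not a full shell-item parser.
        while pos + 2 <= len(idlist):
            (item_size,) = struct.unpack_from("<H", idlist, pos)
            if item_size < 2:
                break
            item = idlist[pos + 2:pos + item_size]
            for text in (item.decode("latin-1"), item.decode("utf-16-le", "ignore")):
                info["urls"].extend(URL_RE.findall(text))
            pos += item_size
    return info

def build_sample_lnk(url, when):
    """Constructed test data: a minimal .lnk whose IDList holds one item carrying a URL."""
    ft = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    payload = b"\x00\x00" + url.encode("utf-16-le") + b"\x00\x00"  # placeholder type bytes + string
    idlist = struct.pack("<H", len(payload) + 2) + payload + b"\x00\x00"  # one item, then TerminalID
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, HAS_LINK_TARGET_ID_LIST,
                         0, ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(idlist)) + idlist

# Constructed sample, not one of the challenge files: a link to the router address from scenario 3.
SAMPLE_LNK = build_sample_lnk("http://192.168.1.1/", datetime(2013, 12, 15, 12, 0, tzinfo=timezone.utc))
```

Run `parse_lnk(open(path, "rb").read())` over each file in a Recent folder; entries with a non-empty `urls` list are the web-target links to examine against the scenarios above.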