lnk-forensic 0.3.0

Forensic anomaly auditor for Windows Shell Link (.lnk) files — removable-media targets (volume serial join key to peripheral-forensic), network-share targets, and TrackerDataBlock machine attribution as graded report::Finding, built on lnk-core
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367

//! `lnk-forensic` — graded anomaly auditor over Windows Shell Link (`.lnk`) files.
//!
//! Consumes a [`lnk_core::ShellLink`] and emits
//! [`forensicnomicon::report::Finding`]s. Every anomaly is an **observation**
//! ("consistent with …"); the examiner draws the conclusions. MITRE techniques
//! are narrated as consistency, never as a verdict.

#![forbid(unsafe_code)]

use forensicnomicon::jumplist::appid_name;
use forensicnomicon::report::{Category, Finding, Observation, Severity, Source};
use lnk_core::{drive_type, JumpList, ShellLink};

/// A graded Shell Link anomaly.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum LnkAnomaly {
    /// The link's `VolumeID` describes a removable/external volume — the target
    /// file was opened from external media. MITRE T1052.001 / T1091.
    ///
    /// `drive_serial` is the **join key** to a peripheral `DeviceConnection`:
    /// the same volume serial recorded against a USB mass-storage connection ties
    /// this opened file to that physical device.
    RemovableMediaTarget {
        /// The `VolumeID.DriveType` value.
        drive_type: u32,
        /// The `VolumeID.DriveSerialNumber` — the join key to peripheral-forensic.
        drive_serial: u32,
        /// The local base path on the removable volume, when known.
        path: Option<String>,
    },
    /// The link carries a `CommonNetworkRelativeLink` — the target was opened
    /// from a network share. MITRE T1021.
    NetworkTarget {
        /// The UNC / network share name, when known.
        net_name: Option<String>,
    },
    /// The `TrackerDataBlock` records the origin machine's NetBIOS name —
    /// attribution evidence tying the link to the machine it was authored on.
    TrackerMachine {
        /// The recorded origin machine NetBIOS name.
        machine_id: String,
    },
}

impl LnkAnomaly {
    /// The stable, published anomaly code (scheme-prefixed SCREAMING-KEBAB).
    #[must_use]
    pub fn code(&self) -> &'static str {
        match self {
            Self::RemovableMediaTarget { .. } => "LNK-REMOVABLE-MEDIA-TARGET",
            Self::NetworkTarget { .. } => "LNK-NETWORK-TARGET",
            Self::TrackerMachine { .. } => "LNK-TRACKER-MACHINE",
        }
    }
}

impl Observation for LnkAnomaly {
    fn severity(&self) -> Option<Severity> {
        Some(match self {
            Self::RemovableMediaTarget { .. } => Severity::Medium,
            Self::NetworkTarget { .. } => Severity::Low,
            Self::TrackerMachine { .. } => Severity::Info,
        })
    }

    fn code(&self) -> &'static str {
        LnkAnomaly::code(self)
    }

    fn category(&self) -> Category {
        match self {
            Self::RemovableMediaTarget { .. } | Self::NetworkTarget { .. } => Category::Threat,
            Self::TrackerMachine { .. } => Category::Provenance,
        }
    }

    fn mitre(&self) -> &'static [&'static str] {
        match self {
            Self::RemovableMediaTarget { .. } => &["T1052.001", "T1091"],
            Self::NetworkTarget { .. } => &["T1021"],
            Self::TrackerMachine { .. } => &[],
        }
    }

    fn note(&self) -> String {
        match self {
            Self::RemovableMediaTarget {
                drive_type,
                drive_serial,
                path,
            } => format!(
                "the link target resolves to a removable/external volume \
                 (drive_type {drive_type}, drive serial {drive_serial:#010X}{}); consistent with a \
                 file opened from external media (MITRE T1052.001 / T1091). The volume serial is \
                 the join key to a peripheral device connection",
                path.as_deref()
                    .map_or_else(String::new, |p| format!(", path {p:?}"))
            ),
            Self::NetworkTarget { net_name } => format!(
                "the link carries a network relative link{}; consistent with a file opened from a \
                 network share (MITRE T1021)",
                net_name
                    .as_deref()
                    .map_or_else(String::new, |n| format!(" to {n}"))
            ),
            Self::TrackerMachine { machine_id } => format!(
                "the tracker block records the origin machine {machine_id:?}; consistent with the \
                 link having been authored on that machine (attribution)"
            ),
        }
    }
}

/// Audit a [`ShellLink`] into a typed [`LnkAnomaly`] stream.
#[must_use]
pub fn audit(link: &ShellLink) -> Vec<LnkAnomaly> {
    let mut out = Vec::new();

    if let Some(info) = &link.link_info {
        if let Some(vol) = &info.volume_id {
            if is_removable_volume(vol.drive_type, vol.drive_serial_number) {
                out.push(LnkAnomaly::RemovableMediaTarget {
                    drive_type: vol.drive_type,
                    drive_serial: vol.drive_serial_number,
                    path: info.local_base_path.clone(),
                });
            }
        }
        if let Some(cnrl) = &info.common_network_relative_link {
            out.push(LnkAnomaly::NetworkTarget {
                net_name: cnrl.net_name.clone(),
            });
        }
    }

    if let Some(tracker) = &link.tracker {
        if !tracker.machine_id.is_empty() {
            out.push(LnkAnomaly::TrackerMachine {
                machine_id: tracker.machine_id.clone(),
            });
        }
    }

    out
}

/// Whether a `VolumeID` describes external/removable media.
///
/// A `DRIVE_REMOVABLE` drive type is the explicit signal; some links record a
/// `DRIVE_FIXED`/unknown type for a removable volume but still carry a non-zero
/// drive serial, which by itself does not prove removability — so the removable
/// finding fires only on the explicit `DRIVE_REMOVABLE` type. The serial is
/// always surfaced as the cross-artifact join key regardless of type.
fn is_removable_volume(drive_type: u32, _drive_serial: u32) -> bool {
    drive_type == drive_type::REMOVABLE
}

/// Audit and convert directly to graded [`Finding`]s.
#[must_use]
pub fn audit_findings(link: &ShellLink, scope: impl Into<String>) -> Vec<Finding> {
    let src = source(scope);
    audit(link)
        .iter()
        .map(|a| a.to_finding(src.clone()))
        .collect()
}

/// The [`Source`] stamp for findings this analyzer emits.
#[must_use]
pub fn source(scope: impl Into<String>) -> Source {
    Source {
        analyzer: "lnk-forensic".to_string(),
        scope: scope.into(),
        version: Some(env!("CARGO_PKG_VERSION").to_string()),
    }
}

// ── Jump List anomalies ───────────────────────────────────────────────────────

/// A graded Jump List anomaly, layered on top of the per-link [`LnkAnomaly`]
/// findings (each embedded shell link is audited with [`audit`] for free).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum JumpListAnomaly {
    /// A `DestList` entry is pinned — the user deliberately fixed this target to
    /// the application's Jump List. Provenance, not suspicious on its own.
    PinnedTarget {
        /// The pinned target path recorded in the `DestList`.
        path: String,
    },
    /// A `DestList` entry's origin hostname has no match to the acquisition host
    /// — consistent with the artifact (or the target) having originated on a
    /// different machine. We state only "no match to the acquisition host".
    CrossMachine {
        /// The origin hostname recorded in the `DestList`.
        hostname: String,
        /// The acquisition host the hostname was compared against.
        acquisition_host: String,
    },
    /// A `DestList` entry records MRU recency: a last-access time and an access
    /// count — the application's own usage history for this target.
    MruRecency {
        /// The target path.
        path: String,
        /// Access count (Windows 10/11 `DestList`), when present.
        access_count: Option<u32>,
        /// Last-access time, Unix epoch seconds.
        last_access: i64,
    },
    /// The Jump List's `AppID` resolves to a known application — provenance for
    /// which program owns this MRU history.
    AppIdIdentified {
        /// The `AppID` (lowercase hex).
        app_id: String,
        /// The resolved application name.
        application: &'static str,
    },
}

impl JumpListAnomaly {
    /// The stable, published anomaly code.
    #[must_use]
    pub fn code(&self) -> &'static str {
        match self {
            Self::PinnedTarget { .. } => "JUMPLIST-PINNED-TARGET",
            Self::CrossMachine { .. } => "JUMPLIST-CROSS-MACHINE",
            Self::MruRecency { .. } => "JUMPLIST-MRU-RECENCY",
            Self::AppIdIdentified { .. } => "JUMPLIST-APPID-IDENTIFIED",
        }
    }
}

impl Observation for JumpListAnomaly {
    fn severity(&self) -> Option<Severity> {
        Some(match self {
            Self::PinnedTarget { .. } | Self::CrossMachine { .. } => Severity::Low,
            Self::MruRecency { .. } | Self::AppIdIdentified { .. } => Severity::Info,
        })
    }

    fn code(&self) -> &'static str {
        JumpListAnomaly::code(self)
    }

    fn category(&self) -> Category {
        match self {
            Self::MruRecency { .. } => Category::History,
            Self::PinnedTarget { .. }
            | Self::CrossMachine { .. }
            | Self::AppIdIdentified { .. } => Category::Provenance,
        }
    }

    fn note(&self) -> String {
        match self {
            Self::PinnedTarget { path } => format!(
                "the Jump List entry for {path:?} is pinned; consistent with the user having \
                 deliberately fixed this target to the application's Jump List"
            ),
            Self::CrossMachine {
                hostname,
                acquisition_host,
            } => format!(
                "the Jump List entry records origin hostname {hostname:?}, which has no match to \
                 the acquisition host {acquisition_host:?}; consistent with the target having been \
                 accessed from, or the artifact having originated on, a different machine"
            ),
            Self::MruRecency {
                path,
                access_count,
                last_access,
            } => format!(
                "the Jump List records MRU recency for {path:?} (access count {}, last access \
                 {last_access}); consistent with the application's own usage history for this \
                 target",
                access_count.map_or_else(|| "unknown".to_string(), |c| c.to_string())
            ),
            Self::AppIdIdentified {
                app_id,
                application,
            } => format!(
                "the Jump List AppID {app_id} is consistent with the application {application:?}"
            ),
        }
    }
}

/// Audit a [`JumpList`] into graded [`Finding`]s.
///
/// Runs the existing per-link [`audit`] over **every** embedded shell link
/// (so removable-media / network / tracker findings come for free), then adds
/// the Jump-List-level findings: pinned targets, cross-machine origin
/// hostnames (compared against `acquisition_host`), MRU recency, and a resolved
/// `AppID`. `acquisition_host` is the examiner's host for the cross-machine
/// comparison; pass `None` to skip that check.
#[must_use]
pub fn audit_jumplist(
    jl: &JumpList,
    acquisition_host: Option<&str>,
    scope: impl Into<String>,
) -> Vec<Finding> {
    let src = source(scope);
    let mut out = Vec::new();

    // The AppID is a property of the whole list — emit it once.
    if let Some(app_id) = &jl.app_id {
        if let Some(application) = appid_name(app_id) {
            out.push(
                JumpListAnomaly::AppIdIdentified {
                    app_id: app_id.clone(),
                    application,
                }
                .to_finding(src.clone()),
            );
        }
    }

    for entry in &jl.entries {
        // Reuse the per-link LNK audit — removable/network/tracker for free.
        for anomaly in audit(&entry.link) {
            out.push(anomaly.to_finding(src.clone()));
        }

        let Some(dl) = &entry.destlist else {
            continue;
        };

        if dl.pinned {
            out.push(
                JumpListAnomaly::PinnedTarget {
                    path: dl.path.clone(),
                }
                .to_finding(src.clone()),
            );
        }

        if let Some(host) = acquisition_host {
            if !dl.hostname.is_empty() && !dl.hostname.eq_ignore_ascii_case(host) {
                out.push(
                    JumpListAnomaly::CrossMachine {
                        hostname: dl.hostname.clone(),
                        acquisition_host: host.to_string(),
                    }
                    .to_finding(src.clone()),
                );
            }
        }

        // MRU recency: emit when the entry carries usage history.
        if dl.access_count.is_some() || dl.last_access > 0 {
            out.push(
                JumpListAnomaly::MruRecency {
                    path: dl.path.clone(),
                    access_count: dl.access_count,
                    last_access: dl.last_access,
                }
                .to_finding(src.clone()),
            );
        }
    }

    out
}

#[cfg(test)]
mod tests {
    include!("tests.rs");
}