What forensic tools does this skill support?

This skill provides workflows for industry-standard tools like LECmd (Zimmerman Tools), JLECmd, LnkParse3, and custom Python-based analysis scripts.

Can it detect files opened from USB drives?

Yes, it extracts volume serial numbers and drive types, allowing investigators to correlate LNK files with specific removable media and external hardware.

Where are LNK files typically found during an investigation?

Primary sources include the Recent items folder, Desktop, Startup directories, and Jump List databases (Automatic and Custom Destinations).

How does this aid in timeline reconstruction?

By extracting target creation, modification, and access times, it allows analysts to map exactly when a user interacted with specific files relative to other system events.

Windows LNK Forensic Artifact Analysis

Name: Windows LNK Forensic Artifact Analysis
Author: mukul975

bymukul975

•

4,121

•

Security & Testing

Parses Windows shortcut files to reconstruct user activity, file access history, and forensic timelines.

This skill enables Claude to perform detailed digital forensic analysis of Windows LNK (.lnk) files and Jump Lists. It automates the extraction of critical metadata, including target paths, creation/modification timestamps, volume serial numbers, and machine identifiers. By parsing these artifacts, investigators can reconstruct file access history, identify data exfiltration via removable media, detect malware persistence in startup folders, and correlate user activity with network share access across a forensic timeline.

Key Features

01Parses forensic timestamps for accurate timeline reconstruction

024,121 GitHub stars

03Extracts target file paths and working directories from shortcut files

04Detects indicators of data exfiltration to USB devices or network shares

05Analyzes Jump Lists for recently and frequently accessed applications

06Identifies volume serial numbers and hardware identifiers like Machine IDs

Use Cases

01Detecting malware persistence mechanisms in Windows Startup folders

02Digital forensic investigations for reconstructing user file access history

03Tracking document access from external storage or unauthorized network drives

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills analyzing-windows-lnk-files-for-artifacts

For use in Claude.ai and ChatGPT

Key Features

01Parses forensic timestamps for accurate timeline reconstruction

024,121 GitHub stars

03Extracts target file paths and working directories from shortcut files

04Detects indicators of data exfiltration to USB devices or network shares

05Analyzes Jump Lists for recently and frequently accessed applications

06Identifies volume serial numbers and hardware identifiers like Machine IDs

Use Cases

01Detecting malware persistence mechanisms in Windows Startup folders

02Digital forensic investigations for reconstructing user file access history

03Tracking document access from external storage or unauthorized network drives

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills analyzing-windows-lnk-files-for-artifacts

For use in Claude.ai and ChatGPT