LNK Files - Foren-Ken/tech-journal GitHub Wiki

What Are LNK Files?

These files, often seen as shortcut files, allow a user on a Windows device to have multiple links leading to a single file. Think of them like URLs pointing to the same resource: no matter where the link sits or when it is used, the LNK file will work as long as the person has access to the target file. This allows a file located within the %HOMEPATH%/Documents directory to be accessible from %HOMEPATH%/Desktop without having two copies of the same file.

What is the Forensic Value?

LNK Files offer forensic researchers a great deal of valuable information:

  1. MAC Timestamps for LNK File
  2. MAC Timestamps for Target File (The file which the LNK File points to)
  3. Location of the Target File
  4. Name of Target File
  5. MFT Entry Number (Allows for Discovery of Item on Disk in case of Deletion)
  6. Machine ID (The Hostname of the Windows Machine)
  7. MAC Address of Machine
  8. Serial Number of Storage Device
  9. Type of Storage Device
  10. Drive Letter of Volume
  11. Digital Record Object Identification (DROID) Information

| Droid Type | Forensic Value |
| --- | --- |
| Volume Droid | The DROID value of the volume on which the Target file currently resides. All files within the same volume have the same Volume Droid value. |
| Volume Droid Birth | The DROID value of the volume on which the Target file was created. |
| File Droid | The DROID value given to the Target file to differentiate files. All File Droid values within a volume are similar, but minor differences are used to differentiate them from one another. |
| File Droid Birth | The DROID value given to the Target file upon creation to differentiate it from others. This value should not change when the target file is moved to another volume. |
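
As an added example (not part of the original wiki page and not LECmd's code), the Python parser below reads several of the fields listed above directly from the Shell Link binary layout: the Target file's MAC timestamps and size from the header, and the Machine ID, the four DROID values and the MAC address from the TrackerDataBlock. The function names, dictionary keys and the bytes produced by `build_sample()` are constructed for illustration.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

# HeaderSize (0x4C) followed by the Shell Link CLSID as stored on disk
HEADER_MAGIC = struct.pack("<I", 0x4C) + uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

def filetime(ticks):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_lnk(data):
    if len(data) < 76 or data[:20] != HEADER_MAGIC:
        raise ValueError("not a Shell Link header")
    flags, = struct.unpack_from("<I", data, 20)
    created, accessed, modified, size = struct.unpack_from("<QQQI", data, 28)
    out = {"target_created": filetime(created), "target_accessed": filetime(accessed),
           "target_modified": filetime(modified), "target_size": size}
    pos = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # StringData entries, in file order
        if flags & bit:
            chars, = struct.unpack_from("<H", data, pos)
            pos += 2 + chars * (2 if flags & 0x80 else 1)  # 0x80 = IsUnicode
    while pos + 8 <= len(data):  # ExtraData blocks: size, signature, payload
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4 or pos + bsize > len(data):  # TerminalBlock or truncated file
            break
        if sig == 0xA0000003 and bsize == 0x60:  # TrackerDataBlock
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
            keys = ("volume_droid", "file_droid", "volume_droid_birth", "file_droid_birth")
            for i, key in enumerate(keys):
                out[key] = uuid.UUID(bytes_le=data[pos + 32 + 16 * i:pos + 48 + 16 * i])
            fd = out["file_droid"]
            if fd.version == 1:  # version 1 UUIDs carry the generating NIC's MAC in the node field
                out["mac"] = ":".join(f"{b:02x}" for b in fd.node.to_bytes(6, "big"))
            out["droid_changed"] = [out[k] for k in keys[:2]] != [out[k] for k in keys[2:]]
        pos += bsize
    return out

def build_sample():
    # Constructed sample, not a real artifact: header with LinkFlags 0, one tracker block
    ft = 133485408000000000  # 2024-01-01 00:00:00 UTC
    hdr = HEADER_MAGIC + struct.pack("<IIQQQIIIHHII", 0, 0x20, ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)
    vol, birth_vol = (uuid.UUID(int=n) for n in (0xA1, 0xB2))
    fid = uuid.UUID("3f1c2d00-8a7b-11ee-9c3d-00005e00532a")  # v1, documentation-range MAC
    trk = struct.pack("<IIII16s", 0x60, 0xA0000003, 0x58, 0, b"lab-ws-01")
    trk += vol.bytes_le + fid.bytes_le + birth_vol.bytes_le + fid.bytes_le
    return hdr + trk + struct.pack("<I", 0)  # TerminalBlock
```

`parse_lnk(build_sample())` returns a dictionary in which `droid_changed` is true, because the constructed Volume Droid differs from the Volume Droid Birth while the File Droid and File Droid Birth match.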

LECmd

(Link Explorer)
Guide to other Eric Zimmerman Tools

This command uses LECmd.exe to parse .LNK files. The common location of LNK files is C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\[location of lnk file].

Examples:

LECmd.exe -f "C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\blast.exe.txt.lnk" - Will provide the information within the blast.exe.txt.lnk file.