LNK Files - nurit-cyber/OperatingSystemForensics GitHub Wiki

LNK Files / Link Files / Shortcuts

These files carry the .lnk extension. A link file points to another file or container, which in turn may point to another object, and it holds a lot of metadata about the object it points to.

Text and HTML files are the only files without a defined structure; they are just plain text. Binary files have a structure defined by their owner or developer.

If a shortcut to a file is found on a system, this proves that the file has been opened.

Link files are stored in many places, but the most common locations are listed below:

[insert image]

C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent
C:\ProgramData\Microsoft

On Windows 7, they can be turned off from the Taskbar settings.

Investigating File Shortcuts

File signature: 4C 00 00 00
Volume SN: built into the device by the manufacturer and cannot be changed
Volume ID: assigned when the drive is formatted and changes every time the drive is reformatted

A LNK file records the target file's full path, name, size, timestamps (created, accessed, modified) and file attributes (read-only, SYS, hidden). It also records information about the media: the storage media type, the volume serial number, the machine's MAC address, the birth and current VolumeID, and finally the computer's (NetBIOS) name.

Normally the shortcut and its data are not cleared even if the target file is deleted. This is useful when an individual claims they never had the file or that it was never executed. The shortcut also records the volume (the VolumeID and the MAC address) on which the file was opened and executed.

The LNK file shows whether the file has been moved between multiple devices, by comparing the MAC addresses of the machines on which the file was executed.

Forensic Significance

- target path, size, timestamps
- MAC address & Computer Name
- Birth VolumeID
- Volume SN, Drive Type, current VolumeID
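As an added example (not code from this wiki), a minimal parser for the fields described above: it checks the 4C 00 00 00 signature, decodes the target's FILETIME timestamps, size and attributes from the ShellLinkHeader, and pulls the drive type, volume serial number and local base path from the LinkInfo block. The sample shortcut bytes are constructed inline; the tracker block that carries the MAC address and NetBIOS name is not parsed here.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIIIH10s"  # ShellLinkHeader: 0x4C bytes, first DWORD is the 4C 00 00 00 signature
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}

def filetime_to_iso(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC; zero means "not set"
    if ft == 0:
        return None
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()

def parse_lnk(data):
    """Return the target's timestamps, size, attributes, volume and path from raw LNK bytes."""
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    size, _clsid, flags, attrs, ctime, atime, wtime, fsize = hdr[:8]
    if size != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize signature")
    info = {"created": filetime_to_iso(ctime), "accessed": filetime_to_iso(atime),
            "modified": filetime_to_iso(wtime), "size": fsize,
            "attributes": [n for b, n in FILE_ATTRIBUTES.items() if attrs & b]}
    pos = 0x4C
    if flags & 0x1:  # HasLinkTargetIDList: skip IDListSize plus the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:  # HasLinkInfo: volume serial, drive type and local base path live here
        li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath present
            _vsize, dtype, serial = struct.unpack_from("<III", data, pos + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            end = data.index(b"\x00", pos + base_off)
            info["local_base_path"] = data[pos + base_off:end].decode("latin-1")
        pos += li_size
    return info

def build_sample_lnk():
    """Constructed sample LNK (not captured from a real system): header + LinkInfo with a VolumeID."""
    ft = 132223104000000000          # FILETIME for 2020-01-01T00:00:00Z
    vol = struct.pack("<IIII", 19, 3, 0x1234ABCD, 16) + b"OS\x00"  # FIXED drive, serial 1234-ABCD
    base, suffix = b"C:\\Users\\alice\\notes.txt\x00", b"\x00"
    vol_off = 0x1C                   # VolumeID follows the 7-DWORD LinkInfo header
    base_off, suf_off = vol_off + len(vol), vol_off + len(vol) + len(base)
    linkinfo = struct.pack("<IIIIIII", suf_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suf_off) + vol + base + suffix
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, 0x2, 0x22, ft, ft, ft, 1337, 0, 1, 0, b"\x00" * 10)
    return header + linkinfo
```

Running `parse_lnk(open(path, "rb").read())` on a shortcut from the Recent folder listed above yields the same dictionary for a real file.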

Forensics w/ LNK files

- shortcut will not get updated unless it is used