From ForensicsWiki
Revision as of 18:59, 11 July 2011 by Joachim Metz (Talk | contribs) (Examples)

Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Analysis
License: LGPL

The liblnk package contains a library and applications to read the Windows Explorer Shortcut (LNK) format.


Liblnk was created by Joachim Metz in 2009, while working for Hoffmann Investigations.


The liblnk package contains the following tools:

  • lnkinfo, which shows information about LNK files.


Requesting the information in a LNK file:

lnkinfo Calculator.lnk
lnkinfo 20110711

Windows Shortcut information:
        Contains a link target identifier
        Contains a description string
        Contains a working directory string
        Contains an environment variables block

Link information:
        Creation time                   : Aug 10, 2004 16:54:24.000000 UTC
        Modification time               : Aug 04, 2004 14:00:00.000000 UTC
        Access time                     : Jun 26, 2006 10:36:41.703125 UTC
        Local path                      : C:\WINDOWS\system32\calc.exe
        Description                     : @%SystemRoot%\system32\shell32.dll,-22531
        Working directory               : C:\WINDOWS\system32
        Environment variables location  : %SystemRoot%\system32\calc.exe

Distributed link tracking data:
        Machine identifier              : hostname
        Droid volume identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Droid file identifier           : 00000000-1111-2222-3333-444444444444
        Birth droid volume identifier   : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Birth droid file identifier     : 00000000-1111-2222-3333-444444444444
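
The "Contains ..." lines and the three timestamps in the output above are read from the fixed 76-byte header at the start of a LNK file. The following Python parser is an added example, not liblnk code: it decodes that header using the layout in Microsoft's MS-SHLLINK specification. The flag labels, function names and sample header are constructed for illustration.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits from MS-SHLLINK; labels are modelled on the output above.
FLAGS = {
    0x0001: "link target identifier", 0x0002: "link information",
    0x0004: "description string", 0x0008: "relative path string",
    0x0010: "working directory string", 0x0020: "command line arguments string",
    0x0040: "icon location string", 0x0200: "environment variables block",
}

def filetime_to_dt(ft):
    # 100 ns ticks since 1601-01-01 UTC; zero means the field is not set.
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    # Inverse conversion in integer arithmetic, used to build the sample.
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def parse_header(data):
    if len(data) < 76:
        raise ValueError("truncated: the header is 76 bytes")
    # Header size, class id, flags, attributes, then creation/access/write.
    size, clsid, flags, _attrs, ctime, atime, wtime = struct.unpack_from(
        "<I16sIIQQQ", data)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a LNK file: bad header size or class identifier")
    return {
        "contains": [name for bit, name in FLAGS.items() if flags & bit],
        "creation": filetime_to_dt(ctime),
        "modification": filetime_to_dt(wtime),
        "access": filetime_to_dt(atime),
    }

def sample_header():
    # Constructed 76-byte header carrying the flags and times shown above.
    utc = timezone.utc
    return struct.pack(
        "<I16sIIQQQ24x", 0x4C, LNK_CLSID.bytes_le,
        0x0001 | 0x0004 | 0x0010 | 0x0200, 0x20,
        dt_to_filetime(datetime(2004, 8, 10, 16, 54, 24, tzinfo=utc)),
        dt_to_filetime(datetime(2006, 6, 26, 10, 36, 41, 703125, tzinfo=utc)),
        dt_to_filetime(datetime(2004, 8, 4, 14, 0, 0, tzinfo=utc)))

if __name__ == "__main__":
    for key, value in parse_header(sample_header()).items():
        print(f"{key:13}: {value}")
```

The header stores the times in the order creation, access, write, so a parser that assumes the display order above swaps the modification and access times.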

External Links