Difference between revisions of "LNK"

From Forensics Wiki
Jump to: navigation, search
(Metadata)
Line 9: Line 9:
 
* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file.  (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
 
* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file.  (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
 
* The size of the target when it was last accessed.
 
* The size of the target when it was last accessed.
* Serial number of the local volume where the target was stored.
+
* Serial number of the volume where the target was stored.
 +
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
 
* Network volume share name
 
* Network volume share name
 
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
 
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.

Revision as of 09:24, 31 August 2007

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
  • The size of the target when it was last accessed.
  • Serial number of the volume where the target was stored.
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
  • TODO

External Links