Difference between revisions of "LNK"

From ForensicsWiki
(Metadata)
m (correct link)
Line 17: Line 17:
 
== External Links ==
 
== External Links ==
  
* [http://mitec.cz/wfa.htm Free tool that is capable of reading and reporting on Windows shortcut files]
+
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
 
* [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
 
* [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
 
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
 
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
  
 
[[Category:File Formats]]
 
[[Category:File Formats]]
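Review bot: the corrected mitec.cz line keeps a link text that is almost word for word the same as the jafat.sourceforge.net entry below it, so a reader cannot tell the two tools apart without following the links; name each tool in its own link text. The edit summary "correct link" also does not say that the fix is the .htm to .html extension, which would help anyone re-checking the URL later.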

Revision as of 10:55, 8 December 2008

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • Three date/time stamps that relate to the last time the target was accessed by the given shortcut file. (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
  • The size of the target when it was last accessed.
  • Serial number of the volume where the target was stored.
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
  • TODO
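A parser for the fields listed above, added here as an illustration and not taken from this wiki or from any of the linked tools. It assumes the layout in Microsoft's published [MS-SHLLINK] specification (76-byte header, optional ID list, then LinkInfo), which this page does not document; the function names, the latin-1 decoding and the sample file are constructed for the example, and 0x8 as "volume label" follows the legacy FAT attribute bit.

```python
import struct
from datetime import datetime, timedelta, timezone

# Link CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ATTRS = {0x1: "readonly", 0x2: "hidden", 0x4: "system", 0x8: "volume_label",
         0x200: "sparse", 0x800: "compressed", 0x1000: "offline", 0x4000: "encrypted"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means not set."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    if len(data) < 76:
        raise ValueError("shorter than the 76-byte header")
    size, clsid, flags, attrs, ct, at, wt, fsize = struct.unpack_from("<I16sIIQQQI", data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    out = {"created": filetime(ct), "accessed": filetime(at), "written": filetime(wt),
           "target_size": fsize, "attributes": [n for b, n in ATTRS.items() if attrs & b],
           "volume_serial": None, "share_name": None}
    pos = 76
    if flags & 0x1:                  # HasLinkTargetIDList: skip 2-byte size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:                  # HasLinkInfo; offsets below are relative to it
        li_size, _, li_flags, vol_off, _, net_off = struct.unpack_from("<6I", data, pos)
        info = data[pos:pos + li_size]
        if len(info) < li_size:
            raise ValueError("truncated LinkInfo")
        if li_flags & 0x1:           # VolumeID: DriveSerialNumber at +8
            serial = struct.unpack_from("<I", info, vol_off + 8)[0]
            out["volume_serial"] = "%04X-%04X" % divmod(serial, 0x10000)
        if li_flags & 0x2:           # CommonNetworkRelativeLink: NetNameOffset at +8
            start = net_off + struct.unpack_from("<I", info, net_off + 8)[0]
            # NUL-terminated ANSI string; latin-1 decoding is an assumption
            out["share_name"] = info[start:info.index(b"\0", start)].decode("latin-1")
    return out

def build_sample():
    """Constructed sample: header plus LinkInfo with a VolumeID and a share."""
    ft = 128732073000000000          # 2008-12-08 10:55:00 UTC
    head = struct.pack("<I16sIIQQQI", 0x4C, LNK_CLSID, 0x2, 0x3, ft, ft, ft, 4096) + bytes(20)
    vol = struct.pack("<4I", 17, 2, 0x1234ABCD, 16) + b"\0"
    name = b"\\\\SERVER\\share\0"
    net = struct.pack("<5I", 20 + len(name), 0, 20, 0, 0) + name
    body = vol + b"E:\\\0" + net + b"\0"
    info = struct.pack("<7I", 28 + len(body), 28, 0x3, 28, 45, 49, 27 + len(body)) + body
    return head + info
```

The serial is printed in the XXXX-XXXX form that the Windows `vol` command uses, so it can be compared directly with the serial read from a seized USB drive.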

External Links