Difference between revisions of "LNK"

From Forensics Wiki
m (correct link)
m
Line 7: Line 7:
 
== Metadata ==
 
== Metadata ==
  
* Three date/time stamps that relate to the last time the target was accessed by the given shortcut file.  (More testing needs to be done to determine exactly how these date/time stamps relate to the target.)
+
* Three date/time stamps which are a snapshot of the target date/time stamps before it was last opened;
* The size of the target when it was last accessed.
+
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored.
+
* Serial number of the volume where the target was stored;
 
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
 
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name
+
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes.
+
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* TODO
+
* MAC address of the host computer (sometimes).
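Review bot: the new last bullet, "MAC address of the host computer (sometimes)", gives no condition for when the address is present or where in the file it is stored; say what "sometimes" depends on so an examiner can tell whether its absence means anything. The rewritten first bullet also drops the old "More testing needs to be done" caveat and now states that the three stamps are a snapshot of the target's stamps "before it was last opened" without pointing to the test or reference that settled it; cite one alongside the bullet.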
  
 
== External Links ==
 
== External Links ==
  
 +
* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations]
 
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
 
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
 
* [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
 
* [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]

Revision as of 11:43, 20 May 2009

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • Three date/time stamps which are a snapshot of the target date/time stamps before it was last opened;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes).
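
The fields listed above can be read straight from the file, as this added example shows (it is not from the wiki or any of the linked tools): it pulls the three timestamps, the target size, the attributes and the volume serial number out of a shortcut. Offsets follow Microsoft's published [MS-SHLLINK] layout; the function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2                          # LinkFlags bits
ATTRS = {0x1: "read-only", 0x2: "hidden", 0x4: "system", 0x8: "volume label",  # 0x8 is the legacy bit
         0x200: "sparse", 0x800: "compressed", 0x1000: "offline", 0x4000: "encrypted"}

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; 0 means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return the target metadata stored in the header and LinkInfo of a .lnk file."""
    if len(data) < 76:
        raise ValueError("shorter than the 76-byte shell link header")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    out = {"created": filetime(ctime), "accessed": filetime(atime), "modified": filetime(wtime),
           "target_size": fsize, "volume_serial": None,
           "attributes": [name for bit, name in ATTRS.items() if attrs & bit]}
    pos = 76
    if flags & HAS_ID_LIST:                      # skip the variable-length target ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        _, _, li_flags, vol_off = struct.unpack_from("<4I", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath: target was on a local volume
            serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
    return out

def constructed_sample():
    """Constructed input (not a real artefact): header plus a minimal LinkInfo."""
    ft = (1242777600 + 11644473600) * 10**7      # 2009-05-20 00:00:00 UTC as FILETIME
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x3,
                         ft, ft, 0, 4096, 0, 1, 0, 0, 0, 0)
    link_info = struct.pack("<7I", 55, 28, 1, 28, 45, 0, 54)
    volume_id = struct.pack("<4I", 17, 2, 0x1234ABCD, 16) + b"\x00"   # removable drive
    return header + link_info + volume_id + b"E:\\a.txt\x00" + b"\x00"

if __name__ == "__main__":
    for key, value in parse_lnk(constructed_sample()).items():
        print(f"{key}: {value}")
```

The serial is printed in the XXXX-XXXX form that `vol` and `dir` show, so it can be compared directly with a seized drive.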

External Links