Difference between revisions of "LNK"

From Forensics Wiki
Jump to: navigation, search
m
(External Links)
Line 21: Line 21:
 
* [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
 
* [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
 
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
 
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
 +
* [https://downloads.sourceforge.net/project/liblnk/Documentation/LNK%20file%20format/Windows%20Shortcut%20File%20%28LNK%29%20format.pdf|Windows Shortcut File (LNK) format ]
  
 
[[Category:File Formats]]
 
[[Category:File Formats]]

Revision as of 11:07, 13 August 2010

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • Three date/time stamps which are a snapshot of the target date/time stamps before it was last opened;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes).

External Links