Difference between revisions of "LNK"

From ForensicsWiki
(External Links)
(Metadata)
Line 7: Line 7:
 
== Metadata ==
 
== Metadata ==
  
* Three date/time stamps which are a snapshot of the target date/time stamps before it was last opened;
+
* MAC date and timestamps which are a snapshot of the target date and timestamps before it was last opened;
 +
* The Shell Item list of the target;
 
* The size of the target when it was last accessed;
 
* The size of the target when it was last accessed;
 
* Serial number of the volume where the target was stored;
 
* Serial number of the volume where the target was stored;
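Review bot: In the changed first bullet, "MAC date and timestamps" introduces an acronym that the same Metadata list also uses in "MAC address of the host computer" for something unrelated, and it drops the count the old wording gave ("Three date/time stamps"). Suggest spelling the set out on first use, for example "Modified, accessed and created (MAC) date and time stamps", so a reader does not conflate the two meanings.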

Revision as of 11:22, 13 August 2010

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • MAC (modified, accessed, created) date and time stamps, which are a snapshot of the target's date and time stamps before it was last opened;
  • The Shell Item list of the target;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes).
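
As an added example (not code from ForensicsWiki), the following Python reads several of the fields listed above (the three timestamps, target size, attributes and volume serial number) from a shortcut's fixed 76-byte header and LinkInfo block, using the layout in Microsoft's MS-SHLLINK specification. The function names and the sample bytes are constructed for this illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)      # FILETIME epoch
HEADER = struct.Struct("<I16sII3QIIIHHII")             # 76-byte ShellLinkHeader
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2                  # LinkFlags bits
ATTRS = {0x1: "readonly", 0x2: "hidden", 0x4: "system", 0x200: "sparse",
         0x800: "compressed", 0x1000: "offline", 0x4000: "encrypted"}

def filetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> datetime (None when the field is zero)."""
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def parse_lnk(data):
    """Return the target metadata stored in a .lnk header and its LinkInfo block."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = HEADER.unpack_from(data)[:8]
    if size != HEADER.size or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off, serial = HEADER.size, None
    if flags & HAS_ID_LIST:                  # Shell Item list: 2-byte size, then items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoFlags at +8, VolumeIDOffset at +12
        li_flags, vol_off = struct.unpack_from("<II", data, off + 8)
        if li_flags & 0x1:                   # VolumeIDAndLocalBasePath present
            serial = struct.unpack_from("<I", data, off + vol_off + 8)[0]
    return {"created": filetime(ctime), "accessed": filetime(atime),
            "modified": filetime(wtime), "target_size": fsize,
            "attributes": [name for bit, name in ATTRS.items() if attrs & bit],
            "volume_serial": None if serial is None
                             else f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"}

def build_sample():
    """Constructed input, not a real artifact: header, empty ID list, LinkInfo."""
    stamp = datetime(2010, 8, 13, 11, 22, tzinfo=timezone.utc)
    ticks = int((stamp - EPOCH).total_seconds()) * 10**7
    header = HEADER.pack(0x4C, LNK_CLSID, HAS_ID_LIST | HAS_LINK_INFO, 0x1 | 0x2,
                         ticks, ticks, ticks, 4096, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 2, 0)       # IDListSize=2, TerminalID only
    volume_id = struct.pack("<IIII", 17, 2, 0x1234ABCD, 16) + b"\x00"
    path, base = b"E:\\a\x00", 28 + len(volume_id)
    link_info = struct.pack("<IIIIIII", base + len(path) + 1, 28, 0x1, 28,
                            base, 0, base + len(path))
    return header + id_list + link_info + volume_id + path + b"\x00"

if __name__ == "__main__":
    print(parse_lnk(build_sample()))
```

The volume serial is formatted as `XXXX-XXXX`, the form Windows displays for a volume, so it can be compared directly with the serial read from removable media. A body cut off after the header raises `struct.error` rather than returning partial values.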

External Links