Difference between revisions of "LNK"

From ForensicsWiki
(Metadata)
(Metadata)
Line 7: Line 7:
 
== Metadata ==
 
== Metadata ==
  
* MAC date and timestamps which are a snapshot of the target date and timestamps before it was last opened;
+
* MAC date and timestamps of the target. These are a snapshot of the target date and timestamps before it was last opened. The target can be several things like for example a (linked) file;
* The Shell Item list of the target;
+
<pre>
 +
Linked file information:
 +
Creation time : Jul 26, 2009 14:44:34 UTC
 +
Modification time : Jul 26, 2009 14:44:34 UTC
 +
Access time : Aug 12, 2010 06:41:50 UTC
 +
Local path : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
 +
</pre>
 +
 
 +
* The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
 
* The size of the target when it was last accessed;
 
* The size of the target when it was last accessed;
 
* Serial number of the volume where the target was stored;
 
* Serial number of the volume where the target was stored;
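Review bot: The new `<pre>` sample sits on its own lines between two `*` items, so it falls outside the bullet it illustrates and splits the list; attach it to the first item or move it below the list. The added sentence "The target can be several things like for example a (linked) file;" is awkward, and "The target can be, for example, a (linked) file;" reads better. The sample also does not say which tool produced the "Linked file information" output, which is worth stating in the item text.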
Line 14: Line 22:
 
* Network volume share name;
 
* Network volume share name;
 
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
 
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes).
+
* MAC address of the host computer (sometimes);
 +
* Distributed link tracking information, e.g.
 +
 
 +
<pre>
 +
Distributed link tracker machine identifier string          : mysystem
 +
Distributed link tracker droid volume identifier            : 11111111-2222-3333-4444-555555555555
 +
Distributed link tracker droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
 +
Distributed link tracker birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
 +
Distributed link tracker birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
 +
</pre>
  
 
== External Links ==
 
== External Links ==
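Review bot: The new last list item, "Distributed link tracking information, e.g.", ends on "e.g." with no terminator, while the previous item was changed from "." to ";" to make room for it; close the list with a full stop after the example. The `<pre>` sample shows identical values for the droid and birth droid identifiers without saying what either pair denotes or that the GUIDs and "mysystem" are placeholders; one sentence explaining the fields would make the example usable.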

Revision as of 12:31, 13 August 2010

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • MAC date and timestamps of the target. These are a snapshot of the target's date and timestamps before it was last opened. The target can be one of several things, for example a (linked) file;
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
  • The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes);
  • Distributed link tracking information, e.g.
Distributed link tracker machine identifier string           : mysystem
Distributed link tracker droid volume identifier             : 11111111-2222-3333-4444-555555555555
Distributed link tracker droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Distributed link tracker birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
Distributed link tracker birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
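
The target timestamps, size and attributes listed above are stored in the fixed 76-byte header at the start of a .LNK file, laid out as in Microsoft's [MS-SHLLINK] specification. The parser below is an added example, not part of the original wiki page; `build_sample` produces a constructed header that reuses the timestamps from the sample output above, and its size, flag and attribute values are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader: 76 bytes, little-endian, field order per [MS-SHLLINK].
HEADER = struct.Struct("<I16sIIQQQIiIH10x")
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTRIBUTES = {0x01: "read-only", 0x02: "hidden", 0x04: "system", 0x20: "archive",
              0x200: "sparse", 0x800: "compressed", 0x1000: "offline",
              0x4000: "encrypted"}

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def utc_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_lnk_header(data):
    """Return the target metadata held in the header of a .LNK file."""
    if len(data) < HEADER.size:
        raise ValueError("truncated: shorter than the 76-byte header")
    (size, clsid, flags, attrs, ctime, atime, mtime,
     fsize, _icon, _show, _hotkey) = HEADER.unpack_from(data)
    if size != HEADER.size or clsid != LINK_CLSID:
        raise ValueError("not a shell link: bad header size or class identifier")
    return {
        "created": filetime_to_utc(ctime),
        "modified": filetime_to_utc(mtime),
        "accessed": filetime_to_utc(atime),
        "target_size": fsize,  # low 32 bits of the target's size
        "attributes": [name for bit, name in ATTRIBUTES.items() if attrs & bit],
        "link_flags": flags,
    }

def build_sample():
    """Constructed header; timestamps taken from the sample output above."""
    utc = timezone.utc
    created = utc_to_filetime(datetime(2009, 7, 26, 14, 44, 34, tzinfo=utc))
    accessed = utc_to_filetime(datetime(2010, 8, 12, 6, 41, 50, tzinfo=utc))
    # On disk the order is creation, access, write (modification).
    return HEADER.pack(0x4C, LINK_CLSID, 0x0B, 0x21,
                       created, accessed, created, 123456, 0, 1, 0)

if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample()).items():
        print(f"{key:12}: {value}")
```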

External Links