
Difference between revisions of "LNK"

(Metadata)
(Metadata)
Line 26: Line 26:
  
 
<pre>
 
<pre>
Distributed link tracker machine identifier string          : mysystem
+
Distributed link tracker information:
Distributed link tracker droid volume identifier            : 11111111-2222-3333-4444-555555555555
+
Machine identifier string          : mysystem
Distributed link tracker droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
+
Droid volume identifier            : 11111111-2222-3333-4444-555555555555
Distributed link tracker birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
+
Droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Distributed link tracker birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
+
Birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
 +
Birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
 
</pre>
 
</pre>
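Review bot: in the added rows, the birth droid volume and file identifiers carry exactly the same sample values as the droid volume and file identifiers, and the new "Distributed link tracker information:" header does not say how the two pairs relate. Add a sentence under the sample stating what each pair records, or use distinct placeholder values for the birth rows so the four fields can be told apart. Dropping the repeated "Distributed link tracker" prefix in favour of a single header line reads fine.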
  

Revision as of 16:34, 13 August 2010

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • MAC date and timestamps of the target. These are a snapshot of the target's date and timestamps before it was last opened. The target can be one of several things, for example a (linked) file;
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
  • The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes);
  • Distributed link tracking information, e.g.
Distributed link tracker information:
	Machine identifier string           : mysystem
	Droid volume identifier             : 11111111-2222-3333-4444-555555555555
	Droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
	Birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
	Birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
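
One place a host MAC address can surface is the droid file identifier: when that GUID is a version 1 (time-based) UUID, its last six bytes are the node ID. The following is an added example, not code from ForensicsWiki; the block layout follows the TrackerDataBlock in Microsoft's MS-SHLLINK specification, the signature scan is a shortcut in place of a full LNK parse, and the function names and the second GUID are constructed for illustration.

```python
import struct
import uuid

# BlockSize 0x60, BlockSignature 0xA0000003, Length 0x58, per MS-SHLLINK
TRACKER_MAGIC = struct.pack("<III", 0x60, 0xA0000003, 0x58)
FIELDS = ("droid_volume", "droid_file", "birth_droid_volume", "birth_droid_file")


def mac_from_guid(guid):
    """Return the MAC address embedded in a version 1 UUID, else None."""
    if guid.version != 1:
        return None  # not time-based: the node field carries no MAC
    if (guid.node >> 40) & 1:
        return None  # multicast bit set: random node ID (RFC 4122), not a NIC
    return ":".join(f"{b:02x}" for b in guid.node.to_bytes(6, "big"))


def parse_tracker_block(data):
    """Decode the tracker data block from raw .lnk bytes; None if absent."""
    off = data.find(TRACKER_MAGIC)  # signature scan instead of a full LNK parse
    if off < 0 or len(data) < off + 0x60:
        return None
    block = data[off:off + 0x60]
    info = {"machine_id": block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")}
    for i, name in enumerate(FIELDS):  # four GUIDs, little-endian layout
        info[name] = uuid.UUID(bytes_le=block[32 + 16 * i:48 + 16 * i])
    info["mac"] = mac_from_guid(info["droid_file"])
    return info


def build_sample(machine, volume, file_id):
    """Constructed input: a tracker block whose birth IDs equal the current IDs."""
    guids = [uuid.UUID(g).bytes_le for g in (volume, file_id, volume, file_id)]
    body = struct.pack("<I16s", 0, machine.encode("ascii")) + b"".join(guids)
    return b"\x00" * 8 + TRACKER_MAGIC + body + b"\x00" * 4


if __name__ == "__main__":
    vol = "11111111-2222-3333-4444-555555555555"  # value from the page's sample
    for fid in ("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",   # page's sample value
                "3f2c1a00-a6b5-11df-9c3e-020000aabbcc"):  # constructed v1 UUID
        info = parse_tracker_block(build_sample("mysystem", vol, fid))
        print(info["machine_id"], info["droid_file"], "MAC:", info["mac"])
```

The page's placeholder GUIDs are not version 1 UUIDs, so they yield no MAC address, which matches the "sometimes" in the list above.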

External Links