Difference between revisions of "LNK"

From ForensicsWiki
Jump to: navigation, search
(Metadata)
(Metadata)
Line 26: Line 26:
  
 
<pre>
 
<pre>
Distributed link tracker machine identifier string          : mysystem
+
Distributed link tracker information:
Distributed link tracker droid volume identifier            : 11111111-2222-3333-4444-555555555555
+
Machine identifier string          : mysystem
Distributed link tracker droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
+
Droid volume identifier            : 11111111-2222-3333-4444-555555555555
Distributed link tracker birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
+
Droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Distributed link tracker birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
+
Birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
 +
Birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
 
</pre>
 
</pre>
  

Revision as of 12:34, 13 August 2010

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • MAC date and timestamps of the target. These are a snapshot of the target date and timestamps before it was last opened. The target can be several things like for example a (linked) file;
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
  • The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes);
  • Distributed link tracking information, e.g.
Distributed link tracker information:
	Machine identifier string           : mysystem
	Droid volume identifier             : 11111111-2222-3333-4444-555555555555
	Droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
	Birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
	Birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

External Links