Difference between revisions of "LNK"

From ForensicsWiki
(File Format)
(External Links)
Line 44: Line 44:
 
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
 
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
 
* [https://downloads.sourceforge.net/project/liblnk/Documentation/LNK%20file%20format/Windows%20Shortcut%20File%20%28LNK%29%20format.pdf Windows Shortcut File (LNK) format ]
 
* [https://downloads.sourceforge.net/project/liblnk/Documentation/LNK%20file%20format/Windows%20Shortcut%20File%20%28LNK%29%20format.pdf Windows Shortcut File (LNK) format ]
 +
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files]
  
 
[[Category:File Formats]]
 
[[Category:File Formats]]

Revision as of 10:17, 6 September 2010

Microsoft Windows Shortcut Files

File Format

The Windows Shortcut file has the extension .lnk. It is essentially a metadata file, specific to the Microsoft Windows platform, and is interpreted by the Windows Shell. The file format does not define a dedicated signature, but the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

Metadata

  • MAC times of the target. These are a snapshot of the target's date and time stamps before it was last opened. The target can be several things, for example a (linked) file:
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
  • The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes);
  • Distributed link tracking information, e.g.
Distributed link tracker information:
	Machine identifier string           : mysystem
	Droid volume identifier             : 11111111-2222-3333-4444-555555555555
	Droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
	Birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
	Birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
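
The identifier check and the fixed-header metadata listed above (MAC times, target size, attributes) can be read as follows. This is an added example, not part of the original wiki page: field offsets follow the MS-SHLLINK specification linked from this page, the function names and attribute labels are this example's own, and the sample header is constructed (timestamps borrowed from the output above; size and attributes are made up).

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# CLSID named on the page; on disk it sits at offset 4 in mixed-endian GUID layout.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size per MS-SHLLINK
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
# Subset of the target attribute bits (labels are this example's own).
ATTRS = {0x1: "read-only", 0x2: "hidden", 0x4: "system", 0x200: "sparse",
         0x800: "compressed", 0x1000: "offline", 0x4000: "encrypted"}

def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_lnk_header(data):
    """Return target metadata from an LNK header, or None if it is not an LNK."""
    if len(data) < HEADER_SIZE:
        return None
    size, clsid, flags, attrs, ctime, atime, mtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        return None
    return {
        "link_flags": flags,
        "attributes": [name for bit, name in ATTRS.items() if attrs & bit],
        "creation": filetime_to_utc(ctime),
        "access": filetime_to_utc(atime),
        "modification": filetime_to_utc(mtime),
        "target_size": fsize,
    }

def build_sample_header():
    """Constructed 76-byte header; not taken from a real shortcut file."""
    created = utc_to_filetime(datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc))
    accessed = utc_to_filetime(datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc))
    hdr = struct.pack("<I16sIIQQQI", HEADER_SIZE, LNK_CLSID.bytes_le, 0,
                      0x1 | 0x800, created, accessed, created, 12345)
    return hdr.ljust(HEADER_SIZE, b"\0")

if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_header()).items():
        print(f"{key:14}: {value}")
```

Comparing the CLSID through `bytes_le` matters because the first three GUID fields are stored little-endian on disk, so a plain string search for the textual GUID will not match the raw bytes.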

External Links