Difference between revisions of "LNK"

From ForensicsWiki
Microsoft Windows Shortcut Files

== File Format ==

The Windows Shortcut file has the extension .lnk.
It is essentially a metadata file, specific to the Microsoft Windows platform, that is interpreted by the Windows Shell.
Files in this format carry a fixed signature: the value 0x4C (bytes 4C 00 00 00, the header size) at offset 0 of the file or stream. The GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 is a further good identifier.

Understanding this file format can be extremely useful for an analyst: not only are shortcut files still in use as of Windows 7, but the same binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on Windows 7 and 8.
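As an added example (not code from the original page, nor from liblnk or any other tool listed below), here is a Python parser for the fixed 76-byte header described above: it checks the 0x4C header size at offset 0 and the LinkCLSID at offset 4, then decodes the target's three FILETIME stamps, size and attribute bits according to the ShellLinkHeader layout in MS-SHLLINK. The header it parses is a constructed sample that reuses the timestamps shown in the Metadata section, not a real file.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # stored at offset 4
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Subset of the FileAttributes bits (MS-SHLLINK 2.1.2) that the page lists.
ATTRIBUTE_BITS = {0x1: "read-only", 0x2: "hidden", 0x4: "system", 0x200: "sparse",
                  0x800: "compressed", 0x1000: "offline", 0x4000: "encrypted"}

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_shell_link_header(data):
    """Validate the 76-byte ShellLinkHeader and return the target metadata it holds."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != 0x4C:
        raise ValueError("HeaderSize is 0x%X, expected 0x4C" % header_size)
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("LinkCLSID mismatch: not a shell link")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    return {
        "link_flags": flags,
        "attributes": [n for b, n in sorted(ATTRIBUTE_BITS.items()) if attrs & b],
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": size,
    }

def is_shell_link(data):
    try:
        parse_shell_link_header(data)
        return True
    except ValueError:
        return False

def build_sample_header():
    """Constructed sample (not a real file) reusing timestamps from the Metadata section."""
    created = datetime_to_filetime(datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc))
    accessed = datetime_to_filetime(datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc))
    # Trailing fields: IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1-3.
    return struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, 0x1, 0x20 | 0x800,
                       created, accessed, created, 1_234_567, 0, 1, 0, 0, 0, 0)
```

The same two checks (header size, then CLSID) are what make the signature usable for carving .lnk data out of unallocated space or out of the numbered Jump List streams mentioned above.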
== Metadata ==

* [[MAC times]] of the target. These are a snapshot of the target's date and time stamps taken before it was last opened. The target can be one of several things, for example a (linked) file;
<pre>
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
</pre>

* The [[Shell Item]] list of the target;
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored;
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes);
* Distributed link tracking information, e.g.

<pre>
Distributed link tracker information:
	Machine identifier string           : mysystem
	Droid volume identifier             : 11111111-2222-3333-4444-555555555555
	Droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
	Birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
	Birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</pre>

== External Links ==

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
* [http://code.google.com/p/liblnk/downloads/detail?name=Windows%20Shortcut%20File%20%28LNK%29%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files]
* [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You're doing it wrong (I)]
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You're doing it wrong (II)]

== Tools ==

* [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser], a free tool that runs on Windows, Linux or Mac OS X
* [http://jafat.sourceforge.net/files.html Free tool (in Perl) that is capable of reading and reporting on Windows shortcut files]
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
* [[liblnk]]
* [http://code.google.com/p/lnk-parser/ lnk-parser]

[[Category:File Formats]]
Revision as of 08:47, 10 February 2013