From Forensics Wiki
Revision as of 10:11, 13 August 2010 by Joachim Metz
Microsoft Windows Shortcut Files
- Three date/time stamps which are a snapshot of the target date/time stamps before it was last opened;
- The size of the target when it was last accessed;
- Serial number of the volume where the target was stored;
- Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
- Network volume share name;
- Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
- MAC address of the host computer (sometimes).
- The Meaning of Linkfiles In Forensic Examinations
- Free tool that is capable of reading and reporting on Windows shortcut files
- Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files
- Details of the Windows shortcut file format
- Windows Shortcut File (LNK) format