LNK

From ForensicsWiki
Revision as of 11:31, 13 August 2010 by Joachim Metz (Talk | contribs)

Microsoft Windows Shortcut Files

File Format

  • TODO

Metadata

  • MAC (modification, access, creation) date and time stamps of the target. These are a snapshot of the target's date and time stamps before it was last opened. The target can be several things, for example a (linked) file:
Linked file information:
	Creation time		: Jul 26, 2009 14:44:34 UTC
	Modification time	: Jul 26, 2009 14:44:34 UTC
	Access time		: Aug 12, 2010 06:41:50 UTC
	Local path		: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
  • The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
  • The size of the target when it was last accessed;
  • Serial number of the volume where the target was stored;
    • Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
  • Network volume share name;
  • Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
  • MAC address of the host computer (sometimes);
  • Distributed link tracking information, e.g.
Distributed link tracker machine identifier string           : mysystem
Distributed link tracker droid volume identifier             : 11111111-2222-3333-4444-555555555555
Distributed link tracker droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Distributed link tracker birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
Distributed link tracker birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
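
One source of the MAC address noted above is the droid file identifier: when that GUID is a version 1 (time based) UUID, its node field holds the network adapter address of the host that generated it and its time fields hold the generation time. The Python code below is an added example, not part of the original wiki page; the function name decode_droid and the second sample identifier are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 UUID timestamps count 100 ns intervals since 15 October 1582.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Placeholder identifier as printed in the listing above (not a version 1 UUID).
PAGE_SAMPLE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# Constructed version 1 identifier: made-up node, time set to 2010-08-12 06:41:50 UTC.
CONSTRUCTED_V1 = "af7d0b00-a5dc-11df-8000-001122334455"


def decode_droid(identifier):
    """Return (mac, generated) from a droid file identifier.

    Returns None when the identifier carries no usable MAC address, which
    is why the MAC address is only "sometimes" available.
    """
    droid = uuid.UUID(identifier)
    # Only RFC 4122 version 1 UUIDs embed a node address and a timestamp.
    if droid.variant != uuid.RFC_4122 or droid.version != 1:
        return None
    node = droid.node.to_bytes(6, "big")
    # A set multicast bit marks a randomly generated node, not an adapter.
    if node[0] & 0x01:
        return None
    mac = ":".join(f"{octet:02x}" for octet in node)
    generated = GREGORIAN_EPOCH + timedelta(microseconds=droid.time // 10)
    return mac, generated


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_V1):
        decoded = decode_droid(sample)
        if decoded is None:
            print(f"{sample}: no MAC address recoverable")
        else:
            print(f"{sample}: MAC {decoded[0]}, generated {decoded[1].isoformat()}")
```

The same function applies to the birth droid file identifier; when the birth and current identifiers differ, each is decoded separately.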

External Links