Microsoft Windows Shortcut Files
The Windows Shortcut file has the extension .lnk. It is essentially a metadata file, specific to the Microsoft Windows platform, and is interpreted by the Windows Shell. The file format does not define a dedicated signature, but the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.
- MAC times of the target. These are a snapshot of the target's date and time stamps from before it was last opened. The target can be one of several things, for example a (linked) file;
    Linked file information:
        Creation time       : Jul 26, 2009 14:44:34 UTC
        Modification time   : Jul 26, 2009 14:44:34 UTC
        Access time         : Aug 12, 2010 06:41:50 UTC
        Local path          : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
- The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
- The size of the target when it was last accessed;
- Serial number of the volume where the target was stored;
  - Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
- Network volume share name;
- Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
- MAC address of the host computer (sometimes);
- Distributed link tracking information, e.g.
    Distributed link tracker information:
        Machine identifier string           : mysystem
        Droid volume identifier             : 11111111-2222-3333-4444-555555555555
        Droid file identifier               : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Birth droid volume identifier       : 11111111-2222-3333-4444-555555555555
        Birth droid file identifier         : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
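The following Python sketch is an added example, not part of the original page or of any tool it mentions. It identifies a shortcut by the CLSID at byte offset 4 and reads the target's MAC times, size and attributes from the fixed 76-byte header. The function names are hypothetical, the field offsets beyond the CLSID follow Microsoft's published MS-SHLLINK layout, and the sample header is constructed from the timestamps shown above with a made-up size and attribute value.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C  # fixed header length (76 bytes) per MS-SHLLINK
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTRIBUTES = {0x1: "read-only", 0x2: "hidden", 0x4: "system", 0x10: "directory",
              0x20: "archive", 0x200: "sparse", 0x800: "compressed",
              0x1000: "offline", 0x4000: "encrypted"}

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def utc_to_filetime(dt):
    # Integer arithmetic avoids float rounding on large tick counts.
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_lnk_header(data):
    """Validate the header and return the target metadata snapshot it stores."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than the 76-byte header")
    size, clsid, _flags, attrs, ctime, atime, mtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)  # CLSID sits at offset 4, attributes at 24
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Windows shortcut (header size or CLSID mismatch)")
    return {"created": filetime_to_utc(ctime),
            "accessed": filetime_to_utc(atime),
            "modified": filetime_to_utc(mtime),
            "size": fsize,
            "attributes": [n for bit, n in ATTRIBUTES.items() if attrs & bit]}

def build_sample_header():
    # Constructed sample: page timestamps, invented size (123456) and attributes.
    created = datetime(2009, 7, 26, 14, 44, 34, tzinfo=timezone.utc)
    accessed = datetime(2010, 8, 12, 6, 41, 50, tzinfo=timezone.utc)
    fixed = struct.pack("<I16sIIQQQI", HEADER_SIZE, LNK_CLSID.bytes_le, 0, 0x21,
                        utc_to_filetime(created), utc_to_filetime(accessed),
                        utc_to_filetime(created), 123456)
    return fixed.ljust(HEADER_SIZE, b"\0")

if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_header()).items():
        print(f"{key:10} : {value}")
```

The timestamps in the header describe the target, not the .lnk file itself, so compare them against the shortcut's own file system timestamps rather than treating the two as interchangeable.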