ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.
Microsoft Windows Shortcut Files
The Windows Shortcut file has the extension .lnk. It basically is a metadata file, specific for the Microsoft Windows platform and is interpreted by the Windows Shell. The file format does not specify a specific signature, but the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.
- MAC times of the target. These are a snapshot of the target date and timestamps before it was last opened. The target can be several things like for example a (linked) file;
Linked file information: Creation time : Jul 26, 2009 14:44:34 UTC Modification time : Jul 26, 2009 14:44:34 UTC Access time : Aug 12, 2010 06:41:50 UTC Local path : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
- The Shell Item list of the target. This information is similar to that in the ShellBags in the Windows Registry;
- The size of the target when it was last accessed;
- Serial number of the volume where the target was stored;
- Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
- Network volume share name;
- Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
- MAC address of the host computer (sometimes);
- Distributed link tracking information, e.g.
Distributed link tracker information: Machine identifier string : mysystem Droid volume identifier : 11111111-2222-3333-4444-555555555555 Droid file identifier : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee Birth droid volume identifier : 11111111-2222-3333-4444-555555555555 Birth droid file identifier : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
- The Meaning of Linkfiles In Forensic Examinations
- Free tool that is capable of reading and reporting on Windows shortcut files
- Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files
- Windows LNK file parser Free tool that can be run on Windows, Linux or Mac OS-X
- Details of the Windows shortcut file format
- Windows Shortcut File (LNK) format
- Evidentiary Value of Link Files