Windows LNK File Analysis in Forensic System Reviews

Ismail Tasdelen
Published in InfoSec Write-ups, Oct 29, 2019

The term Recent Files describes the files most recently accessed by a user. In a forensic review, determining which applications and documents the user opened most recently can be of critical importance to resolving an incident. On a Windows system, a shortcut file is created under the Recent directory of the user's profile for each file the user opens, and these shortcut files can be analyzed to determine which files the user last accessed. In particular, even when a file has been deleted or wiped by the user and can no longer be recovered, the shortcut file associated with it often remains and still yields information about it.

Where LNK shortcut files are stored depends on the version of the operating system. They are found in the following directories:

Windows XP :

  • \Documents and Settings\UserName\Recent
  • \Documents and Settings\UserName\Application Data\Microsoft\Office\Recent

Windows Vista and Windows 7 :

  • \Users\UserName\AppData\Roaming\Microsoft\Windows\Recent
  • \Users\UserName\AppData\Roaming\Microsoft\Office\Recent

Here UserName stands for the account name of the user concerned. For example, for the user named IsmailTasdelen, the first Windows 7 directory would be \Users\IsmailTasdelen\AppData\Roaming\Microsoft\Windows\Recent. The creation time of a shortcut file indicates when the user first accessed the document, and its last-modified time indicates when the document was last accessed. As an example, the following screenshot shows part of the contents of the Recent directory on a Windows 7 system; the Date created and Date modified fields show when each file was first and last accessed.

Which Data is Stored in the LNK File?

The following information is obtained when an LNK file is analyzed:

  • The full path to the target file or directory that the LNK file points to
  • Creation, modification, and access times of the target file or directory
  • Size of the target file or directory
  • NetBIOS name and MAC address of the system on which the link was created
  • The serial number of the volume where the target file or directory is stored
  • Network share name if the target file or directory was accessed over the network
  • Attributes of the target file or directory (for example, 'read only', 'hidden', 'system')
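To make the list above concrete, here is a small parser for the fields it names, written for this article as an added example (it is not the author's code, nor code from any of the tools discussed below). The field layout follows the public MS-SHLLINK specification: the ShellLinkHeader carries the target's timestamps, size and attributes, the LinkInfo structure carries the volume serial, volume label and local path (or the network share), the StringData section carries the relative path and working directory, and the TrackerDataBlock in ExtraData carries the NetBIOS machine name and, in the node field of the file object ID, the MAC address of the creating system. The sample .lnk at the bottom is constructed inline (the path, volume serial, machine name and MAC are made up) so that the script runs offline; pass a real .lnk path on the command line to parse it instead.

```python
"""Minimal Windows Shell Link (.lnk) parser (added example for this article,
not the author's code). Field layout follows the public MS-SHLLINK spec; the
sample link at the bottom is constructed here so the script runs offline."""
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
                   0x10: "DIRECTORY", 0x20: "ARCHIVE"}
TRACKER_BLOCK_SIG = 0xA0000003            # ExtraData block with NetBIOS name + MAC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def cstring(data, off):
    """NULL-terminated ANSI string starting at byte offset off."""
    return data[off:data.index(b"\0", off)].decode("cp1252")


def parse_lnk(data):
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 20)
    info = {"attributes": [n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit],
            "target_created": filetime_to_dt(ctime),
            "target_accessed": filetime_to_dt(atime),
            "target_modified": filetime_to_dt(wtime),
            "target_size": fsize}
    pos = 0x4C
    if flags & HAS_IDLIST:                 # skip the shell item ID list (size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:               # volume, local path and/or network share
        li_size, _, li_flags, vol_off, lbp_off, cnrl_off, cps_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:                # VolumeIDAndLocalBasePath
            _, drive_type, serial, label_off = struct.unpack_from("<4I", data, pos + vol_off)
            info["drive_type"] = drive_type
            info["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            info["volume_label"] = cstring(data, pos + vol_off + label_off)
            info["local_base_path"] = cstring(data, pos + lbp_off) + cstring(data, pos + cps_off)
        if li_flags & 0x02:                # CommonNetworkRelativeLinkAndPathSuffix
            net_off = struct.unpack_from("<I", data, pos + cnrl_off + 8)[0]
            info["network_share"] = cstring(data, pos + cnrl_off + net_off) + "\\" + cstring(data, pos + cps_off)
        pos += li_size
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):   # StringData, fixed order
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos + 2:pos + 2 + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    while pos + 8 <= len(data):            # ExtraData blocks; a size < 4 is the terminal block
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4:
            break
        if sig == TRACKER_BLOCK_SIG:
            info["machine_id"] = cstring(data, pos + 16)            # NetBIOS name, NULL padded
            info["mac_address"] = data[pos + 58:pos + 64].hex(":")  # node field of the file DROID (UUIDv1)
        pos += bsize
    return info


def dt_to_filetime(dt):
    td = dt - FILETIME_EPOCH               # integer arithmetic keeps the tick count exact
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def build_sample_lnk():
    """Constructed sample (all values made up): a link to C:\\Users\\analyst\\Documents\\report.docx."""
    created = datetime(2019, 10, 29, 9, 30, tzinfo=timezone.utc)
    flags = HAS_IDLIST | HAS_LINKINFO | HAS_RELPATH | HAS_WORKDIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x22,   # HIDDEN | ARCHIVE
                         dt_to_filetime(created), dt_to_filetime(created), dt_to_filetime(created),
                         24576, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<HH", 6, 4) + b"\x1f\x50" + b"\0\0"      # one 4-byte item + terminator
    label, path = b"OSDISK\0", b"C:\\Users\\analyst\\Documents\\report.docx\0"
    volume = struct.pack("<4I", 16 + len(label), 3, 0x1A2B3C4D, 16) + label   # DRIVE_FIXED, serial
    body = volume + path + b"\0"                                     # VolumeID, LocalBasePath, CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(volume),
                            0, 28 + len(volume) + len(path)) + body

    def sd(s):                                                       # StringData: char count + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = sd(".\\report.docx") + sd("C:\\Users\\analyst\\Documents")
    mac = bytes.fromhex("000c29abcdef")                              # constructed MAC
    droid = bytes(16) + bytes(10) + mac                              # volume GUID + file GUID (node = MAC)
    tracker = struct.pack("<IIII", 0x60, TRACKER_BLOCK_SIG, 0x58, 0) + b"forensics-ws".ljust(16, b"\0") + droid + droid
    return header + idlist + link_info + strings + tracker + b"\0\0\0\0"


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    for k, v in parse_lnk(raw).items():
        print(f"{k:>16}: {v}")
```

The timestamps decoded here are the target file's own times as recorded inside the link, which is a separate source from the shortcut file's filesystem creation and modification times discussed in the previous section; comparing the two is a useful consistency check during review.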

Windows LNK Parsing Utility (lp)

One of the tools that can be used to analyze LNK files on Windows systems is the LNK Parsing Utility (lp), which can be downloaded free of charge from http://tzworks.net/prototype_page.php?proto_id=11. Example invocations of this tool are shown below.

lp <filename> [-csv]
dir C:\Users\*.lnk /b /s | lp [-csv] -> Used to parse every .lnk file beneath a directory.
dir "C:\Documents and Settings\*.lnk" /b /s | lp [-csv]
-csv = Output as comma-separated values.

Lifer - Windows Link File Examiner

Lifer is open source software for Linux environments that parses Windows LNK files; it can be downloaded from http://code.google.com/p/lifer/downloads/list. After downloading the source code, follow the steps below to compile and install it.

  • make
  • sudo make install
  • make clean

Example usages of this tool are as follows:

  • lifer -h -> Prints the help options.
  • lifer linkfile.lnk -> Parses the link file linkfile.lnk and prints the result.
  • lifer -s linkfile.lnk -> Same as the command above, but prints the information in short format.
  • lifer -o tsv ./Links/ > links.tsv -> Processes all .lnk files in the directory and writes the output in TSV format.

Windows File Analyzer

Windows File Analyzer is another tool that can be used to analyze LNK shortcut files, this time through a graphical interface; it can be downloaded from http://www.mitec.cz/wfa.html.

I'm Ismail Tasdelen. I have been working in the cyber security industry for +7 years. Don't forget to follow and applaud to support my content.