Windows LNK File Analysis in Forensic System Reviews
The concept of Recent Files describes the files most recently accessed by a user. In a forensic review, determining which applications and documents the user viewed most recently can be of critical importance to resolving the event. On a Windows operating system, a shortcut file is created for each file the user opens, under the Recent directory in the profile directory associated with that user's account. These files can be analyzed to determine which files the user last accessed. In particular, even if files that the user deleted or wiped can no longer be accessed, the shortcut files associated with them can still be retrieved, and information about the original files can be recovered from them.
Where link files with the LNK extension are stored varies depending on the operating system. The directories are:
Windows XP:
- \Documents and Settings\UserName\Recent
- \Documents and Settings\UserName\Application Data\Microsoft\Office\Recent
Windows Vista and Windows 7:
- \Users\UserName\AppData\Roaming\Microsoft\Windows\Recent
- \Users\UserName\AppData\Roaming\Microsoft\Office\Recent
UserName is a placeholder for the account name of the user concerned. For example, for the user named IsmailTasdelen, the exact path of the Windows 7 Recent directory would be \Users\IsmailTasdelen\AppData\Roaming\Microsoft\Windows\Recent. The creation time of a shortcut file indicates when the user first accessed the document, and its last modification time indicates when the document was last accessed. As an example, the following screenshot shows some of the contents of the Recent directory from a Windows 7 system. Here you can find out when the files were first and last accessed by looking at the time information in the Date created and Date modified fields.
Which Data is Stored in the LNK File?
The following information is obtained when an LNK file is analyzed:
- The full path to the target file or directory that the LNK file points to
- Creation, modification, and access times of the target file or directory
- Size of the target file or directory
- NetBIOS name and MAC address of the system on which the target was stored
- The serial number of the volume on which the target file or directory is stored
- Network share name if the target file or directory was accessed over the network
- Attributes of the target file or directory (for example, 'read only', 'hidden', 'system')
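To show where each of the fields listed above lives inside the file, here is a small parser written for this article (it is an added example, not code from the article or from any of the tools named below). It follows the MS-SHLLINK layout: the fixed 76-byte header carries the target's FILETIME timestamps, attributes and size; the LinkInfo structure carries the volume serial number and local base path; and the TrackerDataBlock carries the NetBIOS machine name together with a version-1 UUID whose node field is the MAC address. The sample link it builds (user name, path, serial number, machine name and MAC) is constructed test data, not a real artifact.

```python
"""Minimal MS-SHLLINK (.lnk) parser for the fields a forensic review needs.
Added example; not code from the article or from any named tool."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # name, relpath, workdir, args, icon
TRACKER_SIGNATURE = 0xA0000003
ATTRIBUTE_NAMES = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
                   0x10: "directory", 0x20: "archive"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    """Return the forensic fields of one .lnk file; ValueError if the header is wrong."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a Shell Link file")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    result = {
        "attributes": [name for bit, name in ATTRIBUTE_NAMES.items() if attrs & bit],
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "modified": filetime_to_datetime(wtime),
        "target_size": size,
        "volume_serial": None, "local_path": None,
        "machine_id": None, "mac_address": None,
    }
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:          # skip the IDList via its 16-bit size prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                     # VolumeIDAndLocalBasePath present
            serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]  # after size, drive type
            result["volume_serial"] = "%08X" % serial
            end = data.index(b"\x00", pos + base_off)
            result["local_path"] = data[pos + base_off:end].decode("cp1252", "replace")
        pos += li_size
    char = 2 if flags & IS_UNICODE else 1        # StringData entries are count-prefixed strings
    for bit in STRING_DATA_FLAGS:
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char
    while pos + 8 <= len(data):                  # ExtraData blocks; a size < 4 block terminates
        blk_size, sig = struct.unpack_from("<II", data, pos)
        if blk_size < 8 or pos + blk_size > len(data):
            break
        if sig == TRACKER_SIGNATURE:
            machine = data[pos + 16:pos + 32].split(b"\x00", 1)[0]
            result["machine_id"] = machine.decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])  # second Droid GUID (v1 UUID)
            node = "%012x" % file_droid.node
            result["mac_address"] = ":".join(node[i:i + 2] for i in range(0, 12, 2))
        pos += blk_size
    return result


def build_sample_lnk():
    """Construct a small, well-formed .lnk for testing (constructed data, not a real artifact)."""
    def filetime(dt):
        return int((dt - EPOCH_1601).total_seconds()) * 10_000_000
    created = filetime(datetime(2017, 3, 1, 9, 30, tzinfo=timezone.utc))
    modified = created + 600 * 10_000_000                   # ten minutes later
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, HAS_LINK_INFO,
                         0x21, created, created, modified, 4096, 0, 1, 0, 0, 0, 0)
    label, path = b"OS\x00", b"C:\\Users\\IsmailTasdelen\\Documents\\report.docx\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label
    vol_off, suffix = 0x1C, b"\x00"
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x01, vol_off, base_off, 0,
                            suffix_off) + volume_id + path + suffix
    file_droid = uuid.UUID(fields=(0x12345678, 0x1234, 0x11D3, 0x80, 0x00, 0x001122334455))
    vol_droid = uuid.UUID("12345678-90ab-4cde-8f01-234567890abc")
    tracker = (struct.pack("<IIII", 96, TRACKER_SIGNATURE, 0x58, 0)
               + b"WKS-FORENSIC01".ljust(16, b"\x00")
               + (vol_droid.bytes_le + file_droid.bytes_le) * 2)   # Droid and DroidBirth
    return header + link_info + tracker + b"\x00\x00\x00\x00"      # terminal block


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print("%-14s %s" % (key, value))
```

The timestamps returned here are the target file's own times copied into the link when it was created, which is why a link can still report them after the target has been wiped; the first-access and last-access times of the link itself come from the .lnk file's creation and modification times on disk, as described above. To run it over a real Recent directory, pass the bytes of each .lnk file to parse_lnk.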
Windows LNK Parsing Utility (lp)
One of the applications that can be used to analyze LNK files on Windows systems is the LNK Parsing Utility (lp), which can be downloaded from http://tzworks.net/prototype_page.php?proto_id=11 and used free of charge. Below you can find usage examples of this application.
lp <filename> [-csv]
dir C:\Users\*.lnk /b /s | lp [-csv] -> Used if all lnk files under a directory are to be parsed.
dir "C:\Documents and Settings\*.lnk" /b /s | lp [-csv]
-csv = Outputs comma-separated values.
Lifer - Windows Link File Examiner
Lifer is open source software that runs in a Linux environment and can parse Windows LNK files; it can be downloaded from http://code.google.com/p/lifer/downloads/list. After downloading the source code, follow the steps below to compile and install it:
- make
- sudo make install
- make clean
Example usages of this application are as follows:
- lifer -h -> Prints the help options.
- lifer linkfile.lnk -> Parses the link file linkfile.lnk and prints the result.
- lifer -s linkfile.lnk -> Similar to the above command, but prints the information in short format.
- lifer -o tsv ./Links/ > links.tsv -> Processes all lnk files in the directory and writes the output in TSV format.
Windows File Analyzer
Windows File Analyzer is another application that can be used to analyze LNK shortcut files with the help of a graphical interface; it can be downloaded from http://www.mitec.cz/wfa.html.