Forensic Analysis of LNK files

This is the third blog post in a series of five about recovering Business Applications & OS Artifacts for your digital forensics investigations. 

What are LNK Files?

LNK files are a relatively simple but valuable artifact for the forensics investigator. They are shortcut files that link to an application or file commonly found on a user’s desktop, or throughout a system and end with an .LNK extension. LNK files can be created by the user, or automatically by the Windows operating system. Each has their own value and meaning. Windows-created LNK files are generated when a user opens a local or remote file or document, giving investigators valuable information on a suspect’s activity.

Why are LNK Files Important to Your Digital Forensics Investigation?

LNK files are excellent artifacts for forensic investigators who are trying to find files that may no longer exist on the system they’re examining. The files might have been wiped or deleted, stored on a USB or network share, so although the file might no longer be there, the LNK files associated with the original file will still exist (and reveal valuable information as to what was executed on the system).

The Key Artifacts That Need to be Found When Investigating LNK Files

LNK files typically contain the following items of evidentiary value:

1. The original path of the file
2. MAC times of the original file; not only will a LNK file contain timestamps for the LNK file itself, it will also contain MAC times for the linked file within its metadata as well
3. Information about the volume and system where the LNK file is stored. This will include volume name, serial number, NetBIOS name, and MAC address of the host where the linked file is stored
4. Network details if the file was stored on a network share or remote computer
5. File size of the linked file

Let’s take a look at an example:

I have a Windows 7 virtual machine that Windows has automatically created a LNK file named “Win7 SIFT Workstation.vmx.lnk”. Below is the raw output of the LNK file and while we can see quite a bit of valuable data as mentioned above, it does require some interpretation:

Making LNK File Analysis Easier with Internet Evidence Finder (IEF)

IEF takes this data and cleans it up for the investigator, providing a wealth of information about “Win7 SIFT Workstation.vmx.lnk” including the linked path, computer and volume information where it was first run from (including the MAC address of the computer), and most importantly, timestamps around the LNK file and the original VMX file. The ‘date-created’ MAC time for the LNK file will tell the investigator when the file was first opened, and the ‘date-modified’ time will identify when the file was last opened by the user. Additionally, inside the LNK file are timestamps related to the creation and modification dates of the original VMX file.

We can see below that IEF has taken the raw data above, sorted and organized it for the investigator in a far easier format:

1. Path of the VMX file being linked to
2. MAC times for the LNK file
3. MAC times for the linked VMX file
4. Volume name and serial number
5. NetBIOS name and MAC address of source computer
6. File size of the linked VMX file

By adding LNK artifacts to IEF, our aim is to simplify the recovery of this well-known artifact, and improve the efficiency of your investigations by letting you find more types of evidence with one search and tool.

As always, feel free to get in touch with me by emailing jamie.mcquaid@magnetforensics.com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics