LNK Files
LNK (shortcut) files record information about the target file they point to.

File Location:
C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Recent
Parse Data
#Parsing on Linux
exiftool TEST.lnk
The three File timestamps at the top of the output are for the LNK file itself.
The three Date timestamps at the bottom are for the source file.
Target File Size - Source file size
Volume Label - Drive label
Machine ID - Machine name
A MAC address may also be recoverable

#LECmd output
LECmd.exe -d F:\Tools\Investigation\Logs\logs2 --csv F:\Tools\Investigation\Logs\logs2\output.csv
Shows all the same information as ExifTool, but includes more.

Considerations
Shortcuts for folders will not show the size of the objects in the folder.

LNK entries are created for non-executables in the Recent folder.
The Windows GUI displays only up to 260 characters when viewing the properties of an LNK file. This can be used to hide malicious command lines from GUI inspection.
Creating a file will create an LNK entry in the Recent folder on Windows 10+

Modifying the source file will modify the M timestamp for the LNK file.

Opening the source file will also update M timestamp in the LNK file.
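
The source-file timestamps and size listed under Parse Data, and the 260-character GUI limit noted above, can be checked straight from the file's bytes. This Python parser is an added example, not part of the original notes or of ExifTool/LECmd: it reads the target timestamps and size from the 76-byte shell link header and flags argument strings longer than 260 characters. The names `parse_lnk` and `build_sample`, the constructed sample bytes and the cp1252 fallback for non-Unicode strings are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class ID
GUI_LIMIT = 260  # characters shown in the Properties dialog, per the notes above
STRING_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location"))

def filetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return target timestamps, target size and arguments from raw LNK bytes."""
    if len(data) < 76:
        raise ValueError("too short for a shell link header")
    size, clsid, flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte size that counts itself
        off += struct.unpack_from("<I", data, off)[0]
    # IsUnicode selects UTF-16; the cp1252 fallback is an assumption of this example
    width, enc = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
    strings = {}
    for bit, name in STRING_FLAGS:  # StringData entries appear in this order
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]  # length in characters
            end = off + 2 + count * width
            strings[name] = data[off + 2:end].decode(enc, "replace")
            off = end
    args = strings.get("arguments", "")
    return {"target_created": filetime(ctime), "target_accessed": filetime(atime),
            "target_modified": filetime(wtime), "target_size": fsize,
            "arguments": args, "exceeds_gui_limit": len(args) > GUI_LIMIT}

def build_sample(arguments):
    """Constructed input: bare header plus one Unicode arguments string."""
    ft = 133485408000000000  # constructed value: 2024-01-01 00:00:00 UTC
    header = struct.pack("<I16sIIQQQI", 0x4C, LNK_CLSID, 0xA0, 0x20, ft, ft, ft, 4096)
    return header + bytes(20) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample("x" * 300)).items():  # constructed
        print(f"{key}: {value!r}")
```

To triage a real shortcut, pass `open(path, "rb").read()` to `parse_lnk`; a set `exceeds_gui_limit` means the full argument string should be read from the parsed output rather than from the Properties dialog.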


Anti-Forensics
Delete Recents directory.
LNK files will still persist after source file is deleted.