LNK Files

Shows information about the target file.

File Location:

  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Recent

Parse Data

#Parsing on Linux
exiftool TEST.lnk
  • The three File* timestamps (top 3) are the LNK file's own filesystem timestamps.

  • The Create/Access/Modify Date timestamps (bottom 3) come from the LNK header and describe the source (target) file.

  • Target File Size - size of the source file

  • Volume Label - label of the drive the source file lived on

  • Machine ID - NetBIOS name of the machine the LNK was created on

  • A MAC address may also be present (only when the embedded tracker GUID is a version-1 GUID, which encodes the NIC address).

#LECmd output
# --csv takes an output directory; --csvf names the file written inside it
LECmd.exe -d F:\Tools\Investigation\Logs\logs2 --csv F:\Tools\Investigation\Logs\logs2 --csvf output.csv
  • Shows all the same information as ExifTool, but includes more.

Considerations

  • LNK entries are created for non-executables in the Recent folder.

  • The Windows GUI only displays up to 260 characters when viewing the properties of an LNK file. This can be used to hide malicious command lines from GUI inspection; parse the file instead of trusting the properties dialog.

  • Creating a file creates an LNK entry in Recent on Windows 10 and later.

  • Modifying the source file updates the M (modified) timestamp of the LNK file.

  • Opening the source file also updates the M timestamp of the LNK file.
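Added example, not part of the original notes: a minimal parser for the fields the Parse Data section lists (the three target timestamps, target size, the TrackerDataBlock machine name and MAC) that also flags command-line arguments longer than the 260 characters the properties dialog shows. The .lnk bytes are constructed inline from the MS-SHLLINK layout and are not a real capture; a real file can be passed to parse_lnk() as raw bytes.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

STRING_DATA = ["name", "relative_path", "working_dir", "arguments", "icon_location"]  # LinkFlags 0x04..0x40

def filetime_to_utc(ft):
    # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    # ShellLinkHeader: size, CLSID (skipped), LinkFlags, FileAttributes, three FILETIMEs, FileSize
    hsize, flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16xIIQQQI", data, 0)
    assert hsize == 0x4C, "not a ShellLink header"
    off = 0x4C
    if flags & 0x01:                                    # HasLinkTargetIDList: skip it
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                    # HasLinkInfo: skip it
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for i, key in enumerate(STRING_DATA):               # StringData: CountCharacters + characters
        if flags & (0x04 << i):
            n, off = struct.unpack_from("<H", data, off)[0], off + 2
            width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")   # IsUnicode flag
            strings[key] = data[off:off + n * width].decode(codec)
            off += n * width
    tracker = {}
    while off + 8 <= len(data):                         # ExtraData blocks; a size < 4 terminates
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == 0xA0000003:                           # TrackerDataBlock
            tracker["machine_id"] = data[off + 16:off + 32].split(b"\0")[0].decode(errors="replace")
            droid_file = uuid.UUID(bytes_le=data[off + 48:off + 64])   # DroidFileIdentifier
            if droid_file.version == 1:                 # only v1 GUIDs embed a NIC MAC address
                tracker["mac"] = ":".join(f"{b:02x}" for b in droid_file.bytes[-6:])
        off += size
    return {"target_created": filetime_to_utc(ctime), "target_accessed": filetime_to_utc(atime),
            "target_modified": filetime_to_utc(wtime), "target_size": fsize, "strings": strings,
            "tracker": tracker, "args_exceed_gui_limit": len(strings.get("arguments", "")) > 260}

# Constructed sample .lnk, not a real capture: Unicode arguments over 260 chars, no IDList/LinkInfo.
_FT = 132_000_000_000_000_000                           # FILETIME for 2019-04-17 18:40:00 UTC
_ARGS = "/demo " + "x" * 300
_GUIDS = uuid.UUID("11111111-2222-1333-8444-000000000000").bytes_le + uuid.UUID("55555555-6666-1777-8888-001122334455").bytes_le
SAMPLE_LNK = (
    struct.pack("<I16sIIQQQIIIH10x", 0x4C, uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le,
                0x20 | 0x80, 0x20, _FT, _FT, _FT + 600_000_000, 4096, 0, 1, 0)
    + struct.pack("<H", len(_ARGS)) + _ARGS.encode("utf-16-le")
    + struct.pack("<IIII", 0x60, 0xA0000003, 0x58, 0) + b"DESKTOP-DEMO".ljust(16, b"\0")
    + _GUIDS + _GUIDS + b"\0\0\0\0")                    # Droid, DroidBirth, terminal block
```

Run `parse_lnk(SAMPLE_LNK)` to see the target timestamps, the tracker machine name and MAC, and the over-limit flag; the IDList and LinkInfo sections are skipped here, so volume label and local path still need a fuller parser such as LECmd.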

Anti-Forensics

  • Delete Recents directory.

  • LNK files will still persist after source file is deleted.
