Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked.
What are Link files?
Link files are created by the system when a file is opened, even if that file is opened and edited on removable media and never copied to the system, a link file will be created. Link files contain a whole host of useful information including the original location of a file, the volume information from the location the file was opened from, MAC times of the file and the drive letter associated with that file.
They are stored under the Recent Documents folder and Office Recent folder. Located:
- Win XP
- c:\documents and settings\<user>\Recent\
- Windows 7/8
How to Extract Data
When you browse to the link file location with Explorer you will see the following screen
Each item in this directory is a link file, a short cut to the original. If you were to double click one of these files you would be taken to the location of the original file it links to.
The top most entry (highlighted) shows creation date to the left and modification date to the right. this is the first and last opened time of the file or folder respectively.
When we view the link file through exiftool we get the following output:
The relative path is set with ..\..\..\ because the exiftool program was executed from the Desktop. We have the path as a folder on the desktop and the drive as C:\. We can also see that it is a directory all 4 relevant timestamps (remember access timestamps are no longer reliable) are in agreement, which is always nice.
For the sake of completeness I have also included a link file which points to a removable device:
Notice the difference in the timestamps, this is a legitimate file with no manipulation of the timestamps. The “File” timestamps show when the link file was created on the machine, but the second set of timestamps show from the original .zip file. This file has been on a backup drive of mine for some time (it’s a useful program), hence the dates. It is interesting how the Access date is later than the modify date, especially as it was downloaded on a Windows 7 machine. The drive it sits on was formatted by a Windows XP machine however.
If anyone would like to explain the details of the timestamps please leave a comment, I will make sure you get full credit 🙂
But I want to check all of the Link files at the same time! This will take ages!!
Stop whining! There is a command line tool called LP.exe which can output the data to a CSV file. And I was just kidding about the whining, it was a valid point.