Additionally, inside the LNK file are timestamps related to the creation and modification dates of the original VMX file. The ‘date-created’ MAC time for the LNK file will tell the investigator when the file was first opened, and the ‘date-modified’ time will identify when the file was last opened by the user. IEF takes this data and cleans it up for the investigator, providing a wealth of information about “Win7 SIFT ” including the linked path, computer and volume information where it was first run from (including the MAC address of the computer), and most importantly, timestamps around the LNK file and the original VMX file. Making LNK File Analysis Easier with Internet Evidence Finder (IEF) Below is the raw output of the LNK file and while we can see quite a bit of valuable data as mentioned above, it does require some interpretation:
I have a Windows 7 virtual machine that Windows has automatically created a LNK file named “Win7 SIFT ”.
This will include volume name, serial number, NetBIOS name, and MAC address of the host where the linked file is stored Information about the volume and system where the LNK file is stored.MAC times of the original file not only will a LNK file contain timestamps for the LNK file itself, it will also contain MAC times for the linked file within its metadata as well.LNK files typically contain the following items of evidentiary value: The Key Artifacts That Need to be Found When Investigating LNK Files The files might have been wiped or deleted, stored on a USB or network share, so although the file might no longer be there, the LNK files associated with the original file will still exist (and reveal valuable information as to what was executed on the system). LNK files are excellent artifacts for forensic investigators who are trying to find files that may no longer exist on the system they’re examining. Why are LNK Files Important to Your Digital Forensics Investigation? Windows-created LNK files are generated when a user opens a local or remote file or document, giving investigators valuable information on a suspect’s activity. LNK files can be created by the user, or automatically by the Windows operating system. They are shortcut files that link to an application or file commonly found on a user’s desktop, or throughout a system and end with an. LNK files are a relatively simple but valuable artifact for the forensics investigator.
This is the third blog post in a series of five about recovering Business Applications & OS Artifacts for your digital forensics investigations.