LNK Shortcuts
Windows LNK shortcut files are binary link files that the shell creates automatically every time a user opens a file or document. They are arguably one of the most underestimated artifacts in digital forensics. A single LNK file tells investigators the full path of the accessed file, what drive it was on, the machine name it came from and precisely when it was last accessed — even after the target document has been permanently deleted.
Imagine you leave a sticky note on your desk every time you borrow a book from a shelf, writing down the book's title, exactly where you got it from and what time you grabbed it. Windows LNK files are those sticky notes. Every time you open a file, Windows automatically sticks a note in a hidden folder describing exactly what you just touched. If someone cleans up all the books, the notes are still there.
General
LNK files are structured binary documents defined by the Shell Link Binary File Format specification (MS-SHLLINK). Windows automatically creates them in %APPDATA%\Microsoft\Windows\Recent\ every time a user opens a file from Explorer or any Office application. The structure contains a header block (ShellLinkHeader) with the target's MAC times and file size, a LinkTarget block embedding the full file path, and a data block that can include network share names and remote machine hostnames. Critically, the timestamps embedded inside the LNK header reflect the target file's state at the time it was last accessed, i.e. when the shortcut was written, not the LNK file's own filesystem timestamps. This distinction is what makes them forensically powerful.
Traces
Parsing LNK files with the appropriate tooling reveals a wealth of user and system context:
- Target File Path: The absolute local or UNC network path to the file the user opened.
- Target Timestamps: The Creation, Modification and Accessed times of the target file at the moment the shortcut was generated.
- Target File Size: The byte size of the referenced document at interaction time.
- Volume Serial Number: Unique identifier of the drive the target file resided on.
- Machine NetBIOS Name: The hostname of the machine where the file originated, invaluable for tracking lateral movement.
- and more.
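As an added example (not from the original page), the following Python parses the 76-byte ShellLinkHeader described in the General section and extracts the target timestamps, size and LinkFlags listed above. It works on a constructed header built in the script itself rather than a real .lnk file, and the field layout and the CLSID constant come from the MS-SHLLINK specification.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed values from MS-SHLLINK section 2.1 (ShellLinkHeader).
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"  # little-endian, 76 bytes in total
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_shell_link_header(data):
    """Parse the 76-byte ShellLinkHeader and return the target metadata it embeds."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data shorter than a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, show,
     _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs,
        # The three times describe the *target* as it was when the link was
        # written, not the .lnk file's own filesystem timestamps.
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "show_command": show,
    }

# Constructed sample header (no real .lnk is read): a 1,234,567-byte target
# created 2024-03-15 10:30 UTC, with the HasLinkInfo and IsUnicode flags set.
SAMPLE_CREATED = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_HEADER = struct.pack(
    HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0x02 | 0x80, 0x20,
    datetime_to_filetime(SAMPLE_CREATED),
    datetime_to_filetime(SAMPLE_CREATED + timedelta(days=2)),  # accessed
    datetime_to_filetime(SAMPLE_CREATED + timedelta(days=1)),  # modified
    1234567, 0, 1, 0, 0, 0, 0)
```

To run it against a real shortcut, pass the first 76 bytes of the file to parse_shell_link_header; the LinkInfo and TrackerDataBlock structures that carry the path, volume serial and NetBIOS name follow the header and are not decoded here.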
Forensic Value
We analyze LNK files to prove file access, reconstruct timelines and track data movement:
- Proving File Access: Conclusively demonstrating a user opened a specific document even after the original file is gone. Link this with RecentDocs to verify the full scope of interaction.
- USB Drive Identification: Matching the volume serial number in the LNK to a specific removable drive found during a search.
- Application Context: Pivot to JumpLists for a deeper dive into application-specific pinned and recent items that may not appear in RecentDocs.
- Lateral Movement Detection: Identifying UNC paths pointing to remote machines a user accessed via network file shares.
For more info, see these articles: JumpLists, RecentDocs