Software is normally installed in the AppData or Program Files folder on Windows. The program icons that you find on the Desktop and in the Start Menu are simply shortcuts that point to the real location of the software. A shortcut to a file can easily be created from the right-click context menu, so that you can run the program from any location you prefer without touching or moving the real file. If you right-click on the shortcut and select Properties from the menu, the shortcut Properties window will display where the actual file is located, the shortcut key to run it, the run mode and a comment. A shortcut file (.lnk) actually contains much more information than what you see on the Properties window, and that extra information can be a wealth of useful evidence for forensic investigators.
Using third-party forensic tools such as lnkanalyser and Windows LNK Parsing Utility (lp), we are able to easily parse LNK files and extract this obscure information.
Both lnkanalyser and Windows LNK Parsing Utility are command line tools that don't have a graphical user interface. However, they are pretty simple to use, because all you need to do is specify the name of the shortcut file that you want to analyze.
For lnkanalyser, the command to analyze a lnk shortcut file is:
lnkanalyser.exe -i shortcut.lnk
The result below is a sample of what you will get from lnkanalyser when parsing a .lnk file.
lnkanalyser v1.0.1

Lnk Metadata
—————
Path: X-Ray.lnk
Flags:
Attributes: Archive
Show Command: SW_SHOWNORMAL
Name:
Relative Path: .\X-Ray.exe
Working Path: C:\Users\Raymond\Desktop\X-Ray
Arguments:
Icon Location:

Target Metadata
—————
Created Timestamp: 12/19/2011 5:55:42 AM
Accessed Timestamp: 12/19/2011 5:55:42 AM
Written Timestamp: 12/19/2011 6:00:59 AM
File Size: 409224
Icon Index: 0

Volume Id
—————
Drive Type: DRIVE_FIXED
Serial No: CA5DXXXX
Name:

TrackerDataBlock
—————
MachineId: computer
NewVolumeId: 2613E2AC5A85D74C8F5B47F401965222
NewObjectId: 0B24B6D2505FE111A0BD001C42000009
NewObjectId Timestamp: 2/25/2012 1:34:13 AM
NewObjectId Sequence Number: 8381
NewObjectId MAC Address: XX:XX:XX:XX:XX:XX
BirthVolumeId: 2613E2AC5A85D74C8F5B47F401965222
BirthObjectId: 0B24B6D2505FE111A0BD001C42000009
BirthObjectId Timestamp: 2/25/2012 1:34:13 AM
BirthObjectId Sequence Number: 8381
BirthObjectId MAC Address: XX:XX:XX:XX:XX:XX

CommonNetworkRelativeLink
—————
Device Name:
Net Name: \\COMPUTER\Users
Network Provider Type: WNNC_NET_LANMAN
As you can see from the result above, the shortcut contains the path to the target file or directory it references, the created, modified and accessed date/time stamps of that target, the size of the target, the serial number of the volume where the target was stored, the network share name, the target's attributes (such as whether it was read-only, hidden, system, etc.), and, in the TrackerDataBlock, the MAC address of the host computer. That MAC address comes from the ObjectId, which is a version 1 UUID, so the time the ID was generated and its sequence number are recoverable from the same 16 bytes; the MachineId field next to it holds the computer name. The Windows LNK Parsing Utility (lp) does the same, except that it also supports batch processing using a wildcard (*.lnk) and dumping the output as one line of comma-separated values per file (-csv).
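To show what those tools are actually pulling out of the file, here is an added example parser, written for this page and not taken from the post, lnkanalyser or lp. It walks the MS-SHLLINK structures in order (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData, ExtraData) and decodes the TrackerDataBlock ObjectId as a version 1 UUID to recover the MAC address, sequence number and timestamp. Its input is a constructed .lnk fixture built by build_sample_lnk() that reproduces the values shown in the output above; the volume serial (1234ABCD), the dummy ItemID, the local base path and the common path suffix are made up, since the post does not show them. To run it against a real shortcut, pass open(path, "rb").read() to parse_lnk().

```python
"""Minimal parser for Windows shell link (.lnk, MS-SHLLINK) files.
Added example, not code from the original post, lnkanalyser or lp. It reads the forensic fields
those tools print, including the TrackerDataBlock whose UUID v1 ObjectId embeds the host's MAC.
Simplification: ANSI LinkInfo paths only (the optional Unicode offset variants are not handled)."""
import json
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)     # FILETIME epoch, 100 ns ticks
EPOCH_1582 = datetime(1582, 10, 15, tzinfo=timezone.utc)   # UUID v1 epoch, 100 ns ticks
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003                                   # TrackerDataBlock signature
DRIVE_TYPES = {2: "DRIVE_REMOVABLE", 3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM"}
ATTR_NAMES = {0x01: "ReadOnly", 0x02: "Hidden", 0x04: "System", 0x10: "Directory", 0x20: "Archive"}
SHOW_CMDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}

def cstr(buf, off):                                        # null-terminated ANSI string at buf[off:]
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def ticks_to_str(epoch, ticks):                            # 100 ns ticks after epoch -> UTC text
    return (epoch + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%d %H:%M:%S")

def object_id_info(raw16):
    """Tracker ObjectIds are UUID v1: creation time, clock sequence and node (MAC) come back out."""
    u = uuid.UUID(bytes_le=raw16)                          # GUID fields are stored little-endian
    mac = ":".join(f"{(u.node >> s) & 0xFF:02X}" for s in range(40, -1, -8))
    return {"guid": raw16.hex().upper(), "version": u.version, "sequence": u.clock_seq,
            "time": ticks_to_str(EPOCH_1582, u.time), "mac": mac}

def parse_lnk(data):
    hdr_size, flags, attrs, ctime, atime, wtime, fsize, icon, show = struct.unpack_from(
        "<I16xIIQQQIiI", data, 0)
    if hdr_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"attributes": [n for b, n in ATTR_NAMES.items() if attrs & b], "file_size": fsize,
            "show_command": SHOW_CMDS.get(show, hex(show)), "icon_index": icon,
            "created": ticks_to_str(EPOCH_1601, ctime), "accessed": ticks_to_str(EPOCH_1601, atime),
            "written": ticks_to_str(EPOCH_1601, wtime)}
    pos = 0x4C
    if flags & 0x01:                                       # HasLinkTargetIDList: skip the PIDL
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                       # HasLinkInfo
        li_size, _, li_flags, vol_off, base_off, cnrl_off = struct.unpack_from("<6I", data, pos)
        li = data[pos:pos + li_size]
        if li_flags & 0x01:                                # VolumeIDAndLocalBasePath
            drive, serial, label_off = struct.unpack_from("<4xIII", li, vol_off)
            info.update(drive_type=DRIVE_TYPES.get(drive, str(drive)), volume_serial=f"{serial:08X}",
                        volume_label=cstr(li, vol_off + label_off), local_base_path=cstr(li, base_off))
        if li_flags & 0x02:                                # CommonNetworkRelativeLinkAndPathSuffix
            cn_flags, name_off, dev_off, provider = struct.unpack_from("<4xIIII", li, cnrl_off)
            info.update(net_name=cstr(li, cnrl_off + name_off),
                        device_name=cstr(li, cnrl_off + dev_off) if cn_flags & 0x01 else "",
                        provider="WNNC_NET_LANMAN" if provider == 0x00020000 else hex(provider))
        pos += li_size
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")):
        info[key] = ""
        if flags & bit:                                    # StringData: uint16 char count, no terminator
            n = struct.unpack_from("<H", data, pos)[0] * (2 if flags & 0x80 else 1)   # IsUnicode
            info[key] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if flags & 0x80 else "latin-1")
            pos += 2 + n
    while pos + 4 <= len(data):                            # ExtraData blocks until the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG:
            blk = data[pos + 16:pos + size]                # after BlockSize, Signature, Length, Version
            info["tracker"] = {"machine_id": cstr(blk, 0), "volume_id": blk[16:32].hex().upper(),
                               "object_id": object_id_info(blk[32:48]),
                               "birth_volume_id": blk[48:64].hex().upper(),
                               "birth_object_id": object_id_info(blk[64:80])}
        pos += size
    return info

def build_sample_lnk():
    """Constructed fixture reproducing the post's X-Ray.lnk output; serial, PIDL and paths are made up."""
    def ft(*t): return (datetime(*t, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
    def sd(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    hdr = struct.pack("<I16sIIQQQIiIH10x", 0x4C, LNK_CLSID, 0x9B, 0x20, ft(2011, 12, 19, 5, 55, 42),
                      ft(2011, 12, 19, 5, 55, 42), ft(2011, 12, 19, 6, 0, 59), 409224, 0, 1, 0)
    idlist = struct.pack("<HH", 6, 4) + b"\x1f\x50\x00\x00"         # one dummy ItemID + terminator
    vol = struct.pack("<4I", 17, 3, 0x1234ABCD, 0x10) + b"\x00"      # DRIVE_FIXED, empty label
    base = b"C:\\Users\\Raymond\\Desktop\\X-Ray\\X-Ray.exe\x00"
    net = b"\\\\COMPUTER\\Users\x00"
    cnrl = struct.pack("<5I", 20 + len(net), 0x02, 0x14, 0, 0x00020000) + net   # ValidNetType, LANMAN
    o1, o2, o3 = 0x1C + len(vol), 0x1C + len(vol) + len(base), 0x1C + len(vol) + len(base) + len(cnrl)
    body = vol + base + cnrl + b"X-Ray\\X-Ray.exe\x00"
    linkinfo = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x03, 0x1C, o1, o2, o3) + body
    strings = sd(".\\X-Ray.exe") + sd("C:\\Users\\Raymond\\Desktop\\X-Ray")
    droid = bytes.fromhex("2613E2AC5A85D74C8F5B47F401965222" "0B24B6D2505FE111A0BD001C42000009")
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIG, 0x58, 0, b"computer") + droid + droid
    return hdr + idlist + linkinfo + strings + tracker + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    print(json.dumps(parse_lnk(build_sample_lnk()), indent=1))
```

Timestamps are printed in UTC, whereas lnkanalyser prints in the analysis machine's local time, so compare accordingly. The ObjectId in the post's own sample decodes to sequence number 8381 and the 00:1C:42 vendor prefix, which is why the MAC is redacted in the output above: a version 1 UUID is a plain-text record of the adapter that generated it. Real shortcuts created by Explorer on a Unicode path set LinkInfoHeaderSize to 0x24 and carry Unicode offsets that this example does not read; extending it is a matter of honoring those extra offsets when the header size says they are present.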
Now you know that a simple shortcut can contain information that is traceable to you.
Download lnkanalyser
Download Windows LNK Parsing Utility
Parse and Analyze Windows LNK Shortcut Files is a post from: Raymond.CC Blog