LNK Files (Windows Shortcut Files)

Windows, User Activity, Disk Image

Location

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and C:\Users\<username>\Desktop\

Description

Windows shortcut files (.lnk) are created automatically when a user opens a file, or manually as desktop shortcuts. Each LNK file contains rich metadata including target path, MAC (modified, accessed, created) timestamps, volume serial number, volume name, machine MAC address, and network share path.

Forensic Value

LNK files persist as evidence of file access even after the target file is deleted. The embedded metadata provides the original file path, all three timestamps of the target at the time the LNK was created, and the volume serial number and MAC address of the machine where the target resided. For files accessed over network shares, the LNK preserves the full UNC path. LNK creation timestamps in the Recent folder establish when a user first opened a specific file.
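The target timestamps, volume serial number and local path described above can be read straight from the file's header and LinkInfo block. The following Python parser is an added example, not part of the original page and not code from LECmd or any other tool listed here. It follows the MS-SHLLINK layout, covers only the ANSI local-path case, assumes code page 1252 for the path, and runs against constructed sample bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # fixed CLSID of every LNK
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2  # LinkFlags bits used here

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; 0 means unset."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return target MAC times, size, volume serial and local path from LNK bytes."""
    if len(data) < 0x4C:
        raise ValueError("truncated ShellLinkHeader")
    size, clsid, flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    out = {"target_created": filetime(ctime), "target_accessed": filetime(atime),
           "target_modified": filetime(wtime), "target_size": fsize,
           "volume_serial": None, "local_path": None}
    pos = 0x4C
    if flags & HAS_ID_LIST:  # skip LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        _size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath present
            serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            start = pos + path_off
            # Assumption: ANSI path decoded as cp1252 (really the host's code page)
            out["local_path"] = data[start:data.index(b"\0", start)].decode("cp1252", "replace")
    return out

def build_sample():
    """Constructed sample (header + LinkInfo, no IDList); not a real capture."""
    ft = 132539328000000000  # 2021-01-01 00:00:00 UTC as FILETIME
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, HAS_LINK_INFO,
                         0x20, ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)
    path = b"C:\\Users\\alice\\Documents\\report.docx\0"  # hypothetical target
    volume_id = struct.pack("<4I", 17, 3, 0x1234ABCD, 16) + b"\0"  # empty label
    info_hdr = struct.pack("<7I", 28 + 17 + len(path) + 1, 28, 1, 28, 45, 0, 45 + len(path))
    return header + info_hdr + volume_id + path + b"\0"

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key}: {value}")
```

The three header timestamps describe the target file, not the LNK itself; compare them with the LNK's own file system timestamps in the Recent folder when building a timeline.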

Tools Required

KAPE, LECmd (Eric Zimmerman), LNK Parser, Autopsy

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target LnkFiles

LECmd

LECmd.exe -d "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\output --csvf LNKFiles.csv

PowerShell

Copy-Item "C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*.lnk" -Destination C:\output\LNK\

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1204.002, T1547.009, T1566.001