LNK Files (Windows Shortcut Files)

windowsUser ActivityDisk Image

Location

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and C:\Users\<username>\Desktop\

Description

Windows shortcut files (.lnk) created automatically when a user opens a file or manually for desktop shortcuts. Each LNK file contains rich metadata including target path, MAC timestamps, volume serial number, volume name, machine MAC address, and network share path.

Forensic Value

LNK files persist as evidence of file access even after the target file is deleted. The embedded metadata provides the original file path, all three timestamps of the target at the time the LNK was created, and the volume serial number and MAC address of the machine where the target resided. For files accessed over network shares, the LNK preserves the full UNC path. LNK creation timestamps in the Recent folder establish when a user first opened a specific file.

Tools Required

KAPELECmd (Eric Zimmerman)LNK ParserAutopsy

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical