Shortcut files / LNK

Overview

Shortcut files (*.lnk) are Windows Shell Items that reference to an original file, folder, or application. The effect of double-clicking a shortcut file is intended to be the same as double-clicking the application or file to which it refers. In addition, command line parameters and the folder in which the target should be opened can be specified in the shortcut. The shortcut files have a magic number of 0x4C (4C 00 00 00).

While shortcut files can be created manually, the Windows operating system also creates shortcut files under numerous user activities, such as opening of a non-executable file. For instance, a shortcut file is created under [...]\AppData\Roaming\Microsoft\Windows\Recent\ whenever a file is opened from the Windows Explorer. Shortcut files created in such circumstances are referenced in the NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs registry keys.

These automatically created and updated shortcut files are not deleted upon deletion of their associated files.

The shortcut files format is also used for entries within the AutomaticDestinations and CustomDestinations JumpLists files (introduced in Windows 7).

Information of interest

The creation and modification timestamps of the shortcut file itself will usually respectively indicate when the target file was first and last opened for automatically created shortcut files.

Each shortcut file additionally yields the following information:

• The target file’s absolute path, size and attributes (hidden, read-only, etc.). The size and attributes are updated upon every access to the target file (that induce an update to the shortcut file).

• The target file and the shortcut file (source) itself Modified, Access, and Created (MAC) timestamps at the time of the last access to the target file.

• Whether the target file was stored locally or on a remote network share through the specification of a LocalPath or NetworkPath.

• Occasionally information on the volume that stored the target file: drive type (fixed vs removable storage media), serial number, and label / name if any.

• Occasionally information on the host on which the shortcut file is present: system’s NetBIOS hostname and MAC address.

Startup Folders

Shortcut files can also be automatically executed upon an interactive user logon, by being placed under the Startup folders. An user interactive logon is required for the entries to be executed, a system boot or a network logon will not trigger execution of the Startup folders entries.

There is a system-wide Startup folder (under %ALLUSERSPROFILE%) and user-scoped Startup folders (under each user %APPDATA% folder). While administrative privileges are required to create an entry in the system-wide startup folder, regular user can add entries in their own startup folder.

Tool(s)

Eric Zimmerman’s LECmd tool (KAPE’s LECmd module) can be used to process shortcut files.

# Parses the specified shortcut file.
LECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -f <LNK_FILE>

# Recursively retrieves and parses the shortcut files in the specified directory.
LECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -d <C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\ | C:\ | DIRECTORY>

References

• Windows 10 Jump List and Link File Artifacts - Saved, Copied and Moved

• Magnet Forensics - Jamie McQuaid - Forensic Analysis of LNK files

• 13Cubed - LNK Files and Jump Lists

• forensicswiki.xyz - LNK - DOWN