Link Files, also known as shortcut files, have the extension LNK and are most commonly found in the “recent” folder in the users profile. A user can double click on these and it will open document it points to.
Other LNK files can be found in the System Restore and office folders. Link files are very useful as they contain a wealth of data other files.
Every time a file is opened, be it a word document, a text file, or a picture, LNK file is created, with the name of the file and placed in the “Recent” folder of the users profile. This link file has 4 dates in the MFT (Created, Last Written/File Modified, Accessed, Entry Modified/MFT entry modified).
For example if the Word Document “Hello.DOC” was opened on 1st Jan 2008 then the hello.doc.lnk is created, as it has just been created its four dates would all be 1st Jan 2008.
While this information is not particular exciting, that data WITHIN the LNK file is.
Inside the LNK file are the following fields:
1. Creation date of the file it points to
2. Access date of the file it points to
3. Modified data of the file it points to
4. File path of the file it points to
5. Size of the file it points to.
There are also other fields, but these are not relevant at this point.
Therefore if the word document “Hello.DOC”, was created on 1 June 2007, modified on 1st Oct 2007, and then accessed 1st Jan 2008 – all of that information would be stored within the LNK, as would its location.
Even if a file has never been on the computer where the link file was, e.g a file on a server, or a removable media, then the LNK file will still retain this information.
This allows a forensics investigator to gain information about files that were never on the computer they are examining