Where are Link Files stored?

Link files within a Windows operating system can, in theory, be stored anywhere, depending on the user's choices.

However, the default locations for Link Files are:

C:\Documents and Settings\[username]\recent

C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent

Link files are also backed up in the System Restore folders, which is an excellent source of information.

C:\System Volume Information\_restore{XXXXXXXXXXXXXXX}\snapshot

However, these dates should be treated with caution, due to the nature of the LNK files. Not only are the names of the files changed during the backup, but research suggests that so are some dates (don’t take this information to court, but test for yourself).

Link files can also be found in other folders, e.g. Program Files, the desktop, and the Startup folder. The best way to locate all of them is to apply a filter with EnCase, FTK, or your preferred forensics tool.

Link Files

Link Files, also known as shortcut files, have the extension LNK and are most commonly found in the “Recent” folder in the user's profile. A user can double-click on one of these and it will open the document it points to.

Other LNK files can be found in the System Restore and Office folders. Link files are very useful as they contain a wealth of data about other files.

Every time a file is opened, be it a Word document, a text file, or a picture, an LNK file is created with the name of the file and placed in the “Recent” folder of the user's profile. This link file has 4 dates in the MFT (Created, Last Written/File Modified, Accessed, Entry Modified/MFT entry modified).

For example, if the Word document “Hello.DOC” was opened on 1st Jan 2008, then hello.doc.lnk is created. As it has just been created, its four dates would all be 1st Jan 2008.

While this information is not particularly exciting, the data WITHIN the LNK file is.

Inside the LNK file are the following fields:

1. Creation date of the file it points to
2. Access date of the file it points to
3. Modified date of the file it points to
4. File path of the file it points to
5. Size of the file it points to.

There are also other fields, but these are not relevant at this point.

Therefore, if the Word document “Hello.DOC” was created on 1 June 2007, modified on 1st Oct 2007, and then accessed on 1st Jan 2008, all of that information would be stored within the LNK file, as would its location.

Even if a file has never been on the computer where the link file was, e.g. a file on a server or on removable media, the LNK file will still retain this information.

This allows a forensics investigator to gain information about files that were never on the computer they are examining.
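The fields listed above can be read straight out of the LNK file's bytes. The following is an added example, not code from the original post: a small Python parser that follows the published Shell Link (MS-SHLLINK) header layout and extracts the target's three dates, size and local path. The sample bytes are constructed to match the Hello.DOC scenario; the drive letter E:, the file size and the cp1252 code page are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    """Return the target's dates, size and local path stored in a .lnk."""
    if len(data) < 76:
        raise ValueError("truncated Shell Link header")
    size, clsid, flags, _attrs, ctime, atime, wtime, fsize = \
        struct.unpack_from("<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    out = {"created": filetime(ctime), "accessed": filetime(atime),
           "modified": filetime(wtime), "size": fsize, "path": None}
    pos = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte length, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: structure that carries the path
        li_flags, _vol_off, base_off = struct.unpack_from("<III", data, pos + 8)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            start = pos + base_off
            end = data.index(b"\x00", start)
            out["path"] = data[start:end].decode("cp1252")  # assumed code page
    return out

def build_sample():
    """Constructed bytes: a link to Hello.DOC on removable drive E:."""
    def ft(y, m, d):
        delta = datetime(y, m, d, tzinfo=timezone.utc) - EPOCH
        return int(delta.total_seconds()) * 10_000_000
    header = struct.pack("<I16sIIQQQI", 0x4C, LNK_CLSID, 0x02, 0x20,
                         ft(2007, 6, 1), ft(2008, 1, 1), ft(2007, 10, 1), 24576)
    header += bytes(76 - len(header))  # remaining header fields zeroed
    path = b"E:\\Hello.DOC\x00"
    # Minimal LinkInfo (VolumeID and path suffix left out of this sample)
    info = struct.pack("<7I", 0x1C + len(path), 0x1C, 0x01, 0, 0x1C, 0, 0)
    return header + info + path

if __name__ == "__main__":
    for field, value in parse_lnk(build_sample()).items():
        print(f"{field:9} {value}")
```

The embedded timestamps are stored in UTC, so convert them to the suspect machine's time zone before comparing them with the LNK file's own MFT dates.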