What?
.LNK is the extension used by shortcut files in Windows. We normally place a ton of shortcuts on our desktop and sometimes in other folders as well. These shortcut (LNK) files are binary files that contain the information Windows needs to access the target file or folder.
A LNK file also carries the MAC times of the original file: not only will a LNK file contain timestamps for the LNK file itself, it will also contain MAC times for the linked file within its metadata, as well as information about the volume and system where the LNK file is stored.
- If I right-click a .doc file in a folder and select Copy and then right-click the Desktop and select Paste Shortcut, Windows creates a .lnk file that points to the .doc file. If, however, I right-click a .url file in Favorites and select Copy and then right-click the Desktop and select Paste Shortcut, Windows simply duplicates the .url.
A LNK file contains information like:
- Local Base Path to the Target file
  - This is the folder/file which the LNK file is pointing to
- MAC Times for the LNK file
  - The timestamps when the LNK file was created, modified and last accessed
- File size of the LNK File
- Keyboard shortcut for the LNK file
  - The LNK file can be associated with a keyboard shortcut. When the specific keys are pressed, the LNK file can be run
- Argument list for the LNK file
  - Windows can pass certain command line arguments to the target file via the LNK file
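In Microsoft's [MS-SHLLINK] format, the timestamps, file size and keyboard shortcut sit in the fixed 76-byte ShellLinkHeader at the start of the file, where the timestamps and size describe the link target. The Python parser below is an added example, not code from the original post or from PowerForensics; the function names and the sample header bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<I16sIIQQQIiIHHII")  # 76-byte ShellLinkHeader
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks
FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
         0x08: "HasRelativePath", 0x10: "HasWorkingDir",
         0x20: "HasArguments", 0x40: "HasIconLocation", 0x80: "IsUnicode"}
MODIFIERS = {0x01: "SHIFT", 0x02: "CTRL", 0x04: "ALT"}

def filetime(ticks):  # a FILETIME of 0 means "not set"
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def to_filetime(dt):  # inverse of filetime(); only builds the sample below
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def parse_lnk_header(data):
    if len(data) < HEADER.size:
        raise ValueError("truncated: the header alone is 76 bytes")
    (size, clsid, flags, attrs, created, accessed, written, target_size,
     _icon, _show, hotkey, _r1, _r2, _r3) = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    key, mods = hotkey & 0xFF, hotkey >> 8  # low byte = key, high = modifiers
    combo = [name for bit, name in MODIFIERS.items() if mods & bit]
    if 0x30 <= key <= 0x39 or 0x41 <= key <= 0x5A:
        combo.append(chr(key))              # '0'-'9', 'A'-'Z'
    elif 0x70 <= key <= 0x87:
        combo.append(f"F{key - 0x6F}")      # F1-F24
    elif key:
        combo.append(hex(key))              # NUM LOCK, SCROLL LOCK, other
    return {
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "target_is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
        "target_created": filetime(created),
        "target_accessed": filetime(accessed),
        "target_modified": filetime(written),
        "target_size": target_size,
        "hotkey": "+".join(combo) if key else None,
    }

# Constructed sample: link to a 1536-byte file, with arguments and Ctrl+Alt+R.
WHEN = to_filetime(datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
SAMPLE = HEADER.pack(0x4C, LINK_CLSID, 0x01 | 0x02 | 0x10 | 0x20 | 0x80, 0x20,
                     WHEN, WHEN, WHEN, 1536, 0, 1, 0x0652, 0, 0, 0)

if __name__ == "__main__":
    print(*parse_lnk_header(SAMPLE).items(), sep="\n")
```

The target path, working directory and argument string are not in this header; they follow it in the variable-length sections that the flags announce.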
Why?
Even though the destination application may have been deleted or moved, its shortcuts can still remain. This can help forensic investigators understand what was executed or accessed on the system.
How?
PowerForensics is a PowerShell framework for hard drive forensic analysis, created by Jared Atkinson.
In order to use it, we need to install the PowerForensics module and import it.
Get-ForensicShellLink -VolumeName \\.\H: | Export-Excel demo.csv -AutoSize -FreezeTopRow
The above command creates an Excel file named demo.csv with auto-sized columns and a frozen top row.
Analysing the above, we can conclude:
- FileSize for LNK to folders will always be 0 [My Pictures Lorpix]
- Working directory points to Z:\Lorpix. Lorpix could be a folder on a shared network folder mapped as Z:. We can investigate the Hive files to find the network path
- CommonPathSuffix gives us more information about the target file locations
Path Based
Here, Remnux is a shortcut on my desktop to a virtual machine in VirtualBox. We can analyze it by using:
We can see that:
- --startvm takes the GUID of the VirtualBox VM to start
- --comment is a description
We can pipe the output to Get-ForensicFileRecord to get more details about the LNK file and its target file.