SANS Digital Forensics and Incident Response Blog

It's the little things (Part One)

For forensic analysts working in Windows environments, .lnk shortcut files and the thumbnail caches are valuable sources of detail about data that is no longer on the disk.

Individuals wanting to hide their activities may flush their browser cache and Temp files, and even wipe the drive's free space. However, they often forget these two minor "tidbits", which can reveal which files existed, what was done with them and when. Be warned: I have found thousands of .lnk files on a "scrubbed" Windows PC.

The shortcut (.lnk) file is an amazing mine of information for such a small file. The PDF linked under Sources below is an invaluable description of the .lnk format. The shortcut file name is usually of the form name.ext.lnk, and more than one .lnk file may be created for a single file, depending on its type.

Windows XP stores the .lnk files for the Word 2007 document Brains.docx in:

%Drive%:\Documents and Settings\User ID\Recent

The .lnk file in ..\Recent (above) is slightly larger than the one Office writes to:

%Drive%:\Documents and Settings\User ID\Application Data\Microsoft\Office\Recent

Windows 7 stores these .lnk files in

%Drive%:\Users\sdd\AppData\Roaming\Microsoft\Windows\Recent

The .lnk file in ..\Windows\Recent (above) is twice the size of the one Office writes to:

%Drive%:\Users\sdd\AppData\Roaming\Microsoft\Office\Recent

The .lnk file's Properties dialog shows only the tip of the available information. Compare the same Word 2007 Brains.docx.lnk file on XP and Windows 7. I use XVI32 as my hex editor to pull out the drive type, target location, volume serial number and much more.
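The fields called out above (drive type, target location, volume serial number, plus the target's timestamps and the machine name in the TrackerDataBlock) can be pulled from a .lnk file programmatically rather than read off a hex dump. The following is an added example written for this page, not code from the post or from any of the tools mentioned in it; it follows the MS-SHLLINK layout. The sample file it parses is constructed inline: the Brains.docx path, the volume serial 1234-ABCD, the label "OS", the machine name FORENSIC-XP and the timestamps are all made-up values, and ANSI strings are decoded as latin-1, which is an assumption (a real file uses the creating host's code page).

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a CONSTRUCTED sample file (added example)."""
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
TRACKER_SIG = 0xA0000003                                # TrackerDataBlock signature


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def _cstr(buf, off):
    """NUL-terminated ANSI string; latin-1 is an ASSUMPTION (real code page is the creating host's)."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    hdr, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize/CLSID)")
    out = {"target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
           "target_modified": filetime_to_dt(wtime), "target_size": size,
           "file_attributes": f"0x{attrs:08X}", "extra_blocks": []}
    pos = 0x4C
    if flags & 0x01:                                    # HasLinkTargetIDList: skip the shell item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                    # HasLinkInfo: volume and path of the target
        li_size, li_hdr, li_flags, vol_off, lbp_off, _cnrl_off, cps_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:                             # VolumeIDAndLocalBasePath
            vol = pos + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, vol)
            out["drive_type"] = DRIVE_TYPES.get(dtype, f"0x{dtype:X}")
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            out["volume_label"] = _cstr(data, vol + label_off)
            out["local_base_path"] = _cstr(data, pos + lbp_off)  # Unicode variant (li_hdr >= 0x24) not handled
        out["common_path_suffix"] = _cstr(data, pos + cps_off)
        pos += li_size
    unicode = bool(flags & 0x80)                        # IsUnicode governs every StringData field
    for bit, name in ((0x04, "description"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                                 # CountCharacters then the string, no terminator
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (2 * n if unicode else n)]
            out[name] = raw.decode("utf-16-le" if unicode else "latin-1")
            pos += len(raw)
    while pos + 8 <= len(data):                         # ExtraData blocks until a TerminalBlock (size < 4)
        blk_size, sig = struct.unpack_from("<II", data, pos)
        if blk_size < 4:
            break
        out["extra_blocks"].append(f"0x{sig:08X}")
        if sig == TRACKER_SIG:                          # MachineID: 16-byte NetBIOS name at block offset 16
            out["machine_id"] = _cstr(data, pos + 16)
        pos += blk_size
    return out


def build_sample_lnk(drive_type=3):
    """CONSTRUCTED sample resembling an XP Recent\\Brains.docx.lnk; every value is made up."""
    utc = timezone.utc
    flags = 0x02 | 0x08 | 0x10                          # HasLinkInfo | HasRelativePath | HasWorkingDir (ANSI)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         dt_to_filetime(datetime(2010, 1, 30, 14, 5, 0, tzinfo=utc)),
                         dt_to_filetime(datetime(2010, 2, 1, 9, 12, 0, tzinfo=utc)),
                         dt_to_filetime(datetime(2010, 1, 31, 18, 44, 0, tzinfo=utc)),
                         24576, 0, 1, 0, 0, 0, 0)       # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved
    label, base = b"OS\x00", b"C:\\Documents and Settings\\User ID\\My Documents\\Brains.docx\x00"
    volume_id = struct.pack("<4I", 16 + len(label), drive_type, 0x1234ABCD, 0x10) + label
    lbp_off = 0x1C + len(volume_id)
    body = volume_id + base + b"\x00"                   # VolumeID, LocalBasePath, empty CommonPathSuffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x01, 0x1C, lbp_off, 0, lbp_off + len(base)) + body
    rel, wd = b".\\Brains.docx", b"C:\\Documents and Settings\\User ID\\My Documents"
    strings = struct.pack("<H", len(rel)) + rel + struct.pack("<H", len(wd)) + wd
    tracker = (struct.pack("<4I", 0x60, TRACKER_SIG, 0x58, 0)
               + b"FORENSIC-XP".ljust(16, b"\x00") + bytes(64))  # zeroed Droid/DroidBirth GUIDs
    return header + link_info + strings + tracker + b"\x00\x00\x00\x00"  # TerminalBlock


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:>18}: {value}")
```

Running it prints the recovered fields for the constructed file; feed the bytes of a real Recent\*.lnk to parse_lnk to get the same dictionary. A DriveType of 2 (REMOVABLE) in the VolumeID is what tells you the target lived on removable media, and the serial number lets you tie the shortcut back to a specific volume even after the file itself is gone.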

Review the XP hex dump example below, then compare it with the two hex dumps of the Windows 7 .lnk files. (You may need to zoom to inspect the images.) I did not include all of the hex for the first .lnk file.

Figure: Windows XP Brains.docx.lnk view
Figure: Windows 7 lnk (upper view)
Figure: Windows 7 lnk (lower view)

Thumbs.db files and thumbnail caches are also an invaluable source of data. I will discuss them in my next posting and then tie the thumbnails and shortcuts together.

Source and Links

Windows Shortcut File format: http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf

XVI32 Hex Editor: http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm

Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety of audiences including SANS, the Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology, with the past 13 years in Security. He has earned, among various vendor certificates, his CISSP (#3700) and CISA (#153869), as well as GIAC G7799 (#151) Silver and GCFA (#18) Gold certifications.

9 Comments

Posted February 1, 2010 at 5:16 PM

trustedsignal

Also check out Harlan Carvey's wonderful little utility lslnk.pl, which will parse lnk files and dump timestamps and volume information including volume serial number, if it was a removable volume, and more. Very useful and easier to read than hex dumps.

Posted February 1, 2010 at 5:35 PM

Albert

Does anyone edit these posts? That opening sentence is terrible.

Posted February 1, 2010 at 6:14 PM

Mark Woan

Try lnkanalyser: http://www.woanware.co.uk/lnkanalyser/
It is based on the official Microsoft link file shortcut specification and gets more information than most parsers, e.g. NewObjectId Volumes and BirthObjectId Volumes.

Posted February 1, 2010 at 6:31 PM

Adam

While the referenced document by Jesse Hager is a great reference, the one below from Microsoft will most likely be a little more accurate and probably will be updated more frequently.
http://msdn.microsoft.com/en-us/library/dd871305(PROT.10).aspx

Posted February 1, 2010 at 11:28 PM

trustedsignal

Albert,
Most posts are reviewed and edited as time permits. True, that opening sentence is rough, but I think most folks get the meaning.
We're not all prize winning authors. We are all volunteers working in the field, trying to share knowledge and experiences with others.

Posted February 2, 2010 at 8:43 AM

David

I have to agree with Albert. I'd take the extra 5 mins to properly proofread blog posts. The blog post will be online for years, I guess.
Also, is it me or are the paths missing the slashes? I seem to recall this on previous SANS forensics blog posts. Makes it tough to read. Thanks.
%Drive%:Documents and SettingsUser IDApplication DataMicrosoftOfficeRecent

Posted February 2, 2010 at 9:34 AM

codix

Is there a way to disable such stuff? Disabling the creation of such .lnk files?
If "recent documents" are disabled, will those LNKs still be created?
Is there a way to avoid the creation of .lnk files?

Posted February 3, 2010 at 1:16 PM

Dave Hull

I have cleaned up the opening sentence and hope it's easier to read now. As for the slashes in the path, they are in the original article, but when published in WordPress they were showing up as spaces. I believe I've corrected that, at least they show up in my browser now.

Posted February 7, 2010 at 8:20 PM

Harry Parsonage

codix,
You will find the answers to your questions and many others in my paper on link files:
http://computerforensics.parsonage.co.uk/linkfiles/linkfiles.htm