SANS Digital Forensics and Incident Response Blog: Tag - lnk

It's the little things (Part One)

For forensic analysts working in Windows environments, .lnk shortcut files and the thumbprint caches are valuable sources for details about missing data.

Individuals wanting to hide their activities may flush their browser cache, Temp files, use, and even wipe the drive free space. However, they may forget these two minor "tidbits". These can show detail, indicate actions and associated history. Be Warned, I have found Windows machines having thousands of .lnk files on a "scrubbed PC."

The shortcut (.lnk) file is an amazing mine of information for such a small file. This PDF (See Link) is an invaluable source describing the details of the shortcut .lnk. The shortcut file name format is usually name.ext.lnk There may be multiple .lnk files created for one file depending upon the type.

XP stores the .lnk files for the Word 2007 Document Brains.docx in: