Artifact Analysis: LNK Files & Shortcut Forensics

Note

Executive Summary: A Windows LNK file is a shortcut designed to provide a convenient pointer to another file, directory, or application. However, for DFIR analysts, an LNK file is a highly verbose, forensic “time capsule”. When parsed, it reveals detailed metadata about the target file—even if the target has been securely deleted. It captures original file paths, frozen timestamps, and critical volume information, making it essential for tracking user interaction, data exfiltration via USB, and lateral movement across network shares.

1. Technical Overview & Creation Mechanics

The primary philosophy behind LNK files is user convenience. While users can manually create shortcuts on their Desktop, the true forensic value lies in the files generated automatically by the Windows operating system.

When a user opens a non-executable file (e.g., a .pdf document, a .docx file, or a .jpg image) or accesses a remote folder via Windows Explorer, the OS automatically generates a corresponding LNK file to populate the “Recent Items” menu.

Artifact Locations

• User-Created: Scattered across the file system, predominantly on the Desktop or in custom directories.
• System-Generated (The DFIR Target): C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\

Tip

Forensic Link: The structure of an LNK file is identical to the embedded streams found within Jumplists. Analyzing LNK files in the Recent folder provides a file-centric view, while Jumplists provide an application-centric view of the exact same user interactions.

2. The Data Payload (The “Chatty Witness”)

A raw LNK file is a complex binary structure. When parsed by forensic tools, it reveals a staggering amount of embedded metadata about the target file at the exact moment the shortcut was created.

1. Target File Path: The absolute path of the original file.
2. Frozen Target Timestamps: The Creation, Modification, and Last Access dates of the target file. Crucially, these timestamps are “frozen” inside the LNK file. Even if an attacker alters or deletes the original file, the LNK file retains the metadata of the file as it existed during the interaction.
3. LNK Timestamps:
   • LNK Creation Date = The first time the user opened the target file.
   • LNK Modification Date = The last time the user opened the target file.
4. Target File Size: The exact byte size of the original file.
5. Volume Information:
   • Drive Type: Fixed (Hard Drive), Network, or Removable (USB).
   • Volume Serial Number (VSN): A unique identifier assigned to the disk when formatted.
   • Volume Label: The human-readable name of the drive (e.g., KINGSTON).
6. Network & Machine Tracking (TrackerData Block): If the target file resided on a network share, the LNK file stores the NetBIOS name and the MAC address of the remote machine hosting the file.

3. Forensic Value in Incident Response

LNK files answer the critical DFIR question: “Did the user or attacker actually interact with this specific file or directory?”

A. Proving the Existence of Deleted Files

This is the superpower of LNK analysis. An attacker might download a malicious script, execute it, and immediately delete it to cover their tracks. While the script is gone, the LNK file generated upon its opening remains in the Recent folder. This provides irrefutable proof of the file’s historical existence, its exact path, and its size.

B. Tracking Infection Vectors (USB Drives)

If an analyst discovers an LNK file pointing to a known malware payload (e.g., invoice.exe), and the LNK’s embedded volume information indicates a “Removable Media” drive type, the initial access vector is definitively proven to be a USB drive. The Volume Serial Number (VSN) can then be used to hunt for the specific physical USB drive within the organization.

C. Tracing Lateral Movement & Data Exfiltration

LNK files are created when documents are accessed across network shares (\\SERVER\Share\document.docx). By parsing LNK files on a compromised workstation, analysts can map out exactly which internal servers the attacker browsed. Extracting the MAC address from the LNK’s TrackerData block allows analysts to positively identify the target server, even if IP addresses have changed.

4. DFIR Tooling and Parsing

Because LNK files are binary, manual analysis via a hex editor is inefficient. DFIR teams rely on automated parsers to extract the metadata into structured formats.

LECmd (Eric Zimmerman)

parse_lnk_files.cmd

:: LECmd (LNK Explorer Command Line) is the industry standard parser.
:: It processes a single LNK or an entire directory, outputting parsed metadata to CSV.

LECmd.exe -d "C:\Forensics\Export\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent" --csv "C:\Forensics\Results" --csvf lnk_analysis.csv

KQL (Creation Anomaly)

hunt_suspicious_lnk_creation.kql

// Hunt for LNK files being created in suspicious directories (e.g., Startup folder for persistence)
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".lnk"
| where FolderPath has_any ("\\Start Menu\\Programs\\Startup\", "\\Users\\Public\")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FolderPath, FileName
| sort by TimeGenerated desc

---

References & Further Reading

• SANS Institute: Windows Forensic Analysis
• Eric Zimmerman’s Tools: LECmd GitHub Repository
• Related Artifact: Jumplists and Application Usage
• Related Artifact: Tracking Folder Navigation with Shellbags
• Related Artifact: Prefetch (.pf) Execution Analysis