Shortcut (LNK) Files

Shortcut files, also known as LNK files, are created by Windows automatically whenever a user opens a file. They allow the operating system to quickly and securely access a file. In some cases a LNK file is created by the user for quick access to a location.

A LNK file contains metadata that can then be extracted by forensic software to aid in an investigation. Some of the key pieces of metadata stored in a LNK file are:

  • Path of the file being linked to, e.g. C:\Users\Example\secret.txt
  • The type of drive that the file is on e.g. fixed HDD, removable media
  • The drive serial number
  • The drive label, e.g. Samsung USB
  • Time-related information
    • First created time
    • Last accessed time

This information can be used to understand if and when a removable drive was connected and what data was accessed on a drive, and to provide evidence of file execution. The artifacts related to LNK files provide key information that can prove equally useful in forensic and incident response cases.
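
As an added example (not part of the original page), the following Python code reads the fields listed above from an LNK file's header and LinkInfo block, using the offsets of the published shell link (MS-SHLLINK) layout. The function names, the cp1252 code page and the sample file built in `build_sample` are assumptions made for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class ID
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "CD-ROM", 6: "RAM disk"}

def filetime(ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means the field is unset."""
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def cstr(buf, off):
    """NUL-terminated ANSI string at offset (code page assumed to be cp1252)."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    created, accessed, modified = map(filetime, struct.unpack_from("<3Q", data, 28))
    out = {"created": created, "accessed": accessed, "modified": modified}
    # HasLinkTargetIDList (0x1): a 2-byte size plus the ID list follow the header; skip them
    pos = 76 + (2 + struct.unpack_from("<H", data, 76)[0] if flags & 0x1 else 0)
    if not flags & 0x2:                  # HasLinkInfo not set: header data only
        return out
    size, _, info_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    info = data[pos:pos + size]
    if len(info) < size:
        raise ValueError("truncated LinkInfo")
    if info_flags & 0x1:  # VolumeIDAndLocalBasePath (ANSI strings only, no Unicode offsets)
        _, dtype, serial, label_off = struct.unpack_from("<4I", info, vol_off)
        out.update(drive_type=DRIVE_TYPES.get(dtype, "unknown"),
                   drive_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                   volume_label=cstr(info, vol_off + label_off),
                   local_path=cstr(info, path_off))
    return out

def build_sample():
    """Constructed sample: a minimal link to E:\\secret.txt on a removable volume."""
    ft = lambda *d: int((datetime(*d, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    hdr = struct.pack("<I16sII3Q3I2H2I", 0x4C, CLSID, 0x2, 0x20, ft(2024, 1, 15, 9, 30),
                      ft(2024, 1, 16, 14, 5), ft(2024, 1, 10, 8, 0), 0, 0, 1, 0, 0, 0, 0)
    label, path = b"Samsung USB\0", b"E:\\secret.txt\0"
    vol = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    body = vol + path + b"\0"            # VolumeID, LocalBasePath, empty CommonPathSuffix
    return hdr + struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(vol), 0,
                             28 + len(vol) + len(path)) + body

if __name__ == "__main__":
    print(parse_lnk(build_sample()))
```

The header timestamps describe the link target as recorded when the shortcut was written, so compare them with the LNK file's own file system timestamps when building a timeline.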