Shortcut files, also known as LNK files, are created by windows automatically whenever a user opens a file. They allow the operating system to quickly and securely access a file. In some cases a LNK file is created by the user for quick access to a location.
A LNK file contains metadata that can then be extracted by forensic software to aid in an investigation. Some of the key pieces of metadata stored in a LNK file are:
- Path of the file being linked to e.g C:\Users\Example\secret.txt
- The type of drive that the file is on e.g. fixed HDD, removable media
- The drive serial number
- The drive label e.g Samsung USB
- Time related information
- First created time
- Last accessed time
This information can be used to understand if and when a removable drive was connected, what data was accessed on a drive, and provide evidence of file execution. The artifacts related to LNK files provide key information that can prove equally useful in forensic and incident response cases.