If you wanted to build a car from scratch, it would be smart to first know the different components of a car. Why should an investigation involving computers be any different? That is why Digital Forensic Investigators go beyond what the average user can see, and search under “the hood” of the Operating System (OS).
The Shorthand Answer:
There are multiple methods at an investigator's disposal that provide significant proof that a user's account has accessed a file. One of these is the .LNK file (shortcut file). The Windows OS has blessed investigators with multiple system files holding incredible amounts of system knowledge. Although their intended purpose is to allow the OS to run as efficiently and properly as possible, these "behind-the-scenes" files can help disclose secrets about what happened on the computer. A .lnk is automatically created any time a user opens a file locally or remotely for the first time. This file can tell an investigator:
- Whether the user has accessed a specific file
- The name of the file
- The original path to the target file (the file it is referencing)
- MAC (Modified, Accessed, Created) timestamps of the target file and of the .lnk file itself
- The size of the target file
- Attributes of the target file (read-only, hidden, system)
In this DFS post we will be discussing the concept of Forensic artifacts and “.LNK” files with the hopes you can better understand the tactics of a Digital Forensic Examiner.
Behind the Curtain & Artifacts
When a standard computer user opens a file, although he/she may notice no changes to his/her computer, there are many actions going on in the background. Multiple system files are being written to, logging helpful information such as time/date, file path, file name, etc. These background processes help Windows run smoothly with abundant error checking and logging. If an error were ever to arise, the data could help determine how the issue occurred. This same information can be very helpful to a computer forensic investigator. Referred to as "Forensic Artifacts", these Windows system files can help accurately reveal past actions of a user's account. Everything from user login, to file opening, to USB thumbdrive use, is potentially logged within these files.
Think of this like an archaeological dig where we are uncovering clues about past civilizations. However, instead of looking at pottery and arrowheads, we are sifting through files that reside within the Windows Operating System. There are quite a few forensic artifacts, each serving a special role in investigations. Some artifacts are specific to a single user and others may be system-wide. Here are just a few examples of forensic artifacts:
- Prefetch: lists the files an application loads shortly after launch, so Windows can optimize the application's start-up and efficiency.
- Shellbags: An MRU (Most Recently Used) list of window positions for folders that have been opened
- USBSTOR: Holds a list of removable USB devices that have been used on the system
For our purposes we are going to focus on one of the artifacts that appears when a user opens a file or application: the famous ".LNK" or "Link" file.
Although you may not be familiar with the extension “.lnk”, there’s a strong chance you have intentionally created a file with this filetype. Believe it or not, a Windows .LNK extension is also known as a “shortcut” file. Anytime you have right-clicked on a file and selected “Create shortcut”, you have manually created a .lnk. The main purpose of the .lnk is to redirect you to a specific path almost like a teleportation device. You may have seen some software installation prompts asking if you wanted to “Create a shortcut on the desktop”. This is basically doing that right-click “Create Shortcut” task for you.
The majority of users interact with an application through this icon on the desktop. Little do they know, the application is actually comprised of multiple files. A program like Google Chrome has about 5,000 individual files on a typical user account. Upon installation, the installer is placing all of these files in a specific location and then asks if you would like to make a shortcut on the Desktop. This way you don’t have to dig through those 5,000 files to find the right one that runs Google Chrome. This would be a huge waste of time if you had to do this whenever you wanted to browse the web. So that is why shortcut files are important for the user. But then how are they useful in computer forensics?
As stated in the shorthand, Windows also automatically creates a .lnk file every time a user locally or remotely accesses a file for the first time. These .lnk files are saved to the path:
They, too, are just shortcuts that link right back to the folder containing all of the application's files. Along with the name of the application/file the user has accessed, you get the path of the original file, the MAC timestamps of the original file, the size of the original file, the date/time the application was first accessed, and attributes of the original file. Windows does allow this feature to be turned off, and the files can be deleted, so it is always a good idea to use this artifact as evidence alongside others such as "Prefetch". However, if a .lnk file is present on the system for a specific application, then that particular file was definitely run by that user account. Although many tools exist that can parse these files, I have always had great luck with "LECmd.exe" and "Link Parser". Here are some example pictures of how .lnk files look on the system:
Figure 1: shows what the lnk files look like to the user.
Figure 2: shows how some other .lnk files are displayed in the forensic tool FTK Imager
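To make the shorthand list and the paragraph above concrete, here is an added example (not code from this post, LECmd or Link Parser) that parses the fixed 76-byte ShellLinkHeader at the start of every .lnk file, as documented in Microsoft's MS-SHLLINK specification, and pulls out the target's MAC timestamps, size and attributes. The sample header it parses is constructed in the script, not a real capture; the optional structures that follow the header (target path, link info) are not decoded here.

```python
"""Parse the fixed 76-byte ShellLinkHeader of a Windows .lnk file (MS-SHLLINK)."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FileAttributes bits recorded for the target file (MS-SHLLINK 2.1.2)
ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE"}
# LinkFlags bits that announce which optional structures follow the header
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x80: "IsUnicode"}
# HeaderSize, CLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIME,
# FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3 (little-endian, 76 bytes)
HEADER = struct.Struct("<I16sIIQQQIIIHHII")

def from_filetime(ft):
    """FILETIME is the count of 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def _bits(table, value):
    return sorted(name for bit, name in table.items() if value & bit)

def parse_lnk_header(data):
    """Return the target's MAC times, size and attributes stored in the .lnk header."""
    if len(data) < HEADER.size:
        raise ValueError("data shorter than a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize, *_ = HEADER.unpack_from(data)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or CLSID)")
    return {"flags": _bits(LINK_FLAGS, flags),
            "attributes": _bits(ATTRIBUTES, attrs),
            "target_created": from_filetime(ctime),
            "target_accessed": from_filetime(atime),
            "target_modified": from_filetime(wtime),
            "target_size": fsize}

def build_sample_header():
    """Constructed sample: link to a 4096-byte hidden+archive file (not a real .lnk)."""
    t = datetime(2020, 1, 1, 12, 30, tzinfo=timezone.utc)
    return HEADER.pack(0x4C, LINK_CLSID.bytes_le, 0x01 | 0x02 | 0x80, 0x02 | 0x20,
                       to_filetime(t), to_filetime(t), to_filetime(t + timedelta(days=1)),
                       4096, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    print(parse_lnk_header(build_sample_header()))
```

On a real file, read the first 76 bytes and pass them to parse_lnk_header; the .lnk file's own MAC times come from the filesystem (os.stat), not from this header.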
*Note: Although a user's account may suggest certain actions, there is no guarantee of who was behind the keyboard at the time. Additional data/evidence must be linked for this to be proved (did anyone else know the account password, who else had access to the device, was there camera footage or ID card swipe access to the room, etc.).