Forensic Analysis of LNK Files
LNK files (labels or Windows shortcut files) are typically files which are created by the Windows OS automatically, whenever a user opens their files. These files are used by the operating system to secure quick access to a certain file. In addition, some of these files can be created by users themselves to make their activities easier.
Fig.1. Windows Desktop Shortcuts
Normally, most of LNK-files are located on the following paths:
- For Windows 7 to 10: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
- For Windows XP: C:\Documents and Settings\%USERNAME%\Recent
However, there many other places where investigators can find LNK files:
- On the desktop (such shortcuts are usually created by users to secure quick access to documents and apps)
- C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent\ (for Microsoft Office documents on Windows 7 to 10)
- C:\Users\%USERNAME%\Downloads (Sometimes users send shortcuts via e-mails to other users instead of the documents to be delivered. Consequently, other users download those shortcuts. Again, this is for Windows 7 to 10)
- Startup folder
Fig.2. Shortcuts Found in the Recent Folder as shown by Belkasoft Evidence Center
Contents of Shortcuts
Before Microsoft published the information about the format of LNK files, researchers had tried to describe the format by themselves. The complexity of such research is that the different shortcuts contains different data. Correspondingly, when you analyze one shortcut type, the contents and amount of data may be different than when analyzing another shortcut type. Besides, in Windows 10, new fields are present that cannot be found in earlier versions.
So, what kind of information does a LNK file contain? Belkasoft Evidence Center digital forensic software displays the following three sections with data related to LNK file: 'Metadata', 'Origin', and 'File'.
Fig.3. 'Metadata' Section Contains Multiple Details About a Target File
The most important data displayed by the 'Metadata' Section include:
- Source path of a file and its time tags (Full path, Target file access time (UTC), Target file creation time (UTC), Target file modification time (UTC))
- Drive type
- Volume serial number (Drive serial number)
- Volume label
- NetBIOS name
- Target file size (bytes), i.e. the size of the file with which the shortcut is associated
As you can see, such fields as 'Droid file' and 'Birth droid file' can be found. DROID (Digital Record Object Identification) is the individual profile of a file. This structure (i.e. that of a droid file) can be used by the Link Tracking Service in order to determine whether the file has been copied or moved.
Fig.4. 'Origin' Section Tells Where Selected Artifact Was Extracted From
Fig.5. 'File' Section Shows File System Metadata of a LNK File
In the 'File' section you can see the MAC-address of the device on which this shortcut was created. This information may help you identify the device associated when the LNK file was created.
While conducting an investigation, one should pay attention to the time tags of a LNK file. The reason for that is that, as a rule, the time of file creation corresponds either to the time the file was created by a user or to the time of the first file access event associated with a shortcut. As for the time modification time, it normally corresponds to the last file access event associated with a shortcut.
If one examines the 'Recent' folder described above, up to 149 LNK files will be found there. What should be done, if the shortcut we need was deleted? The answer is simple: for sure, it should be recovered! Recovery of LNK-files can be executed with the file header signature, hex: 4C 00 00 00.
In order to specify the file header, one should start with the program menu: 'Tools'—'Options'. Then the 'Carving' tab is needed. Click on 'Add' button to create a new signature. You can learn about the carving methods with Belkasoft Evidence Center in greater details in the article 'Carving and its Implementations in Digital Forensics'.
Fig.6. Adding a Custom Signature (Header)
Using LNK Files with Information Security Incidents
Compromising an Attacked System
Over 90% of malware is distributed via e-mails. Normally, malware e-mails contain either a link to a network resource or a specifically designed document. If such a document is opened, malware will be downloaded to a machine.
Likewise, LINK files are used for hacking attacks.
Fig.7. 'Metadata' Section Associated with a Malicious LNK file
The general rule is that such a LNK file contains a PowerShell code which is executed when users try to open the shortcuts previously sent to them. As you can see in Fig.7, such shortcuts can be easily detected with Belkasoft Evidence Center: there is a path to an executable powershell.exe in the metadata. In the 'Arguments' field, there are arguments of a PowerShell command and encrypted 'payload'.
Embedding in a Compromised System
One of the methods to use LNK files is to embed them in a compromised system. In order to activate malware whenever a corresponding machine is turned on, the following trick can be utilized. A LNK file with a link to an executable malware file (for example, to a file with the loader code) should be created, a shortcut is to be placed at the following address: C:\Users\%User profile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
In this case, as soon as a machine is launched, the malware will be activated as well. Such shortcuts can be found in the 'File system' tab of Belkasoft Evidence Center.
Fig.8. 'PhonerLite.lnk' Shortcut in Startup
LNK files are Windows system files which are important in a digital forensic and incident response investigations. They may be created automatically by Windows or manually by a user. With the help of these files you can prove execution of a program, opening a document or a malicious code start up.
Belkasoft Evidence Center can help you to locate existing LNK files, recover deleted ones and help to analyze their contents.