What?

.LNK is the extension Windows uses for shortcut files. We normally place plenty of shortcuts on the desktop, and often in other folders as well. A shortcut (LNK) file is a binary file in the Shell Link format (documented by Microsoft as MS-SHLLINK) that contains the information Windows needs to reach the target file or folder.

A LNK file contains information such as:

Local base path to the target file: the folder or file the LNK file points to.

MAC times: the shell link header stores the creation, last-access and last-write timestamps of the target file, captured when the shortcut was created or last updated. The LNK file's own created, modified and accessed times come from the file system and can be compared with them.

File size: the size of the target file when the shortcut was last updated (0 for a folder), not the size of the LNK file itself.

Keyboard shortcut (hot key): a LNK file can be bound to a key combination; pressing those keys runs the shortcut.

Argument list: command-line arguments that Windows passes to the target file when the shortcut is run.
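To make the fields above concrete, here is a small parser for the Shell Link format, added as an example for this page; it is not code from the original post or from PowerForensics. It reads the 76-byte header (target MAC times, target size, hot key), skips the item ID list, pulls LocalBasePath, CommonPathSuffix and the network link (UNC share and mapped drive letter) out of LinkInfo, and decodes the string data (working directory, arguments). The two sample shortcuts it builds are constructed in code rather than read from disk, and every path, share name and GUID in them is made up; the unicode-offset variant of LinkInfo and the trailing extra-data blocks are not parsed.

```python
"""Minimal MS-SHLLINK (.lnk) parser for the header, LinkInfo and StringData fields.
Added example, not code from the original page or PowerForensics; the unicode-offset
form of LinkInfo and the trailing extra-data blocks are skipped."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkFlags (header) and LinkInfoFlags bit values from the spec
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
VOLUME_ID_AND_LOCAL_BASE_PATH, COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX = 1, 2
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))  # on-disk order of the StringData sections

def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO-8601; None when unset."""
    return None if ft == 0 else (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()

def read_cstr(data, offset):  # NUL-terminated ANSI string, as LinkInfo stores its paths
    return data[offset:data.index(b"\x00", offset)].decode("cp1252")

def decode_hotkey(hotkey):
    """Low byte: virtual-key code; high byte: SHIFT=1, CTRL=2, ALT=4 modifier bits."""
    if hotkey == 0:
        return None
    key, mods = hotkey & 0xFF, hotkey >> 8
    parts = [n for bit, n in ((1, "SHIFT"), (2, "CTRL"), (4, "ALT")) if mods & bit]
    parts.append(chr(key) if 0x30 <= key <= 0x5A else f"VK_0x{key:02X}")  # 0-9/A-Z are ASCII
    return "+".join(parts)

def parse_lnk(data):
    """Return the forensic fields of a shell link as a dict; fields absent from the file are omitted."""
    (hdr_size, clsid, link_flags, attrs, ctime, atime, wtime, size,
     _icon, _show, hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if hdr_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad header size or CLSID")
    rec = {"target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
           "target_size": size,  # size of the target when the link was last updated, not of the .lnk
           "target_created": filetime_to_iso(ctime), "target_accessed": filetime_to_iso(atime),
           "target_modified": filetime_to_iso(wtime), "hotkey": decode_hotkey(hotkey)}
    off = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize plus the item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if link_flags & HAS_LINK_INFO:
        li = off
        li_size, _, li_flags, _, lbp_off, cnrl_off, cps_off = struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            rec["local_base_path"] = read_cstr(data, li + lbp_off)
        if li_flags & COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX:
            cnrl = li + cnrl_off  # CommonNetworkRelativeLink: UNC share and mapped drive letter
            _, cnrl_flags, net_off, dev_off, _ = struct.unpack_from("<5I", data, cnrl)
            rec["net_name"] = read_cstr(data, cnrl + net_off)
            if cnrl_flags & 1:  # ValidDevice
                rec["device_name"] = read_cstr(data, cnrl + dev_off)
        rec["common_path_suffix"] = read_cstr(data, li + cps_off)
        off = li + li_size
    unicode = bool(link_flags & IS_UNICODE)
    for flag, key in STRING_DATA:  # each: CountCharacters (2 bytes) then the characters, no NUL
        if link_flags & flag:
            n = struct.unpack_from("<H", data, off)[0] * (2 if unicode else 1)
            rec[key] = data[off + 2:off + 2 + n].decode("utf-16-le" if unicode else "cp1252")
            off += 2 + n
    return rec

def build_lnk(local_base_path=None, common_path_suffix="", net_name=None, device_name=None,
              working_dir=None, arguments=None, target_size=0, is_directory=False, write_time=0, hotkey=0):
    """Serialise a minimal shortcut as constructed test input (real files also carry an ID list)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_WORKING_DIR if working_dir else 0) | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIH", HEADER_SIZE, LNK_CLSID, flags,
                         FILE_ATTRIBUTE_DIRECTORY if is_directory else 0x20, 0, 0, write_time,
                         target_size, 0, 1, hotkey) + b"\x00" * 10  # 0x20 = ARCHIVE, 1 = SW_SHOWNORMAL
    li_flags, body, vol_off, lbp_off, cnrl_off = 0, b"", 0, 0, 0
    if local_base_path is not None:
        li_flags |= VOLUME_ID_AND_LOCAL_BASE_PATH
        vol_off, lbp_off = 0x1C, 0x1C + 0x11
        body += struct.pack("<IIII", 0x11, 3, 0xDEADBEEF, 0x10) + b"\x00"  # VolumeID: DRIVE_FIXED, no label
        body += local_base_path.encode("cp1252") + b"\x00"
    if net_name is not None:
        li_flags |= COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX
        nn = net_name.encode("cp1252") + b"\x00"
        dn = device_name.encode("cp1252") + b"\x00" if device_name else b""
        cnrl_off = 0x1C + len(body)
        body += struct.pack("<5I", 0x14 + len(nn) + len(dn), 2 | (1 if dn else 0), 0x14,
                            0x14 + len(nn) if dn else 0, 0x00020000) + nn + dn  # WNNC_NET_LANMAN
    cps_off = 0x1C + len(body)
    body += common_path_suffix.encode("cp1252") + b"\x00"
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, li_flags, vol_off, lbp_off, cnrl_off, cps_off) + body
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = (sd(working_dir) if working_dir else b"") + (sd(arguments) if arguments else b"")
    return header + link_info + strings + b"\x00\x00\x00\x00"  # TerminalBlock

def sample_app_lnk():  # constructed: application shortcut with arguments and hot key Ctrl+Alt+R
    return build_lnk(local_base_path=r"C:\Tools\vmrunner.exe", working_dir=r"C:\Tools",
                     arguments="--startvm 11111111-2222-3333-4444-555555555555 --comment demo",
                     target_size=1234, write_time=132223104000000000, hotkey=0x0652)  # 2020-01-01T00:00:00Z

def sample_folder_lnk():  # constructed: folder on a share mapped as Z:, made-up server and share names
    return build_lnk(net_name=r"\\fileserver\share", device_name="Z:", common_path_suffix="Lorpix",
                     working_dir=r"Z:\Lorpix", is_directory=True)
```

To run it against a real shortcut, call parse_lnk(open(path, "rb").read()); the folder sample shows why a folder shortcut reports a target size of 0 and how a shortcut to a mapped drive can carry the UNC share name as well as the drive letter.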

Why?

Even though the target application or document may have been deleted or moved, its shortcut can remain. Windows also creates LNK files automatically (in the user's Recent folder, for example) when files are opened. This helps forensic investigators understand what was executed or accessed on the system.

How?

PowerForensics is a PowerShell framework for hard-drive forensic analysis, created by Jared Atkinson.

In order to use it, we install the PowerForensics module from the PowerShell Gallery and import it:

Install-Module -Name PowerForensics
Import-Module PowerForensics

We can use the Get-ForensicShellLink (GFS) cmdlet of PowerForensics to analyse LNK files.

To view some examples of using GFS, we use the command below:

Get-Help Get-ForensicShellLink -Examples

To view the list of parameters, we use the command below:

help Get-ForensicShellLink -Parameter *

-Path should point to the LNK file we want to investigate.

-VolumeName is the volume to scan for LNK files, given as a device path such as \\.\C:. If we specify neither parameter, it scans the current drive for LNK files.

Volume Based

Using FTK Imager, we have mounted a forensic image read-only as the H: drive. Using GFS, we can parse the entire image, find the LNK files and write the result to Excel using the ImportExcel PowerShell module:

Get-ForensicShellLink -VolumeName \\.\H: | Export-Excel demo.xlsx -AutoSize -FreezeTopRow

The command above creates an Excel workbook named demo.xlsx with auto-sized columns and a frozen top row. Export-Excel produces an xlsx workbook, so give the output an .xlsx extension rather than .csv; for a plain CSV file, pipe to Export-Csv instead.

Analysing the output we can conclude:

FileSize for LNK files that point to folders is always 0 (My Pictures, Lorpix), because the header stores the size of the target.

WorkingDirectory points to Z:\Lorpix. Lorpix could be a folder on a network share mapped as drive Z:. To resolve the share, we can investigate the registry hives: the user's NTUSER.DAT records persistent drive mappings under Network\<drive letter> and visited shares under Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. The LNK file's own LinkInfo structure may also carry the UNC path (CommonNetworkRelativeLink).

CommonPathSuffix gives us more information about the target file locations.

Path Based

Here, Remnux is a shortcut on my desktop to a virtual machine in VirtualBox. We can analyse it using:

Get-ForensicShellLink -Path C:\Users\lenovo2\Desktop\Remnux.lnk

We can see that:

--startvm takes the GUID of the VirtualBox VM to start

--comment is a description

We can pipe the output to Get-ForensicFileRecord to get the MFT file record of the target (its LocalBasePath), alongside the details of the LNK file itself:

Get-ForensicShellLink -Path C:\Users\lenovo2\Desktop\Remnux.lnk
Get-ForensicShellLink -Path C:\Users\lenovo2\Desktop\Remnux.lnk | Get-ForensicFileRecord -Path {$_.LocalBasePath}