## Introduction

LNK is pronounced "link", and a LNK file is simply a shortcut: when you open the link file of a program, Windows follows it to the original file and executes it. Because of this, the LNK file seems to exist purely for user convenience. So if a user creates a link file manually, how is it useful in digital forensic analysis? The truth is that the user is not the only source of LNK files. An artifact has meaning because the system records user activity in order to track it, and LNK files are one of the places where that happens. Today we will learn about the structure and forensic application of the LNK file as an artifact.

## File Path

LNK files created by a user can exist anywhere on the file system. The important thing to acknowledge is that LNK files created by the system are saved in a fixed path, shown below. A well-known example of this kind of LNK file is one linked to an original file that is used often.

```
[Windows 7 and After]
- C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
- C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent\

[Windows XP]
- C:\Documents and Settings\<username>\Recent
```

> [!NOTE]
> The fixed path depends on the operating system, so you must always check which operating system the host uses.

## Structure

What I think of the LNK file is that its structure is pretty complicated, because there are numerous sub-structures whose presence depends on flag values. For example, there is always a `ShellLinkHeader`; if the `HasLinkTargetIDList` flag is set there will be a `LinkTargetIDList`, and if the `HasLinkInfo` flag is set there will be a `LinkInfo` structure inside the file. Generally the `LinkInfo` structure is the one most commonly seen. So `ShellLinkHeader` and `LinkInfo` will be our first guests to be analyzed, with some practice.
### ShellLinkHeader

| Offset | Size | Description |
| ------ | ---- | ----------- |
| 0x00 | 4 | Header Size (**Always: 0x0000004C**) |
| 0x04 | 16 | LNK GUID: {00021401-0000-0000-c000-000000000046} |
| 0x14 | 4 | Data Flags (see below) |
| 0x18 | 4 | File Attribute Flags (see below) |
| 0x1C | 8 | Creation Time (FILETIME) |
| 0x24 | 8 | Last Accessed Time (FILETIME) |
| 0x2C | 8 | Last Modified Time (FILETIME) |
| 0x34 | 4 | File Size |
| 0x38 | 4 | Icon Index value |
| 0x3C | 4 | Window Action after execution (ShowWindow value, see below) |
| 0x40 | 2 | HotKey (see below) |
| 0x42 | 2 | Unknown (Reserved) |
| 0x44 | 4 | Unknown (Reserved) |
| 0x48 | 4 | Unknown (Reserved) |

- Data Flag value

| Value | Identifier | Description |
| ---------- | --------------------------- | ----------- |
| 0x00000001 | HasTargetIDList | The LNK file contains a link target identifier |
| 0x00000002 | HasLinkInfo | The LNK file contains location information |
| 0x00000004 | HasName | The LNK file contains a description data string |
| 0x00000008 | HasRelativePath | The LNK file contains a relative path data string |
| 0x00000010 | HasWorkingDir | The LNK file contains a working directory data string |
| 0x00000020 | HasArguments | The LNK file contains a command line arguments data string |
| 0x00000040 | HasIconLocation | The LNK file contains a custom icon location |
| 0x00000080 | IsUnicode | The data strings in the LNK file are stored in Unicode (UTF-16 little-endian) instead of ASCII |
| 0x00000100 | ForceNoLinkInfo | The location information is ignored |
| 0x00000200 | HasExpString | The LNK file contains an environment variables location data block |
| 0x00000400 | RunInSeparateProcess | A 16-bit target application is run in a separate virtual machine |
| 0x00000800 | | Unknown (Reserved) |
| 0x00001000 | HasDarwinID | The LNK file contains a Darwin (Mac OS-X) properties data block |
| 0x00002000 | RunAsUser | The target application is run as a different user |
| 0x00004000 | HasExpIcon | The LNK file contains an icon location data block |
| 0x00008000 | NoPidlAlias | The file system location is represented in the shell namespace when the path to an item is parsed into the link target identifiers |
| 0x00020000 | RunWithShimLayer | The target application is run with the shim layer. The LNK file contains a shim layer properties data block |
| 0x00040000 | ForceNoLinkTrack | The LNK does not contain a distributed link tracking data block |
| 0x00080000 | EnableTargetMetadata | The LNK file contains a metadata property store data block |
| 0x00100000 | DisableLinkPathTracking | The environment variables location block should be ignored |
| 0x00200000 | DisableKnownFolderTracking | Unknown |
| 0x00400000 | DisableKnownFolderAlias | Unknown |
| 0x00800000 | AllowLinkToLink | Unknown |
| 0x01000000 | UnaliasOnSave | Unknown |
| 0x02000000 | PreferEnvironmentPath | Unknown |
| 0x04000000 | KeepLocalIDListForUNCTarget | Unknown |

- File Attribute Flag

| Value | Identifier | Description |
| ---------- | ---------- | ----------- |
| 0x00000001 | FILE_ATTRIBUTE_READONLY | Is read-only |
| 0x00000002 | FILE_ATTRIBUTE_HIDDEN | Is hidden |
| 0x00000004 | FILE_ATTRIBUTE_SYSTEM | Is a system file or directory |
| 0x00000008 | | Reserved, not used by the LNK format (is a volume label) |
| 0x00000010 | FILE_ATTRIBUTE_DIRECTORY | Is a directory |
| 0x00000020 | FILE_ATTRIBUTE_ARCHIVE | Should be archived |
| 0x00000040 | FILE_ATTRIBUTE_DEVICE | Reserved, not used by the LNK format (is a device) |
| 0x00000080 | FILE_ATTRIBUTE_NORMAL | Is normal; none of the other flags should be set |
| 0x00000100 | FILE_ATTRIBUTE_TEMPORARY | Is temporary |
| 0x00000200 | FILE_ATTRIBUTE_SPARSE_FILE | Is a sparse file |
| 0x00000400 | FILE_ATTRIBUTE_REPARSE_POINT | Is a reparse point or symbolic link |
| 0x00000800 | FILE_ATTRIBUTE_COMPRESSED | Is compressed |
| 0x00001000 | FILE_ATTRIBUTE_OFFLINE | Is offline; the data of the file is stored on offline storage |
| 0x00002000 | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | Do not index content; the content of the file or directory should not be indexed by the indexing service |
| 0x00004000 | FILE_ATTRIBUTE_ENCRYPTED | Is encrypted |
| 0x00008000 | | Unknown (seen on Windows 95 FAT) |
| 0x00010000 | FILE_ATTRIBUTE_VIRTUAL | Is virtual; currently reserved for future use, not used by the LNK format |

- Window Action after execution

| Value | ID | Description |
| ----- | -- | ----------- |
| 0 | SW_HIDE | Hides the window and activates another window. |
| 1 | SW_NORMAL / SW_SHOWNORMAL | Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized. |
| 2 | SW_SHOWMINIMIZED | Activates and minimizes the window. |
| 3 | SW_MAXIMIZE / SW_SHOWMAXIMIZED | Activates and maximizes the window. |
| 4 | SW_SHOWNOACTIVATE | Displays the window in its most recent position and size without activating it. |
| 5 | SW_SHOW | Activates the window and displays it in its current size and position. |
| 6 | SW_MINIMIZE | Minimizes the window and activates the next top-level window (in order of depth, i.e. Z order). |
| 7 | SW_SHOWMINNOACTIVE | Displays the window as minimized without activating it. |
| 8 | SW_SHOWNA | Displays the window in its current size and position without activating it. |
| 9 | SW_RESTORE | Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized. |
| 10 | SW_SHOWDEFAULT | Sets the show state based on the ShowWindow values specified during the creation of the process. |
| 11 | SW_FORCEMINIMIZE | Minimizes a window, even if the thread that owns the window is not responding. |

- HotKeys

**Upper Bytes**

| Value | Identifier | Description |
| ----- | ---------- | ----------- |
| 0x01 | HOTKEYF_SHIFT | The shift key |
| 0x02 | HOTKEYF_CONTROL | The control key |
| 0x04 | HOTKEYF_ALT | The alt key |

**Lower Bytes**

| Value | Identifier | Description |
| ----- | ---------- | ----------- |
| 0x30 – 0x39 | | Numeric keys 0 - 9 |
| 0x41 – 0x5a | | Upper case alphabetical keys A - Z |
| 0x70 | VK_F1 | Function key 1 |
| 0x71 | VK_F2 | Function key 2 |
| 0x72 | VK_F3 | Function key 3 |
| 0x73 | VK_F4 | Function key 4 |
| 0x74 | VK_F5 | Function key 5 |
| 0x75 | VK_F6 | Function key 6 |
| 0x76 | VK_F7 | Function key 7 |
| 0x77 | VK_F8 | Function key 8 |
| 0x78 | VK_F9 | Function key 9 |
| 0x79 | VK_F10 | Function key 10 |
| 0x7a | VK_F11 | Function key 11 |
| 0x7b | VK_F12 | Function key 12 |
| 0x7c | VK_F13 | Function key 13 |
| 0x7d | VK_F14 | Function key 14 |
| 0x7e | VK_F15 | Function key 15 |
| 0x7f | VK_F16 | Function key 16 |
| 0x80 | VK_F17 | Function key 17 |
| 0x81 | VK_F18 | Function key 18 |
| 0x82 | VK_F19 | Function key 19 |
| 0x83 | VK_F20 | Function key 20 |
| 0x84 | VK_F21 | Function key 21 |
| 0x85 | VK_F22 | Function key 22 |
| 0x86 | VK_F23 | Function key 23 |
| 0x87 | VK_F24 | Function key 24 |
| 0x90 | VK_NUMLOCK | Num lock key |
| 0x91 | VK_SCROLL | Scroll lock key |

### LinkInfo

| Offset | Size | Description |
| ------ | ---- | ----------- |
| 0 | 4 | LinkInfo size |
| 4 | 4 | Header Size |
| 8 | 4 | Location Flags (see below) |
| 12 | 4 | Volume Information Offset |
| 16 | 4 | Local Path Offset |
| 20 | 4 | Network Share Offset |
| 24 | 4 | Normal Path Offset |

`if header size ≥ 0x1C`

| Offset | Size | Value | Description |
| ------ | ---- | ----- | ----------- |
| | | | Local Path Offset (Unicode) |
| … | … | | Volume Information |
| … | … | | Local Path String (ASCII) (Local Information) |
| … | … | | Shared Path String (ASCII): ASCII string terminated by an end-of-string character (Network Share) |

`if header size ≥ 0x20`

| Offset | Size | Value | Description |
| ------ | ---- | ----- | ----------- |
| … | … | | Shared Path Offset (Unicode) |
| | … | | Volume Information |
| … | … | | Local Path String (ASCII) |
| … | … | | Shared Path String (UTF-16 LE) |

- Location Flags

| Value | Identifier | Description |
| ----- | ---------- | ----------- |
| 0x0001 | VolumeIDAndLocalBasePath | The linked file is on a volume; if set, the volume information and the local path contain data |
| 0x0002 | CommonNetworkRelativeLinkAndPathSuffix | The linked file is on a network share; if set, the network share information and common path contain data |

## Data

You might have grasped what is in the data structure if you looked at the previous chapter. However, we admit that the tables above are quite complex, so in this chapter we will cover only the main information, briefly.

### Timestamp

The essence of the LNK artifact is retrieving when and how a certain file was used. So what we can get first-hand is the creation time of the LNK file itself and the timestamps of the original file linked by the LNK file.

### Absolute path & Device Info

Inside the LNK file there are sections where the file name and path of the original file are recorded. But you must be careful, since different encodings are used in each case. There is also Volume Information for the device where the executed file is located, which helps to distinguish whether that device is a local or an external one.

> [!Warning] Cautions
>
> Do you remember that different data encodings were used by structure? Unicode (UTF-8), ASCII and Unicode (UTF-16LE) encodings are used to handle data depending on the header size. This is why corrupted output is frequent when data parsing tools are used. Don't simply blame the tool for the error; change its encoding to get proper results.
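As an added example (not code from the original article or from the tools linked below), here is a small Python parser for the two structures covered above: it reads the `ShellLinkHeader` fields at the offsets in the table, skips the `LinkTargetIDList` when `HasTargetIDList` is set, and follows the `LinkInfo` offsets to recover the volume serial, label and local path. The input is a constructed byte string built by `build_sample()`, not a real `.lnk` file; it assumes ASCII strings and a 0x1C-byte LinkInfo header, so the Unicode offset fields from the caution above are not exercised.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_GUID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_IDLIST, HAS_LINKINFO, FORCE_NO_LINKINFO = 0x01, 0x02, 0x100

def filetime(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def cstr(data, off):  # NUL-terminated ASCII string starting at off
    return data[off:data.index(b"\x00", off)].decode("ascii")

def parse_linkinfo(data, base):
    """Parse the LinkInfo structure at base; all offsets inside it are relative to base."""
    _size, _hdr, lflags, vol_off, local_off, _net_off, suffix_off = struct.unpack_from("<7I", data, base)
    out = {"location_flags": lflags}
    if lflags & 0x1:  # VolumeIDAndLocalBasePath: Volume Information and Local Path are present
        vol = base + vol_off
        _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
        out.update(drive_type=drive_type, serial=f"{serial:08X}",
                   label=cstr(data, vol + label_off), local_path=cstr(data, base + local_off))
    out["common_path"] = cstr(data, base + suffix_off)  # "Normal Path", appended to the base path
    return out

def parse_lnk(data):
    """Parse ShellLinkHeader, skip LinkTargetIDList if present, then parse LinkInfo."""
    (size, guid, flags, attrs, ctime, atime, mtime, fsize, _icon,
     show, hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != 0x4C or guid != LNK_GUID:
        raise ValueError("not a ShellLinkHeader")
    info = {"flags": flags, "attrs": attrs, "created": filetime(ctime), "accessed": filetime(atime),
            "modified": filetime(mtime), "size": fsize, "show": show, "hotkey": hotkey}
    pos = 0x4C
    if flags & HAS_IDLIST:  # LinkTargetIDList: uint16 IDListSize followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO and not flags & FORCE_NO_LINKINFO:
        info.update(parse_linkinfo(data, pos))
    return info

def build_sample():
    """Constructed sample bytes (not a real file): header, empty IDList, LinkInfo for a local file."""
    label, path = b"OS\x00", b"C:\\Users\\alice\\report.docx\x00"
    vol = struct.pack("<4I", 16 + len(label), 3, 0x1A2B3C4D, 16) + label  # drive type 3 = fixed disk
    local_off = 28 + len(vol)
    body = vol + path + b"\x00"  # Volume Information, Local Path, empty Normal Path
    linkinfo = struct.pack("<7I", 28 + len(body), 28, 1, 28, local_off, 0, local_off + len(path)) + body
    ft = 132000000000000000  # FILETIME for 2019-04-17 18:40:00 UTC
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_GUID, HAS_IDLIST | HAS_LINKINFO, 0x20,
                         ft, ft, ft, 4096, 0, 1, 0) + b"\x00" * 10  # 10 reserved bytes
    return header + struct.pack("<HH", 2, 0) + linkinfo  # IDListSize 2 = TerminalID only
```

Replace `build_sample()` with the bytes of a file from the Recent folder to try it on real data; the volume serial and drive type are what distinguish a local disk from removable media.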
## Analysis Tool

- 010 Editor ( [LNK format](https://www.sweetscape.com/010editor/repository/files/LNK.bt) )
- LNK parser ( [download](http://forensic.korea.ac.kr/tools/20170327_LinkParser.exe) )

## Conclusion

LNK files are used quite a lot, but there are not so many cases in which you have to rely on them. Since it may be dark under the lamp, using this artifact in the proper situations is enough. There is a lot of information to handle but little that you will actually need, so keep in mind that there may be outputs that look wrong but are not actually wrong. And try building a tool from the structures given in this article as practice. Good luck :)