Computer Forensics Miscellany

Link Files

I have always considered that there should be some forensically useful conclusions that could be drawn from the different dates and times associated with Windows Shortcut Files (referred to here as link files). A common request to an examiner might be “can you tell whether the suspect has viewed this file after it has been downloaded”; the aim of this paper is to answer that question and at the same time provide other related information that will be of practical value in computer examinations.

Each link file has its own Created, Modified and Accessed dates, and within each link file there are Created, Modified and Accessed dates that belong to the target file. In addition, if the target file still exists on the media, that file has its own three dates.

The purpose of this paper is to explore how these nine dates relate to each other and what conclusions can be drawn from the relationships that exist.

In addition to the dates within link files there may be Globally Unique Identifiers (GUIDs) embedded in a link file which can provide information about the origins, history and movement of the target file.
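As an added illustration of the first six of those nine dates (example code written for this page, not part of the paper or of Paul Tew's parser), the following Python reads the three target FILETIMEs from the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK and sets them beside the link file's own file-system dates. The header bytes it builds are constructed sample data, not taken from a real image.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# Fixed 76-byte ShellLinkHeader (MS-SHLLINK section 2.1). The three target
# timestamps are FILETIMEs stored right after LinkFlags and FileAttributes.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQI"  # HeaderSize .. FileSize, the first 56 bytes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means the field is unset."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above (integer arithmetic, so no float rounding); used to build samples."""
    td = dt.astimezone(timezone.utc) - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


def parse_lnk_header(data):
    """Return the target's Created/Accessed/Modified times and size from a .lnk header."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    size, clsid, _flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID mismatch: not a shell link")
    return {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime),
            "target_size": fsize}


def link_dates(path):
    """The link file's own three file-system dates beside the three embedded target dates.
    Note: st_ctime is a creation time only on Windows; on Linux it is the inode change time."""
    st = os.stat(path)
    with open(path, "rb") as f:
        embedded = parse_lnk_header(f.read(HEADER_SIZE))
    own = {"link_created": datetime.fromtimestamp(st.st_ctime, timezone.utc),
           "link_accessed": datetime.fromtimestamp(st.st_atime, timezone.utc),
           "link_modified": datetime.fromtimestamp(st.st_mtime, timezone.utc)}
    return {**own, **embedded}


def build_sample_header(created, accessed, modified, size=4096):
    """Constructed 76-byte header (sample data, not from a real disk image)."""
    body = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), size)
    return body + b"\x00" * (HEADER_SIZE - len(body))  # IconIndex .. Reserved3 left zero
```

`link_dates()` only covers the six dates in and on the link itself; the target's own three dates, if it still exists, come from a separate `os.stat` on the path recovered from the link's LinkInfo structure, which this snippet does not parse.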

The Meaning of Link Files in Forensic Examinations

My colleague Paul Tew has developed a program to parse link files. The latest release is in line with the current MS-SHLLINK v5.0 document.

There are three executables in the latest release which all work in exactly the same way using the same command-line switches:

  • Win x86
  • Win x64
  • Linux

These are available here.