Computer Forensics Miscellany

Link Files

I have always considered that there should be some forensically useful conclusions that could be drawn from the different dates and times associated with Windows Shortcut Files (referred to here as link files). A common request to an examiner might be “Can you tell whether the suspect has viewed this file after it has been downloaded?” The aim of this paper is to answer that question and, at the same time, to provide other related information that will be of practical value in computer examinations.

Each link file has its own Created, Modified and Accessed dates, and within each link file there are Created, Modified and Accessed dates which belong to the target file. In addition, if the target file still exists on the media, that file has its own three dates.

The purpose of this paper is to explore how these nine dates relate to each other and what conclusions can be drawn from the relationships that exist.

In addition to the dates within link files, there may be Globally Unique Identifiers (GUIDs) embedded in a link file, which can provide information about the origins, history and movement of the target file.
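The three target-file dates carried inside a link file sit at fixed offsets in its 76-byte header. The following Python code is an added example, not part of the original paper: it reads those dates using the ShellLinkHeader layout from Microsoft's [MS-SHLLINK] specification. The function names and the sample header are constructed for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# First 64 bytes of the 76-byte ShellLinkHeader ([MS-SHLLINK]): HeaderSize,
# LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime,
# FileSize, IconIndex, ShowCommand. HotKey and reserved fields follow.
HEADER = struct.Struct("<I16sIIQQQIII")
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_target_dates(data):
    """Return the target file's embedded dates from raw link file bytes."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than a ShellLinkHeader")
    (size, clsid, _flags, _attrs, created, accessed, written,
     file_size, _icon, _show) = HEADER.unpack_from(data)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a shell link header")
    return {"created": filetime_to_utc(created),
            "accessed": filetime_to_utc(accessed),
            "modified": filetime_to_utc(written),
            "file_size": file_size}


def _to_filetime(dt):
    """Helper used only to build the constructed sample below."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


# Constructed sample header (not taken from a real case).
SAMPLE = HEADER.pack(
    HEADER_SIZE, LINK_CLSID.bytes_le, 0, 0x20,
    _to_filetime(datetime(2009, 3, 1, 10, 0, tzinfo=timezone.utc)),   # created
    _to_filetime(datetime(2009, 3, 2, 9, 30, tzinfo=timezone.utc)),   # accessed
    _to_filetime(datetime(2009, 2, 27, 16, 45, tzinfo=timezone.utc)), # modified
    2048, 0, 1) + bytes(12)  # HotKey, Reserved1-3

if __name__ == "__main__":
    for name, value in parse_target_dates(SAMPLE).items():
        print(f"{name:10} {value}")
```

The link file's own three dates and those of a surviving target file come from the file system rather than from this header, so they have to be collected separately before the nine values can be compared.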

The Meaning of Link Files in Forensic Examinations