LECmd: A Powerful Tool for Investigating LNK Files
- Feb 16, 2024
- 4 min read
Updated: Jan 22
This article has been updated on 22 January 2025.
When investigating user activity on a Windows system, LNK (shortcut) files serve as a vital source of evidence. However, analyzing them manually or with incomplete tools can result in missing key data. Enter LECmd (LNK Explorer Command Line Edition)—a tool developed by Eric Zimmerman to fully decode and extract every bit of information from LNK files.
-----------------------------------------------------------------------------------------------------
Why LECmd? A Tool That Doesn't Hide Data
Many forensic tools process LNK files, but not all of them extract every available piece of metadata. Some tools selectively drop or ignore certain data structures without notifying the examiner.
LECmd was created to ensure that all metadata from an LNK file is preserved and presented to the investigator, even the data structures that appear irrelevant in most cases.
-----------------------------------------------------------------------------------------------------
What Does LECmd Extract from an LNK File?
LNK files contain a wealth of metadata about accessed files and folders. LECmd extracts and organizes this information into several key sections:
1️⃣ Header Information
The header contains essential details about the file, including:
✅ File Timestamps – Creation, modification, and last access times.
✅ File Attributes & Flags – File properties like hidden, system, or read-only status.
✅ File Path & Size – The original location of the file and its size.
✅ Working Directory & Relative Path – The folder the file was stored in and its location relative to system paths.
🔍 Forensic Insight:
The creation time of an LNK file represents the first time a user accessed that file, while the modification time indicates the last time the file was opened.
On a live system (the same approach also works on collected LNK files): [command screenshot not reproduced here]
-----------------------------------------------------------------------------------------------------
2️⃣ Link Information
The Link Information section reveals how the file was accessed:
✅ Drive Type – Whether the file was on a local drive, removable USB, or network share.
✅ Volume Serial Number – Unique identifier for the storage device.
✅ UNC Path (if applicable) – Network location if the file was accessed via a shared drive.
🔍 Forensic Insight:
If an LNK file points to a USB drive, forensic analysts can match the volume serial number with known USB devices to track data transfers.
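To show concretely where the header and Link Information fields above live inside an LNK file, here is an added example (not LECmd's code and not from the original article) that builds a minimal ShellLink in memory and parses it back. The layout follows the documented MS-SHLLINK structure: a 76-byte header (CLSID, LinkFlags, FileAttributes, three FILETIME timestamps, FileSize), followed by a LinkInfo block containing the VolumeID (drive type, volume serial number, label) and the local base path. The sample file, its timestamps, volume label and serial number are all constructed here; only the ANSI volume label form is decoded (the Unicode-label variant is noted but skipped), and the optional LinkTargetIDList is skipped rather than decoded.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Subset of LinkFlags, FileAttributes and DriveType values from MS-SHLLINK.
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
              0x20: "ARCHIVE", 0x80: "NORMAL"}
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
               3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def build_sample_lnk():
    """Constructed sample: header + LinkInfo pointing at a file on a removable volume."""
    created = datetime(2023, 3, 24, 17, 20, tzinfo=timezone.utc)   # first open of the target
    accessed = datetime(2025, 1, 21, 19, 41, tzinfo=timezone.utc)
    written = datetime(2023, 3, 24, 17, 22, tzinfo=timezone.utc)   # last open of the target
    link_flags = 0x02 | 0x10 | 0x80                                 # HasLinkInfo|HasWorkingDir|IsUnicode
    # HeaderSize, CLSID, LinkFlags, FileAttributes, Creation, Access, Write, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 (76 bytes = 0x4C).
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, link_flags, 0x20,
                         dt_to_filetime(created), dt_to_filetime(accessed),
                         dt_to_filetime(written), 4055968, 0, 1, 0, 0, 0, 0)
    label = b"USB_EVIDENCE\x00"                                     # constructed volume label
    # VolumeID: VolumeIDSize, DriveType (2 = removable), DriveSerialNumber, VolumeLabelOffset (0x10).
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 0x10) + label
    local_base = b"D:\\Exports\\Q1_report.xlsx\x00"
    common_suffix = b"\x00"
    vol_off = 0x1C                                                  # LinkInfoHeaderSize
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(local_base)
    link_info_size = suffix_off + len(common_suffix)
    # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags (1 = VolumeIDAndLocalBasePath),
    # VolumeIDOffset, LocalBasePathOffset, CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset.
    link_info = struct.pack("<IIIIIII", link_info_size, 0x1C, 0x1, vol_off, base_off, 0,
                            suffix_off) + volume_id + local_base + common_suffix
    return header + link_info


def cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_header(data):
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    return {"raw_flags": flags,
            "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
            "file_attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
            "created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "modified": filetime_to_dt(wtime), "file_size": fsize}


def parse_link_info(data, offset):
    (size, _hdr_size, flags, vol_off, base_off,
     _net_off, _suffix_off) = struct.unpack_from("<IIIIIII", data, offset)
    info = {"flags": flags, "has_network_link": bool(flags & 0x2)}
    if flags & 0x1:  # VolumeIDAndLocalBasePath
        vid = offset + vol_off
        vid_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vid)
        if label_off == 0x14:   # Unicode label variant: not decoded in this example
            label = "<unicode label>"
        else:
            label = data[vid + label_off:vid + vid_size].split(b"\x00", 1)[0].decode("cp1252")
        info.update(drive_type=DRIVE_TYPES.get(drive_type, f"UNKNOWN({drive_type})"),
                    volume_serial=f"{serial:08X}", volume_label=label,
                    local_base_path=cstring(data, offset + base_off))
    return info, offset + size


def parse_lnk(data):
    header = parse_header(data)
    offset = 0x4C
    if header["raw_flags"] & 0x01:          # HasLinkTargetIDList: skip the size-prefixed IDList
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    link_info = None
    if header["raw_flags"] & 0x02:          # HasLinkInfo
        link_info, offset = parse_link_info(data, offset)
    return header, link_info


if __name__ == "__main__":
    hdr, li = parse_lnk(build_sample_lnk())
    print(hdr)
    print(li)
```

The two timestamp checks the article describes map directly onto the parsed fields: `created` from the header is the first open of the target, `modified` is the last open, and `volume_serial` plus `drive_type` from LinkInfo are what you would match against known removable devices.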
-----------------------------------------------------------------------------------------------------
3️⃣ Target ID Information
This section contains shell items similar to those found in Windows ShellBags, including:
✅ Master File Table (MFT) Information – Links to the file’s original NTFS metadata

✅ Timestamps for Folders & Files – Indicates when each part of the file path was created and accessed.

🔍 Forensic Insight:
The absolute path in this section can reconstruct the full location of a file or folder, even if it was moved.
---------------------------------------------------------------------------------------------------------
4️⃣ Extra Blocks Information
LNK files often contain additional undocumented metadata, stored in Extra Blocks.
This data includes:
✅ Console Properties – Information about terminal activity.
✅ Property Store Structures – Additional file metadata, sometimes including user interaction details.
🔍 Forensic Insight:
Some Extra Blocks store remnants of file paths or folder interactions, even if they are no longer in use.
---------------------------------------------------------------------------------------------------------
How to Use LECmd for Large-Scale Investigations
🔍 Parsing a Single LNK File
To extract all metadata from a single LNK file, use:
LECmd.exe -f "C:\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\Microsoft Edge.lnk"

🔍 Forensic Insight:
This command provides the most detailed breakdown of a single LNK file, useful when analyzing a specific file of interest.
---------------------------------------------------------------------------------------------------------
🔍 Parsing an Entire Directory of LNK Files
For bulk analysis, use the -d option to parse all LNK files in a folder:
LECmd.exe -d G:\G\Users --csv "E:\Output for testing" --csvf lnkfile.csv

🔍 Forensic Insight:
This is the best method for quickly reviewing user activity, as it produces a CSV report containing timestamps, file paths, and device details.
---------------------------------------------------------------------------------------------------------
Using Timestamps to Uncover User Activity
LNK files contain two sets of timestamps:
1️⃣ Source Timestamps (LNK file timestamps)
Indicate when the shortcut was created or last updated (i.e., when the user first and last opened the file).

2️⃣ Target Timestamps (File metadata timestamps)
Indicate the original file’s creation, modification, and last accessed times.

🔍 Forensic Insight:
By comparing source and target timestamps, investigators can determine if a file was copied or moved.
🚀 Example:
A file is copied from a USB drive (D:) to the local system (C:).
The target creation timestamp on the C: drive will be newer than the target modification timestamp from the D: drive.
This proves the file was copied from the USB drive rather than created locally.
---------------------------------------------------------------------------------------------------------
Example: Tracking USB File Transfers with LECmd
Imagine an employee is suspected of stealing company documents using a USB drive. Investigators could use LECmd to analyze their LNK files and reveal when and where files were accessed.
🚀 Case Study Walkthrough
1️⃣ Run LECmd on the suspect’s user profile Recent folder:
2️⃣ Review the CSV output and look for references to the USB drive (e.g., D: or E:).

Target ID Section may include a Volume Serial Number linked to a specific USB.
Target Creation Timestamps may indicate when files were copied to the device.
3️⃣ Confirm that sensitive files were accessed just before removal of the USB.
If LNK timestamps align with the suspect's departure time, the case for data theft strengthens.
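The copy check from the timestamps section and the CSV review in the case study above are the same triage logic, so here is one added example (not part of the original article and not LECmd's own code) that applies both to the kind of report `--csv` produces: flag rows whose target sits on removable media, flag rows where the target's creation time is newer than its modification time (a copy keeps the original modification time but gets a fresh creation time), pair a copied local file with the removable-media entry of the same name, and report the last removable-media access to compare with a departure time. The three rows are constructed; the column names follow the page's example output table and the date format shown there, while the real header names in an LECmd CSV export are an assumption and may need adjusting.

```python
import csv
import io
from datetime import datetime

# The page's sample output prints timestamps as dd-MM-yyyy HH:mm.
DT_FMT = "%d-%m-%Y %H:%M"

# Constructed sample rows (not real LECmd output). Column names copy the page's example table;
# assumption: a real --csv export may name columns differently, so adjust the keys below if so.
SAMPLE_CSV = """\
Source File,Source Created,Source Modified,Source Accessed,Target Created,Target Modified,Target Accessed,Drive Type,Volume Serial Number,Local Path
C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Microsoft Edge.lnk,24-03-2023 17:20,24-03-2023 17:22,21-01-2025 19:41,11-04-2022 18:47,21-03-2023 18:47,24-03-2023 17:22,Fixed storage media (Hard drive),60562114,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Q1_forecast.lnk,24-03-2023 17:05,24-03-2023 17:31,24-03-2023 17:31,20-03-2023 09:00,23-03-2023 16:40,24-03-2023 17:31,Removable storage media (USB),1A2B3C4D,D:\\Exports\\Q1_forecast.xlsx
C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Q1_forecast (2).lnk,24-03-2023 17:33,24-03-2023 17:33,24-03-2023 17:33,24-03-2023 17:32,23-03-2023 16:40,24-03-2023 17:33,Fixed storage media (Hard drive),60562114,C:\\Users\\jdoe\\Documents\\Q1_forecast.xlsx
"""


def parse_dt(value):
    return datetime.strptime(value.strip(), DT_FMT)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(csv_text):
    """One finding per LNK row, with the removable-media and copy checks applied."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        target_created = parse_dt(row["Target Created"])
        target_modified = parse_dt(row["Target Modified"])
        finding = {
            "lnk": basename(row["Source File"]),
            "target": row["Local Path"],
            "first_opened": parse_dt(row["Source Created"]),   # LNK created = first open
            "last_opened": parse_dt(row["Source Modified"]),   # LNK modified = last open
            "volume_serial": row["Volume Serial Number"],
            "flags": [],
        }
        if "removable" in row["Drive Type"].lower():
            finding["flags"].append("REMOVABLE_MEDIA")
        if target_created > target_modified:
            # A copied file gets a new creation time but keeps its original modification time.
            finding["flags"].append("LIKELY_COPIED")
        findings.append(finding)
    return findings


def copied_from_removable(findings):
    """Pair each LIKELY_COPIED local target with a removable-media entry of the same file name.

    Returns (removable_path, local_path, time_local_copy_first_opened) tuples."""
    removable = {basename(f["target"]).lower(): f
                 for f in findings if "REMOVABLE_MEDIA" in f["flags"]}
    pairs = []
    for f in findings:
        name = basename(f["target"]).lower()
        if ("LIKELY_COPIED" in f["flags"] and "REMOVABLE_MEDIA" not in f["flags"]
                and name in removable):
            pairs.append((removable[name]["target"], f["target"], f["first_opened"]))
    return pairs


def latest_removable_access(findings):
    """Most recent open of any target on removable media, to compare with a departure time."""
    times = [f["last_opened"] for f in findings if "REMOVABLE_MEDIA" in f["flags"]]
    return max(times) if times else None


if __name__ == "__main__":
    results = triage(SAMPLE_CSV)
    for f in results:
        print(f["lnk"], f["last_opened"], f["flags"])
    print("copies from removable media:", copied_from_removable(results))
    print("last removable-media access:", latest_removable_access(results))
```

The pairing by file name is deliberately loose: it surfaces candidates for the examiner to confirm against the volume serial number and the Target ID timestamps, rather than asserting that two LNK entries refer to the same bytes.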
---------------------------------------------------------------------------------------------------------
Conclusion: Why LECmd is a Must-Have Forensic Tool
LECmd provides deep insight into user activity on a Windows system. By fully decoding every piece of metadata from LNK files, investigators can:
✅ Track accessed files and folders
✅ Identify USB devices and removable media use
✅ Prove file movement and copying activity
✅ Analyze timestamps to reconstruct user actions
Whether conducting an insider threat investigation, data exfiltration case, or simply tracking user activity, LECmd is an essential tool for forensic professionals.
---------------------------------------------------------------------------------------------------------
Example of Output
Field | Value
Source File | G:\G\Users\Jean-Luc\Desktop\Microsoft Edge.lnk
Source Created | 24-03-2023 17:20
Source Modified | 24-03-2023 17:22
Source Accessed | 21-01-2025 19:41
Target Created | 11-04-2022 18:47
Target Modified | 21-03-2023 18:47
Target Accessed | 24-03-2023 17:22
Drive Type | Fixed storage media (Hard drive)
Target ID Absolute Path | This PC\C:\@shell32.dll,-21817\Microsoft\Edge\Application\msedge.exe
File Size | 4055968
Working Directory | C:\Program Files (x86)\Microsoft\Edge\Application
Volume Serial Number | 60562114
Local Path | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Target MFT Entry Number | 0x18207
Machine ID | xspace2197
Machine MAC Address | 44:e5:17:ed:50:3e