On Live System: (Can be used for collected lnk files)
Key Data Extracted from LNK Files:
When parsing LNK files, forensic investigators focus on extracting vital metadata, including:
Source path of the file and its time tags:
Full path
Target file access time (UTC)
Target file creation time (UTC)
Target file modification time (UTC)
Drive type
Volume serial number (Drive serial number)
Volume label
Target file size (bytes)
Additionally, certain fields such as 'Droid file' and 'Birth droid file' may also be present. DROID (Digital Record Object Identification) represents the individual profile of a file and can be utilized by the Link Tracking Service to determine whether the file has been copied or moved.
Command and Execution:
Forensic analysts utilize specialized tools like LECmd to parse LNK files efficiently. The following command demonstrates how LNK file parsing can be executed:
LECmd.exe -d C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent -q --csv .\
In this command:
LECmd.exe represents the executable file of the parsing tool.
-d indicates selecting all directories. (or put location where lnk files are present)
C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent denotes the path where LNK files are located.
-q ensures only the filename being processed is displayed to speed up exporting to CSV.
--csv specifies the output format as CSV.
.\ signifies storing the output in the current working directory.
Conclusion:
Parsing LNK files is a crucial step in digital forensics, enabling investigators to extract essential metadata and uncover valuable evidence. By leveraging specialized tools and understanding the key components of LNK file parsing, forensic analysts can effectively analyze file access history and user activities, contributing to comprehensive forensic investigations.
Comments