Forensic investigators use LNK shortcut files to recover metadata about recently accessed files, including files deleted after the time of access. In a recent investigation, FireEye Mandiant encountered LNK files that indicated an attacker accessed files included in Windows Explorer search results. In our experience, this was a new combination of forensic artifacts. We’re excited to share our findings because they help to paint a more complete picture of an attacker’s actions and objectives on targeted systems. Further, these findings can also be leveraged for insider threat cases to determine the path used to locate and subsequently open a file.
Windows LNK Format
The .lnk extension is associated with a class of files known as Shell Items. These binary format files contain information that can be used to access other data objects in the Windows shell (the graphical user interface).
LNK shortcut files are one type of Shell Item. They are created by the Windows operating system automatically when a user accesses a file from a supported application but can also be created by the user manually. LNK shortcut files typically contain metadata about the accessed file, including the file name and size, the original path, timestamps, volume and system information (ex. drive type and system hostname), and network information (ex. network share path). Fortunately, there are tools available that can parse these files. While internally at Mandiant we leverage FireEye Endpoint Security to parse LNK files and identify suspicious user search terms, for the purposes of this blog post we will be using LECmd by Eric Zimmerman.
Parsed metadata within LNK shortcut files is relevant to forensic investigations for multiple use cases, including profiling user activity on a system or searching for references to malware that has since been deleted.