We've all heard of "Link" or "LNK" files, right? You want a faster way to open your favorite game, document or application without needing to navigate to its directory each time, so you create a shortcut file. Yeah yeah, we've all done that; but did you know that Windows creates these shortcut or "LNK" files for you each time a file is created and opened?
Windows 7-11 Location: C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent
Windows XP Location: C:\Documents and Settings\%username%\Recent\
- LNK files can be used to show file/folder interaction
- A LNK file can also be created upon creation of a file
- Non-executable files that are interacted with create two LNK files (one for the target file and one for the parent folder of the target file)
- Typically limited to 149 LNK files per user (these will then be overwritten as more files are interacted with). NOTE: Newer systems may be limited to 20 LNK files per extension or filetype
- Can potentially be recovered utilizing forensics software and extracting from unallocated space within the filesystem
- A LNK file is known as a "shell" item
- Can contain file MAC timestamps, volume information, path and location, and drive letters
- LNK files can be used to show what a Threat Actor (TA) interacted with on the system and help identify files that are no longer on the system but once had presence. This can also be useful as an indication of suspicious data exfiltration and suspicious file interaction
- Creation of a file on Windows 10+ will create a LNK file
- Requires a forensics tool to parse (such as Eric Zimmerman's LECmd)
- Can be easily cleared or deleted by a TA
Now that I have your attention, let's dive a bit into what exactly a LNK file is. Although a LNK file is, in a nutshell, a shortcut, it can also be categorized as what's known as a "Shell" item. The definition of a Shell item is fairly straightforward. Think of a "shell". Usually there's something contained therein, right? Well, this is the same for LNK files and Windows Shell files. These essentially contain data that points to another file. Let's circle back briefly to the shortcut file you created for your favorite game. You created this file (or it was automatically created when the game/software was downloaded) to more easily access the file, right? Well, the shortcut file that was created essentially points to the actual location of the file. Hence, a shell file. We'll discuss other types of shell files, such as Jumplists and Shellbags, another day.
The "shell" file can contain information such as a location, shared path, timestamps, various metadata such as size, and even the record location on the filesystem. You can see where I'm going with this right? A single LNK file can contain a large amount of interesting information.
We don't want to hear about automatic shortcuts that we can clearly see are created when we install a new application or software, right? We're here to dig a bit deeper and learn how to utilize these in real investigations.
As I mentioned earlier, you may not know that Windows is creating LNK files for you each time you interact with a file. Don't believe me? Go ahead and navigate to the 'C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent' directory and see what's in there. Note that this location is valid for Windows 7-11. Windows XP systems will have these located in 'C:\Documents and Settings\%username%\Recent\'
Well, what did you find? Over 100 different LNK/shortcut files for the various files you interacted with through your regular use of your laptop?
Great! You found the LNK files! Investigation over, right? Well, let's learn a bit more about how these files operate. Once we better understand what a LNK file really is, we can be a bit more confident in using these for investigations and reports.
Typically, the Windows OS will create two LNK files when a non-executable file is opened. Think of your Word documents, PDFs, text files, etc. One points to the target file and the other to the folder where the target file resided. More data and timestamps!
You might be asking: well, I know I've opened more than 100 files before, so why am I only seeing a lower number of LNK files? This is because the Recent folder (the location where LNK files reside) can only hold 149 files on older systems and 20 per filetype on Windows 10+. So think of LNK files as being fairly volatile. During your investigation, take note that everything you're opening on the impacted system is generating additional artifacts in the background. You could be overwriting useful LNK files as you investigate the system! This is why creating a separate image, whether a triage collection or a full disk capture, is extremely important.
When you analyze a LNK file, you'll notice there are numerous timestamps displayed. This can be used to show the first and last time the file was interacted with.
Remember when you looked at your "Recent" folder? Let's head back there and take another look at the timestamps. You'll notice two timestamps within your File Explorer view. Created and Modified. Note that the Modified timestamp shows you the last time the file was interacted with and the Created indicates the first time.
Have a good understanding of LNK files yet? Let's dig a bit deeper utilizing the tool mentioned above, Eric Zimmerman's LECmd. This will parse a LNK file and extract more useful information from it. Remember that a LNK file is a shell item? This means there's more information contained within this file; we just need a way to extract and normalize it.
Although this writeup won't go into detail on how to use the aforementioned tool (that can be for another day), this is what you can expect the results to be if run against a "Recent" directory.
As we can see, a wealth of information is displayed. As we learned, we can see the "source" and "target" timestamps as well as the filename, volume information, path, etc. Now imagine running this in bulk against all user folders on a system and viewing the LNK files in a CSV! This can contribute to an overall timeline of your event.
Keep in mind that, as with most Windows artifacts (Event Logs, for example), the LNK files and "Recent" folder can be cleared by a TA. As shown in the below image, I was able to clear the Recent Items directory. Although there are many pieces to an intrusion analysis investigation, this is only one approach to assist with your analysis.
The Technical Part
LNK files can be broken into four general parts:
- Header
- Link info
- Target ID data
- Unused blocks of data for additional information
Header
This contains the information most useful for intrusion analysis, such as the MAC timestamps, along with the header information itself. This includes the file size, any flags present within the file, and the directory/path of the file.
Link Info
Defines the structure of the data, such as the volume and serial number of where the LNK target file resides.
Target ID Data
This can contain the absolute path of the target file.
Unused Blocks of Data
Anything not contained within the aforementioned three locations can reside here.
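As an added example (not from the original post), here is a minimal Python parser for the first three parts described above, run against a constructed sample .lnk built in memory rather than a real file from a Recent folder. It pulls the target's MAC timestamps and size from the header, skips the target ID list, and reads the volume serial, label and local base path from the link info section; field offsets and flag values follow the MS-SHLLINK layout, and the sample path, label and serial are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):  # FILETIME = 100 ns ticks since 1601-01-01; 0 means "not set"
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):  # inverse, used only to build the constructed sample below
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def _cstr(data, start):  # NUL-terminated ANSI string at the given offset
    return data[start:data.index(b"\x00", start)].decode("latin-1")

def parse_lnk(data):
    """Header timestamps/size, then volume and local base path from LinkInfo (MS-SHLLINK layout)."""
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"flags": flags, "attributes": attrs, "target_size": fsize,
            "target_created": filetime_to_utc(ctime), "target_accessed": filetime_to_utc(atime),
            "target_modified": filetime_to_utc(wtime)}
    pos = 0x4C  # ShellLinkHeader is always 76 bytes
    if flags & 0x01:  # HasLinkTargetIDList: skip it (the 2-byte size prefix is not counted in the size)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: offsets inside it are relative to its own start (pos)
        _size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath present
            _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            info["drive_type"] = drive_type  # 3 == DRIVE_FIXED, 2 == DRIVE_REMOVABLE
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = _cstr(data, pos + vol_off + label_off)
            info["local_base_path"] = _cstr(data, pos + base_off)
    return info

def build_sample_lnk():
    """Constructed .lnk: one ItemID in the IDList, a fixed-disk VolumeID and a local base path."""
    created, accessed, modified = (utc_to_filetime(datetime(*d, tzinfo=timezone.utc)) for d in
                                   ((2023, 5, 10, 8, 15), (2023, 6, 1, 17, 2), (2023, 5, 30, 11, 45)))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x03, 0x20, created, accessed, modified,
                         48123, 0, 1, 0, 0, 0, 0)  # flags: IDList + LinkInfo; attrs: ARCHIVE; size 48123
    idlist = struct.pack("<HH", 6, 4) + b"\x1f\x50" + b"\x00\x00"  # IDListSize, one ItemID, TerminalID
    label, base = b"OSDISK\x00", b"C:\\Users\\analyst\\Documents\\report.docx\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1A2B3C4D, 16) + label
    body = volume_id + base + b"\x00"  # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, 0x01, 28, 28 + len(volume_id), 0,
                            28 + len(volume_id) + len(base)) + body
    return header + idlist + link_info + b"\x00\x00\x00\x00"  # terminal ExtraData block
```

The header timestamps are the target file's (the "target" times LECmd reports); the "source" times are the LNK file's own filesystem timestamps, which this parser does not touch. To run it over a collected Recent directory, call parse_lnk(path.read_bytes()) for each *.lnk found there.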
Practical Use Cases
- LNK files should be collected with nearly all of your IR case collections from each user folder present on the system. This can be done in bulk by scripting or by utilizing a triage collection tool such as RedLine or KAPE.
- LNK files can help determine what files were interacted with by an unknown TA during the time of impact.
- Although data exfiltration can be difficult to prove, examining the LNK files for a known compromised account can help identify what the TA may have interacted with.
- Having a variety of timestamps (source and target) can help better determine when an incident may have occurred and can be added into your overall IR timeline.
- KAPE https://www.kroll.com/en
- RedLine https://fireeye.market/apps/211364
- Eric Zimmerman Tools https://ericzimmerman.github.io/#!index.md