Pau Lo
asked on
how can you see .lnk files
How can you see .lnk files on an XP machine? I was told for each file you open or program you run, it creates a lnk file. If I open, say, my Excel worksheet on my desktop, how and where can I see that lnk file? Are they just hidden OS files? Is there a default location for them? http://www.forensicswiki.org/wiki/LNK
ASKER
I was thinking perhaps each file opened at one point in time has a *.lnk file in the below directories, so technically at one point they do exist for each file accessed:
C:\Documents and Settings\username\Recent
C:\Documents and Settings\username\Application Data\Microsoft\Office\Recent
Just wondering if these files end up anywhere else?
There will be entries in the registry in the MRU (Most Recently Used) file list, but I doubt that any other .lnk files will be created anywhere else.
That doesn't mean that things such as Audit logs etc won't be created if the auditing function is turned on...
ASKER
So lnk files are typically just in recent document areas of the file system, such as:
C:\Documents and Settings\username\Recent
C:\Documents and Settings\username\Application Data\Microsoft\Office\Recent
And typically not anywhere else unless purposely created as a shortcut or created when installing software
Yes, actually it can be anywhere but pls see this as well
http://www.tzworks.net/prototype_page.php?proto_id=11
While shortcut files can reside in just about any directory, the primary location for many shortcut files is: %APPDATA%\Microsoft\Windows\Recent\<shortcut files>, where the %APPDATA% is resolved to C:\Users\<user account>\AppData\Roaming. This is where the operating system automatically creates a shortcut based on a user double clicking on an application to launch it.
ASKER
Cheers breadtan
Any idea the defaults for how long the recent folders keep the lnk files for on XP, and also what happens when the deadline comes, are they just unreferenced and end up in unallocated clusters? i.e. if ...
C:\Documents and Settings\username\Recent
...Is designed to only keep lnk's for 2 months, can they still be recovered after 2 months with forensics techniques?
Actually, I was looking at this paper and you can probably check it out as well. As of now, I do not see any limit period in the storing of the recent item, as I see it is still like a file itself stored under it unless it is purposely recycled or cleaned up.
http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf
Excerpt
The definite exception to the Observation Five is in the case of files saved by Microsoft Office applications (2003 & 2007). When a file is created in an Office application and it is first saved, a link file is created in both the user’s Recent folder and Office Recent folder. The link file in the Office Recent folder appears from observation to always contain embedded dates when it is first created but the one in the Recent folder contains no embedded dates.
The conclusion to be drawn from Observation Five is that if a link file does not contain embedded dates that target file has not been opened since the link file was created. The converse is not necessarily true but the content of the embedded dates will be an indicator, i.e. if they are almost contemporaneous with the link file Created, Accessed and Modified then the target file has not been opened since the link file was created.
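An added example, not part of the original thread or the quoted paper: a check for the "embedded dates" the excerpt describes, reading them from the link file header. It assumes those dates are the target's created/accessed/written FILETIMEs in the 76-byte ShellLinkHeader defined by MS-SHLLINK; the function names, the 5-second window and the sample headers are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader per MS-SHLLINK: 76 bytes, little-endian.
HEADER = struct.Struct("<I16sIIQQQIiIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed samples."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def embedded_dates(lnk_bytes):
    """Return the target's created/accessed/written times from the header."""
    if len(lnk_bytes) < HEADER.size:
        raise ValueError("shorter than a 76-byte ShellLinkHeader")
    fields = HEADER.unpack_from(lnk_bytes)
    if fields[0] != HEADER.size or fields[1] != LINK_CLSID:
        raise ValueError("not a shell link: bad header size or CLSID")
    names = ("created", "accessed", "written")
    return {n: filetime_to_dt(ft) for n, ft in zip(names, fields[4:7])}

def classify(lnk_bytes, lnk_macs, window=timedelta(seconds=5)):
    """Apply the excerpt's reading; lnk_macs are the link file's own
    created/accessed/modified times, window is an assumed tolerance."""
    present = [d for d in embedded_dates(lnk_bytes).values() if d is not None]
    if not present:
        return "no_embedded_dates"   # target not opened since link creation
    times = present + list(lnk_macs)
    if max(times) - min(times) <= window:
        return "contemporaneous"     # indicator: target not opened since
    return "inconclusive"            # the converse is not necessarily true

def make_header(created=0, accessed=0, written=0):
    """Constructed 76-byte header for the demo, not from a real file."""
    return HEADER.pack(HEADER.size, LINK_CLSID, 0, 0x20, created, accessed,
                       written, 0, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    saved = datetime(2010, 3, 1, 9, 30, tzinfo=timezone.utc)  # constructed
    ft = dt_to_filetime(saved)
    macs = (saved, saved, saved + timedelta(seconds=2))
    print(classify(make_header(), macs))
    print(classify(make_header(ft, ft, ft), macs))
    print(classify(make_header(ft - 10**15, ft, ft), macs))
```

On a real case, pass the first 76 bytes of the .lnk file and the link file's own timestamps as recorded by the file system or forensic tool.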