Windows recent and link files


Post Posted: Mon Dec 17, 2012 5:11 pm

Hi, apart from the manual action of opening or saving of files, what could typically cause files to be placed in the recent documents list?

I understand this can be done automatically or programmatically by accessing the Windows API or specifically the SHAddToRecentDocs() function within Windows' shell32.dll.

Are there any applications or system functions that typically effect this?

Many thanks for any guidance on this.  

firewire
Member
 
 
  

Re: Windows recent and link files

Post Posted: Tue Dec 18, 2012 6:39 am

I'm not really sure what you're asking here...

You mention "recent documents list", which I assume is the RecentDocs key in the Registry...or I could be wrong, and what you mean is the application-specific dropdown list of recently accessed documents. Or, you could mean the Jump Lists, which are part of the Windows 7 Taskbar.

How does the "recent documents list" relate to the LNK files, with respect to your question?  

keydet89
Senior Member
 
 
  

Re: Windows recent and link files

Post Posted: Tue Dec 18, 2012 8:05 am

Hi, apologies for the lack of clarity.

Essentially what I am asking is what could initiate the creating of shortcut files in the Windows XP recent documents folder for a given user account apart from the manual action of opening or saving the files e.g. image files.

Many thanks.  

firewire
Member
 
 
  

Re: Windows recent and link files

Post Posted: Tue Dec 18, 2012 8:42 am

I'm sure that there might be calls to APIs that would result in this, but most often, it's the user interaction.

I'm not sure what it is you're looking for, but it might be useful to use additional artifacts to provide you with a greater level of relative confidence in the data that you're looking at. For example, if you can find other artifacts temporally 'near' the creation date of the LNK file that would indicate that the user took a particular action, you might have a greater relative confidence that this is what actually happened.  

keydet89
Senior Member
 
 
  

Re: Windows recent and link files

Post Posted: Wed Dec 19, 2012 1:15 am

Link files in general, or specifically related to a file?
Because if in general, then the LNK shortcut files for applications could be created anywhere, so it's possible that they're created in the same directory as the user-access link files,
but unlikely.

randomaccess
Senior Member
 
 
  

Re: Windows recent and link files

Post Posted: Wed Dec 19, 2012 2:33 am

The most likely place you'll find artefacts to verify the lnk files is Internet Explorer index.dat files. You should get "file:\\\.." entries which match the creation date of your shortcuts.

For example, if you have a "mypicture.lnk" file in "Recent", created on 13/10/2012 at 13:30, which points to "c:\naughtythings\mypicture.jpeg" then you may find a correlating entry in an index.dat at the same time which is something like "file:///C:/naughtythings/mypicture.jpeg".  

Chris_Ed
Senior Member
 
 
  

Re: Windows recent and link files

Post Posted: Wed Dec 19, 2012 7:28 am

I think that Chris and RandomAccess have raised some pretty important points...

Your question regarding the creation of LNK files in the user profile's Recent folder is still a bit too vague...you have to include looking at the contents of the LNK file itself to see what resource each points to, as well as look at other artifacts that are temporally "near" the creation date of the LNK file itself.

This does raise another, albeit ancillary and potentially tangential subject...the format and structure of LNK files. Within the specification for LNK files, the shell item ID lists are rarely parsed, which is something that can lead to significant issues in analysis.  

keydet89
Senior Member
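
The two checks suggested in this thread, reading what a LNK file in Recent actually points to and looking for an index.dat `file:///` entry near the shortcut's creation time, are shown here as an added example that is not part of the original thread or any poster's code. Field offsets follow the published shell link layout (MS-SHLLINK); the function names, the constructed sample link and the assumption that index.dat records are already extracted as (URL, time) pairs are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class ID

def filetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Parse the header, walk the LinkTargetIDList, read LinkInfo's LocalBasePath."""
    size, clsid, flags, _attr, ctime, _atime, _wtime = struct.unpack_from("<I16sIIQQQ", data)
    if size != 0x4C or clsid != CLSID:
        raise ValueError("not a shell link")
    off, items, path = 0x4C, [], None
    if flags & 0x1:                                    # HasLinkTargetIDList
        pos, end = off + 2, off + 2 + struct.unpack_from("<H", data, off)[0]
        while pos + 2 <= end:
            cb = struct.unpack_from("<H", data, pos)[0]
            if cb == 0:                                # TerminalID ends the list
                break
            if cb < 2 or pos + cb > end:
                raise ValueError("corrupt ItemID")
            items.append(data[pos + 2:pos + cb])       # raw shell item, not decoded here
            pos += cb
        off = end
    if flags & 0x2:                                    # HasLinkInfo
        li_flags, _vol, lbp = struct.unpack_from("<III", data, off + 8)
        if li_flags & 0x1:                             # VolumeIDAndLocalBasePath
            start = off + lbp
            path = data[start:data.index(b"\0", start)].decode("cp1252")
    # Header times describe the target; the LNK's own creation time is file system metadata.
    return {"target_created": filetime(ctime), "shell_items": items, "target": path}

def corroborating(lnk_created, target, history, window=timedelta(minutes=1)):
    """Return history entries naming the target within `window` of the LNK's creation."""
    url = ("file:///" + target.replace("\\", "/")).lower()
    return [(u, t) for u, t in history
            if u.lower() == url and abs(t - lnk_created) <= window]

def build_sample():
    """Constructed link (not case data) pointing at the path from the thread's example."""
    ft = 129946086000000000                            # 2012-10-13 13:30:00 UTC
    hdr = struct.pack("<I16sIIQQQIiIH10x", 0x4C, CLSID, 0x3, 0x20, ft, ft, ft, 0, 0, 1, 0)
    item = b"\x1f\x50" + bytes(16)                     # constructed placeholder item body
    idlist = struct.pack("<H", len(item) + 2) + item + b"\0\0"
    path = b"c:\\naughtythings\\mypicture.jpeg\0"      # VolumeID omitted for brevity
    info = struct.pack("<7I", 29 + len(path), 28, 0x1, 0, 28, 0, 28 + len(path)) + path + b"\0"
    return hdr + struct.pack("<H", len(idlist)) + idlist + info
```

`corroborating()` takes the LNK file's own creation time from the file system, not from the header, and the raw `shell_items` are returned so they can be passed to a shell item decoder rather than ignored.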
 
 