Windows recent and link files

7 Posts
4 Users
0 Likes
449 Views
(@firewire)
Posts: 14
Active Member
Topic starter
 

Hi, apart from the manual action of opening or saving of files, what could typically cause files being placed in the recent documents list?

I understand this can be done automatically or programmatically by accessing the Windows API, or specifically the SHAddToRecentDocs() function within Windows' shell32.dll.

Are there any applications or system functions that typically effect this?

Many thanks for any guidance on this.

 
Posted : 18/12/2012 4:11 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm not really sure what you're asking here…

You mention "recent documents list", which I assume is the RecentDocs key in the Registry…or I could be wrong, and what you mean is the application-specific dropdown list of recently accessed documents. Or, you could mean the Jump Lists, which are part of the Windows 7 Taskbar.

How does the "recent documents list" relate to the LNK files, with respect to your question?

 
Posted : 18/12/2012 5:39 pm
(@firewire)
Posts: 14
Active Member
Topic starter
 

Hi, apologies for the lack of clarity.

Essentially what I am asking is what could initiate the creating of shortcut files in the Windows XP recent documents folder for a given user account apart from the manual action of opening or saving the files e.g. image files.

Many thanks.

 
Posted : 18/12/2012 7:05 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm sure that there might be calls to APIs that would result in this, but most often, it's the user interaction.

I'm not sure what it is you're looking for, but it might be useful to use additional artifacts to provide you with a greater level of relative confidence in the data that you're looking at. For example, if you can find other artifacts temporally 'near' the creation date of the LNK file that would indicate that the user took a particular action, you might have a greater relative confidence that this is what actually happened.

 
Posted : 18/12/2012 7:42 pm
(@randomaccess)
Posts: 385
Reputable Member
 

Link files in general, or specifically related to a file?
Because if in general, then the LNK shortcut files for applications could be created anywhere, so it's possible that they're created in the same directory as the user-access link files,
but unlikely.

 
Posted : 19/12/2012 12:15 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

The most likely place you'll find artefacts to verify the lnk files is Internet Explorer index.dat files. You should get "file\\\.." entries which match the creation date of your shortcuts.

For example, if you have a "mypicture.lnk" file in "Recent", created on 13/10/2012 at 1330, which points to "c:\naughtythings\mypicture.jpeg" then you may find a correlating entry in an index.dat at the same time which is something like "file:///C:/naughtythings/mypicture.jpeg".

 
Posted : 19/12/2012 1:33 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I think that Chris and RandomAccess have raised some pretty important points…

Your question regarding the creation of LNK files in the user profile's Recent folder is still a bit too vague…you have to include looking at the contents of the LNK file itself to see what resource each points to, as well as look at other artifacts that are temporally "near" the creation date of the LNK file itself.

This does raise another, albeit ancillary and potentially tangential subject…the format and structure of LNK files. Within the specification for LNK files, the shell item ID lists are rarely parsed, which is something that can lead to significant issues in analysis.

 
Posted : 19/12/2012 6:28 pm
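An added example, not part of any post in this thread: a minimal Python reader for the two parts of a LNK file the last reply points at, the header timestamps of the link target (to compare against other artifacts) and the item boundaries of the shell item ID list. The field layout follows Microsoft's MS-SHLLINK specification; the function names and the sample bytes are constructed for illustration, and the item contents are returned raw rather than decoded.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x1          # LinkFlags bit 0
HEADER = "<I16sIIQQQI"                # first 56 of the 76 header bytes

def filetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    """Return the target's header timestamps and the raw ItemIDs of the IDList."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from(HEADER, data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        pos = 0x4E                    # IDListSize sits at 0x4C, items follow it
        end = pos + int.from_bytes(data[0x4C:0x4E], "little")
        if end > len(data):
            raise ValueError("IDList runs past end of file")
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:        # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError(f"corrupt ItemID at offset {pos:#x}")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return {"target_created": filetime(ctime), "target_accessed": filetime(atime),
            "target_written": filetime(wtime), "target_size": fsize, "items": items}

def build_sample():
    """Constructed sample (not a real capture): header plus two placeholder ItemIDs."""
    created = datetime(2012, 10, 13, 13, 30, tzinfo=timezone.utc)
    ft = int((created - EPOCH_1601).total_seconds()) * 10**7
    header = struct.pack(HEADER, 0x4C, LNK_CLSID, HAS_LINK_TARGET_IDLIST,
                         0x20, ft, ft, ft, 1234) + bytes(20)
    idlist = b""
    for body in (b"\x1f" + bytes(17), b"\x2f" + b"C:\\" + bytes(19)):
        idlist += struct.pack("<H", len(body) + 2) + body   # size counts itself
    idlist += b"\x00\x00"                                   # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist

if __name__ == "__main__":
    print(parse_lnk(build_sample()))
```

The header times describe the link target as recorded when the shortcut was written; the LNK file's own creation date comes from the file system, so the two are compared rather than treated as the same value.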