Forums
Main Category
General (Technical,...
LNK Files
 
Notifications
Clear all

LNK Files

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by binarybod 8 years ago
3 Posts
3 Users
0 Reactions
1,268 Views
RSS
 ahigdon
(@ahigdon)
Active Member
Joined: 9 years ago
Posts: 7
Topic starter 29/08/2017 5:14 pm  

What is the best way to determine if a LNK file was user created or Windows created?

Thanks,
Andy


   
Quote
 colins5286
(@colins5286)
New Member
Joined: 8 years ago
Posts: 2
30/08/2017 7:49 am  

I suppose for me it would be the context surrounding the LNK file. What is its current location on the HDD?

I would examine the LNK and establish what it is a shortcut to. If it's a user file, such as a word document or spreadsheet etc, then the LNK goes to support that it's a user established LNK.
If it relates to an application, then a quick 'test' installation would show if a shortcut is created by default.


   
ReplyQuote
binarybod
 binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
09/09/2017 6:37 pm  

The above advice is good.

Have a look at http//computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf

Use a tool to extract the embedded data.

Experimentation is a good idea - for example Can you get Windows to create a similar file in that location in another machine? Are the differences explainable (different dates for example)?

I could go on for ages but if you approach the problem in a scientific manner then it will help.

I have written a command-line (cmd or Powershell) tool to extract embedded data available at
https://github.com/Paul-Tew/lifer/tree/master/executables/v3.0.18/

Other tools are available 😉


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: