
lnk files analysis

8 Posts
4 Users
0 Reactions
797 Views
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Hi

So guys, 2 questions about lnk files. In the lnk file shown below, you can see the local path includes a lot of null values. Why is that?

And it has a network path (UNC path). What does this refer to? That this folder has been accessed via another machine?

General information about the machine: this laptop has local and domain users. When I go to the path in the lnk file, I cannot find the document; I've tried to carve but got nothing on that document.

Thanks.

Link target information

Local Path C:\Users\<null><null>%<null><null><null><null><null><null><null><null><null><null><null><null><null><null><null><null>\\HQ-21515\Users<null>21515.MRMWR\Desktop\wonderfulstuff.docx\21515.MRMWR\Desktop\ wonderfulstuff.docx

Volume Type Fixed Disk

Volume Serial Number FA51-7CB5

Network Path \\HQ-21515\Users\21515.MRMWR\Desktop\wonderfulstuff.docx

File Size 21898

Creation time (UTC) 7/30/2013 9:13:43 AM +0000
Last write time (UTC) 7/30/2013 9:40:46 AM +0000
Last access time (UTC) 7/30/2013 9:41:51 AM +0000

PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Hi CopyRight

Could you provide a link to download the link file itself? There are many more fields than the few you have shown (which have also been through some unknown decoding program), which may tell part of the story.

I'll have a look at it with LinkAlyzer and see what that says
http://sandersonforensics.com/forum/content.php?115-LinkAlyzer

Cheers

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

So guys, 2 questions about lnk files. In the lnk file shown below, you can see the local path includes a lot of null values. Why is that?

No idea.

Which tool produced that output?

…and it has a network path (UNC path). What does this refer to? That this folder has been accessed via another machine?

Nope, not at all. The name of the system you found this on is, "HQ-21515" isn't it?

General information about the machine: this laptop has local and domain users. When I go to the path in the lnk file, I cannot find the document; I've tried to carve but got nothing on that document.

That's not unusual at all.

CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Yeah, so this was output by FTK. So I cannot find the document whatsoever?? Why??!!

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Yeah, so this was output by FTK. So I cannot find the document whatsoever?? Why??!!

Just b/c there's an LNK file on the system that points to the file doesn't mean that the file is still there…when the target file is deleted, nothing happens to the LNK file.

EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

Don't assume FTK is doing it right. What does the lnk file's content look like in hex? Are all those NULL characters there? If not, find a new tool =)

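One way to do the "look at the hex" check Eric suggests, as an added example that is not from the thread or from any poster's tool: a minimal parser for the MS-SHLLINK layout (header FILETIMEs and size, VolumeID serial, LocalBasePath, the CommonNetworkRelativeLink NetName and the CommonPathSuffix), run over a constructed .lnk that reuses the thread's host name, user name, file name and volume serial. The path fields are read as null-terminated ANSI strings, so a NUL byte ends the field; if a tool prints long runs of <null> where the raw bytes hold none, the artifact belongs to the tool, not the file.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
def filetime_to_dt(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def cstr(buf, off):  # null-terminated ANSI string; stops at the first NUL byte
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data):
    """Return timestamps, size, volume serial and the local / UNC target paths."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    ctime, atime, wtime, fsize = struct.unpack_from("<QQQI", data, 0x1C)
    info = {"created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "written": filetime_to_dt(wtime), "size": fsize,
            "serial": None, "local_path": None, "network_path": None}
    pos = hdr_size
    if flags & 0x01:                        # HasLinkTargetIDList: skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                        # HasLinkInfo; its offsets are relative to li
        li = pos
        _, _, li_flags, vol_off, base_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, li)
        suffix = cstr(data, li + suffix_off)          # CommonPathSuffix
        if li_flags & 0x01:                 # VolumeIDAndLocalBasePath
            serial = struct.unpack_from("<I", data, li + vol_off + 8)[0]
            info["serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            info["local_path"] = cstr(data, li + base_off) + suffix
        if li_flags & 0x02:                 # CommonNetworkRelativeLinkAndPathSuffix
            cn = li + cnrl_off
            net_off = struct.unpack_from("<I", data, cn + 8)[0]   # NetNameOffset
            info["network_path"] = cstr(data, cn + net_off) + "\\" + suffix
    return info

def build_sample_lnk():
    """Constructed .lnk reusing the thread's names and serial (not the real file)."""
    ft = lambda dt: (dt - EPOCH_1601) // timedelta(microseconds=1) * 10
    t = datetime(2013, 7, 30, 9, 13, 43, tzinfo=timezone.utc)
    base, suffix = b"C:\\Users\\21515.MRMWR\\Desktop\\\x00", b"wonderfulstuff.docx\x00"
    net = b"\\\\HQ-21515\\Users\\21515.MRMWR\\Desktop\x00"
    vol = struct.pack("<IIII", 0x11, 3, 0xFA517CB5, 0x10) + b"\x00"  # fixed disk, empty label
    cnrl = struct.pack("<IIIII", 0x14 + len(net), 0, 0x14, 0, 0) + net
    body = vol + base + cnrl + suffix
    offs = [0x1C, 0x1C + len(vol), 0x1C + len(vol) + len(base), 0x1C + len(body) - len(suffix)]
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x03, *offs) + body
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, 0x02, 0x20,
                         ft(t), ft(t), ft(t), 21898, 0, 1, 0) + b"\x00" * 10
    return header + link_info
```

build_sample_lnk exists only to give the parser offline input; on a case, pass parse_lnk the bytes of the real .lnk read from disk and compare its output with the tool's.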
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Yeah, it's quite funny, because whenever we find a LNK file to a document that is deleted, we can easily carve it, but just in this instance there are no traces whatsoever of the document on the computer.

Hmm, LNKparser?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

So…nothing further on this?
