Hi
So Guys, 2 questions about lnk files, in the lnk file shown below, you can see the local path includes a lot of Null values, why is that?
And it has a Network path UNC path, what does this refer to? That this folder has been accessed via another machine?
General information about the machine: this laptop has local and domain users. When I go to the path in the lnk file, I cannot find the document. I've tried to carve but got nothing on that document.
Thanks.
Link target information
Local Path C\Users\<null><null>%<null><null><null><null><null><null><null><null><null><null><null><null><null><null><null><null>\\HQ-21515\Users<null>21515.MRMWR\Desktop\wonderfulstuff.docx\21515.MRMWR\Desktop\ wonderfulstuff.docx
Volume Type Fixed Disk
Volume Serial Number FA51-7CB5
Network Path \\HQ-21515\Users\21515.MRMWR\Desktop\wonderfulstuff.docx
File Size 21898
Creation time (UTC) 7/30/2013 9:13:43 AM +0000
Last write time (UTC) 7/30/2013 9:40:46 AM +0000
Last access time (UTC) 7/30/2013 9:41:51 AM +0000
Hi CopyRight
Could you provide a link to download the link file itself? There are many more fields than the few you have shown (which have also been through some unknown decoding program) which may tell part of the story.
I'll have a look at it with LinkAlyzer and see what that says
http//
Cheers
So Guys, 2 questions about lnk files, in the lnk file shown below, you can see the local path includes a lot of Null values, why is that?
No idea.
Which tool produced that output?
…and it has a Network path UNC path, what does this refer to? that this folder has been accessed via another machine?
Nope, not at all. The name of the system you found this on is "HQ-21515", isn't it?
General information about the machine: this laptop has local and domain users. When I go to the path in the lnk file, I cannot find the document. I've tried to carve but got nothing on that document.
That's not unusual at all.
Yeah, so this was output by FTK. So I cannot find the document whatsoever?? Why??!!
Yeah, so this was output by FTK. So I cannot find the document whatsoever?? Why??!!
Just b/c there's an LNK file on the system that points to the file doesn't mean that the file is still there…when the target file is deleted, nothing happens to the LNK file.
Don't assume FTK is doing it right. What do the lnk file's contents look like in hex? Are all those NULL characters there? If not, find a new tool =)
Yeah, it's quite funny, 'cause whenever we find a LNK file to a document that is deleted, we can easily carve it, but just in this instance, there are no traces whatsoever of the document in the computer.
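An added example, not part of the thread or any poster's code: a minimal Python parser for the LinkInfo structure defined in MS-SHLLINK, run over a constructed byte string that reuses the names and serial number shown in the first post. It assumes LocalBasePath is `C:\Users\` with the rest of the path in CommonPathSuffix, and `naive_dump` is a hypothetical stand-in for a viewer that prints from LocalBasePath to the end of the structure instead of stopping at the string terminator.

```python
import struct

def cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def parse_linkinfo(li):
    """Parse LinkInfo (MS-SHLLINK section 2.3); li starts at LinkInfoSize."""
    _size, _hdr, flags, vol_off, base_off, cnrl_off, suffix_off = \
        struct.unpack_from("<7I", li, 0)
    suffix = cstr(li, suffix_off)                 # CommonPathSuffix
    out = {}
    if flags & 0x1:                               # VolumeIDAndLocalBasePath
        drive_type, serial = struct.unpack_from("<II", li, vol_off + 4)
        out["drive_type"] = drive_type            # 3 = DRIVE_FIXED
        out["serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
        out["local_path"] = cstr(li, base_off) + suffix
    if flags & 0x2:                               # CommonNetworkRelativeLinkAndPathSuffix
        net_name_off = struct.unpack_from("<I", li, cnrl_off + 8)[0]
        out["network_path"] = cstr(li, cnrl_off + net_name_off) + "\\" + suffix
    return out

def naive_dump(li):
    """Hypothetical viewer bug: print from LocalBasePath to the end of LinkInfo."""
    base_off = struct.unpack_from("<I", li, 16)[0]
    return li[base_off:].decode("latin-1").replace("\x00", "<null>")

def build_sample():
    """Constructed LinkInfo bytes; names and serial copied from the post."""
    base = b"C:\\Users\\\x00"                     # assumed LocalBasePath
    net = b"\\\\HQ-21515\\Users\x00"              # NetName (the share)
    suffix = b"21515.MRMWR\\Desktop\\wonderfulstuff.docx\x00"
    vol = struct.pack("<4I", 17, 3, 0xFA517CB5, 16) + b"\x00"   # empty label
    cnrl = struct.pack("<5I", 20 + len(net), 0x2, 20, 0, 0x00020000) + net
    vol_off = 28                                  # header without Unicode offsets
    base_off = vol_off + len(vol)
    cnrl_off = base_off + len(base)
    suffix_off = cnrl_off + len(cnrl)
    hdr = struct.pack("<7I", suffix_off + len(suffix), 28, 0x3,
                      vol_off, base_off, cnrl_off, suffix_off)
    return hdr + vol + base + cnrl + suffix

if __name__ == "__main__":
    li = build_sample()
    print(naive_dump(li))                         # header bytes leak into the "path"
    for key, value in parse_linkinfo(li).items():
        print(f"{key}: {value}")
```

In the constructed bytes, the `%` in the naive dump is 0x25, the size field of the CommonNetworkRelativeLink structure, and the surrounding nulls are its other header fields rather than part of any path.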
Hmm, LNKparser?
So…nothing further on this?