
.lnk files in FTK

 Add0
(@add0)

I recently read the paper on here titled "Evidentiary Value of Link Files", and found it useful and interesting, especially since I'm quite new to forensics and certainly Windows shortcuts.

The issue I have is that the paper reads that FTK displays .lnk files as follows:

FTK Shortcut File

Link target information
Local Path C:\Documents and Settings\126020\xxxxx\xxxxx
Volume Type Fixed Disk
Volume Serial Number 04CE-2410
File size 0
Creation time (UTC) 6/2/2005 12:08:05 PM
Last write time (UTC) 6/2/2005 12:14:27 PM
Last access time (UTC) 6/2/2005 12:14:54 PM
File attributes
Directory
Optional fields
Relative Path ..\..\..\..\Documents and Settings\126020\xxxxxxt\xxxxxxx
Target system information
NetBIOS name xxxxxxx1025
MAC address 00-0c-xx-6c-xx-d4

However, when I try to add a .lnk file to a case in FTK, it shows its extension as .lnk before I add it, but after it is added it is actually the exe to which the .lnk file pointed that has been added. Also, if I did add the .lnk file, how would I get the data from it to be displayed as above?
X-Ways lets me add .lnk files no problem, but it doesn't display the data in the way mentioned in the paper.

I'm sure there is something very simple I am doing wrong. Can anyone help?

Many thanks


   
Quote
(@toddtvc)

Are you "exporting" the .lnk files to the report? If exported to the report, you will have a hyperlink that will open the file, or you may be using a different view to look at the file. Use "native format."


   
ReplyQuote
Share:
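The fields quoted from the paper in the first post (local path, volume type and serial, the three timestamps, relative path, NetBIOS name, MAC address) all sit at defined places in the Windows shell link binary format, so they can be read directly from the .lnk file itself. The Python parser below is an added example, not part of the original thread and not FTK or X-Ways code. It assumes cp1252 for non-Unicode strings, and `sample_lnk` builds a constructed file whose host name, path and MAC are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class ID
DRIVES = {2: "Removable", 3: "Fixed Disk", 4: "Network", 5: "CD-ROM"}

def parse_lnk(d):
    size, flags, attrs, ct, at, wt, fsize = struct.unpack_from("<I16xIIQQQI", d, 0)
    if size != 0x4C or d[4:20] != CLSID:
        raise ValueError("not a shell link file")
    when = lambda ft: EPOCH + timedelta(microseconds=ft // 10) if ft else None
    out = {"created": when(ct), "accessed": when(at), "written": when(wt),
           "file_size": fsize, "directory": bool(attrs & 0x10)}
    pos, uni = 0x4C, flags & 0x80                  # IsUnicode applies to StringData
    if flags & 0x01:                               # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", d, pos)[0]
    if flags & 0x02:                               # HasLinkInfo
        li_size, _, li_flags, vol, path = struct.unpack_from("<5I", d, pos)
        if li_flags & 0x01:                        # VolumeIDAndLocalBasePath
            dtype, serial = struct.unpack_from("<II", d, pos + vol + 4)
            out["volume_type"] = DRIVES.get(dtype, str(dtype))
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            out["local_path"] = d[pos + path:d.index(b"\0", pos + path)].decode("cp1252")
        pos += li_size
    for i, key in enumerate(("name", "relative_path", "working_dir", "arguments", "icon")):
        if flags & (4 << i):                       # StringData: char count + text
            n = struct.unpack_from("<H", d, pos)[0] * (2 if uni else 1)
            out[key] = d[pos + 2:pos + 2 + n].decode("utf-16-le" if uni else "cp1252")
            pos += 2 + n
    while pos + 8 <= len(d):                       # ExtraData blocks
        bsize, sig = struct.unpack_from("<II", d, pos)
        if bsize < 4: break                        # terminal block
        if sig == 0xA0000003:                      # TrackerDataBlock
            out["netbios"] = d[pos + 16:pos + 32].split(b"\0")[0].decode("ascii")
            # The node field of a version 1 UUID object ID holds a MAC address.
            out["mac"] = d[pos + 58:pos + 64].hex("-") if d[pos + 55] >> 4 == 1 else None
        pos += bsize
    return out

def sample_lnk():  # constructed sample, not a real evidence file
    ft = lambda *t: int((datetime(*t, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    hdr = struct.pack("<I16sIIQQQI20x", 0x4C, CLSID, 0x8A, 0x10, ft(2005, 6, 2, 12, 8, 5),
                      ft(2005, 6, 2, 12, 14, 54), ft(2005, 6, 2, 12, 14, 27), 0)
    vol, path = struct.pack("<4I", 17, 3, 0x04CE2410, 16) + b"\0", b"C:\\Users\\demo\\docs\0"
    info = struct.pack("<7I", 29 + len(vol) + len(path), 28, 1, 28, 28 + len(vol), 0,
                       28 + len(vol) + len(path)) + vol + path + b"\0"
    rel = "..\\demo\\docs".encode("utf-16-le")
    droid = bytes(16) + bytes.fromhex("00000000000000108000" + "0200006c00d4")
    trk = struct.pack("<4I16s", 0x60, 0xA0000003, 0x58, 0, b"DEMOHOST1025") + droid * 2
    return hdr + info + struct.pack("<H", len(rel) // 2) + rel + trk + bytes(4)
```

For a file exported from a case, call `parse_lnk(open(path, "rb").read())`. The timestamps in the header describe the link target as recorded when the shortcut was written, not the .lnk file's own file system times.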