Join Us!

.LNK Files not show...
 
Notifications
Clear all

.LNK Files not showing - Differences between Tools & VMWare  

  RSS
ssstu
(@ssstu)
New Member

Hi all,

Quick question, hopefully someone can shed some light…

Examining a Windows 10 machine and I'm concurrently using EnCase & X-Ways for analysis. I'm also viewing this device within VMware (imaged the device as a .vmdk format).

Interestingly enough, both EnCase & X-Ways only show some .LNK files, but not all as shown within VMware. Does anyone know why this is?

The .LNK files on the Desktop are in relation to installed software on the system that are of significance. In total, 5 .LNK files aren't reported by either EnCase or X-Ways.

Thank you in advance.

Quote
Posted : 29/08/2017 10:28 am
minime2k9
(@minime2k9)
Active Member

Have you identified the actual location of the LNK files in VMWare?
I'm assuming the missing LNK files aren't system items like Recycle Bin
It may be possible that the missing link files are stored somewhere other than the user's desktop.
This often happens when you have LNK files which display for all users on a system.

ReplyQuote
Posted : 29/08/2017 10:34 am
ssstu
(@ssstu)
New Member

"Have you identified the actual location of the LNK files in VMWare?"

I'm a little unsure as to what you exactly mean? These 'missing' .LNK files that are not shown within EnCase & X-Ways are in the Desktop directory which are visible within VMware.

"I'm assuming the missing LNK files aren't system items like Recycle Bin"

That's correct, these are not system items, these are .LNK files in relation to software installed on the machine. (To be more specific, Windows(C) Program Files and/or Windows(C) Program Files(x86))

"It may be possible that the missing link files are stored somewhere other than the user's desktop.
This often happens when you have LNK files which display for all users on a system."

There is only one user on this machine. I haven't found any other of the same missing .LNK files anywhere else on the machine.

?

ReplyQuote
Posted : 29/08/2017 10:50 am
minime2k9
(@minime2k9)
Active Member

"Have you identified the actual location of the LNK files in VMWare?"

I'm a little unsure as to what you exactly mean? These 'missing' .LNK files that are not shown within EnCase & X-Ways are in the Desktop directory which are visible within VMware.

[

So you have a running machine in VMware. You have identified a LNK file on the desktop of the user that is not showing in the Desktop folder in X-Ways or Encase.
Have you tried determining the file path of the LNK file in the virtual machine itself (i.e. right clicking the LNK file and looking at properties)?

Also check C\users\Public\Desktop - are the missing LNK files in this folder?

ReplyQuote
Posted : 29/08/2017 11:09 am
ssstu
(@ssstu)
New Member

Yes, I checked the paths within VMWare and they all resolve back to either Windows(C) Program Files and/or Windows(C) Program Files(x86)).

Nonetheless, after filtering through X-Ways in regards to possible .LNK locations, I can see that these .LNK are actually stored on the default account 'Public' (omitted this default account from original consideration).

So you were right. I tip my hat off to you, thank you 8)

ReplyQuote
Posted : 29/08/2017 11:23 am
minime2k9
(@minime2k9)
Active Member

Just for future reference, the program files path shown will relate to the file being linked to.
One of the other tabs shows the actual location of the LNK file.
Glad you've found them anyway.

ReplyQuote
Posted : 29/08/2017 12:38 pm
Share: