At present i have discovered some link files in the Axxxxx.lnk format within system restore folders.
the files these relate to are still on the drive in a potentially incriminating position however the original link files that the system restore relates to are not.
Viewing a lnk file in EnCase's link parser usually allows you to map back to the application that created the original application. This information isnt obvious in the restore point lnk file.
Logic would say if it is there for restore purposes then there must be a way of restoring that lnk file to what ever application or MRU it belongs to but i just cant see it or find any reference to the structure of this particular type of restore point file to allow me to parse it manually and meaningfully.
Any thoughts/suggestions greatfully accepted
The link file should parse in the normal way.
The restore point folder that your link file is in will have a changelog file that details the original link file name and path. If you use Encase there are some good scripts available to parse this information, however enough of changelog is in plain text to do it manually.
HTH
Richard