About 1,100 LNK files were found on a shared computer. Â About 800 appear to be pornographic images, and some may be CP based on filename. Â The images are deleted, overwritten and unreadable. Â It is a Win7 machine.
What appears odd (to me) is that the LNK files are missing the three file timestamps. Â The timestamps are present for the creation of the LNK file itself, and all three timestamps are the same. Â Why are the file timestamps missing? Â Because the file was deleted?
Also, I thought I found this on the Microsoft site but cannot repeat my find.  In Win7, does the LNK file get created when the file is downloaded/created, or when the file is first accessed?  The reason I ask this is there were a massive amount of pornographic images found (overwritten and unreadable) on a second drive, but there isn’t a single LNK found that suggests anyone ever accessed a single file.  I’m trying to figure out how they got there, as it appears no one ever knew they were there.
Â
Thanks!!
This of any use? (sounds similar to what you might be looking at)
https://www.mandiant.com/resources/the-missing-lnk-correlating-user-search-lnk-files
