Problems understanding data in a .lnk file  

nickfx
(@nickfx)
Active Member

Working a fraud case and am unsure what I'm seeing in a series of .lnk files.

As an example, a file references a .ppt file at C:\work\work\filename. However, I can find no reference to the filename on the local machine, either live, deleted, or even a partial hit from unallocated.

However, in part of the metadata from the .lnk file we have 2 entries:

Relative path ..\..\..\..\..\work\work\filename

Working directory C:\work\work

My gut tells me I'm looking at a file accessed from a remote system on a network, which is possible in this case, but I haven't had to consider the 'relative path' before and would appreciate input from the community.

thanks

Nick

Posted : 19/08/2005 3:35 pm
Andy
(@andy)
Active Member

Can you post the full data list? Also, have you searched in Unicode for the filename?

Andy

Posted : 19/08/2005 6:00 pm
keydet89
(@keydet89)
Community Legend

Nick,

Could you provide more information?

Specifically, I'm not following how you can see the working directory on the local hard drive, but think that the file was accessed from a remote system. I'm not following the logic there.

Do you have any information with regards to timestamps? Maybe the file was on the local system, but has been deleted and overwritten to the point where you're not seeing anything in slack/unallocated space.

Also, when you say the path is "C:\work\work\", is this an example? Within the relative path (i.e., "..\..\..\.."), does that path really show the dots, or is there something else there, some text?

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 19/08/2005 6:11 pm
nickfx
(@nickfx)
Active Member

Thanks for the interest guys.

I have to be very careful what I publish here as this is a live case for a corporate client and many file and folder names contain references. However, this is what I see:

Local Path C:\Work\work\2004 Marketing Promotion.ppt
Volume Type Fixed Disk
Volume Serial Number 00AA-CCBB
File size 2242048
Creation time (UTC) 05/03/2004 08:12:29
Last write time (UTC) 04/03/2004 16:11:10
Last access time (UTC) 23/05/2005 07:36:48
File attributes
Archive
Optional fields
Relative Path ..\..\..\Work\work\2004 Marketing Promotion.ppt
Working directory C:\Work\work
Target system information
NetBIOS name ********
MAC address 50-72-6f-44-53-31

I can find no existing or deleted 'work' folders, and this is only a couple of months ago, as you can see. I also can find no other incidence of this .ppt file or of the other 24 in the list.

I always worry that I'm missing the obvious, so if you have an 'obvious' answer don't be afraid to share. I called my buddies at my local Hi-Tech Crime Unit and we are all either having a thick day or are stuck! It is a Friday after all!

Nick

Posted : 19/08/2005 7:14 pm
keydet89
(@keydet89)
Community Legend

Nick,

I understand your caution. However, sometimes one needs more information to be able to answer the questions that are posed.

Thanks for posting what you did. I think that with that info, I can point you to what you need, in order to be able to speak confidently about this issue.

Take a look at what you posted, specifically the volume information, the NetBIOS name, and the MAC address. You can use this to tie the path information in the .lnk file to the local system. In addition, you can rule out remote systems by checking locations in the Registry, such as the "Map Network Drive MRU" list, and others (depending upon the specific version of the Windows OS used).

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 19/08/2005 8:33 pm
nickfx
(@nickfx)
Active Member

That is very helpful; I will get onto that Monday morning. Doing a Unicode search, I was able to locate a deleted C:\work directory that appeared to have contained email. This odd .lnk file couldn't be a link to an attachment, could it?

thanks for your help

Nick

Posted : 20/08/2005 5:06 pm
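An added example, not part of the thread, working through the 'relative path' question using the values Nick posted. The MS-SHLLINK specification defines the RelativePath string as relative to the shortcut file itself, not to the WorkingDir, so the number of leading "..\" segments says how many folders below the anchor (here the C: root) the .lnk was stored; the folder C:\Documents and Settings\nick\Recent is an assumed, hypothetical shortcut location used only to show the check.

```python
from pathlib import PureWindowsPath

# Values taken from the thread; the shortcut folder is a constructed assumption.
LOCAL_PATH = r"C:\Work\work\2004 Marketing Promotion.ppt"
RELATIVE_PATH = r"..\..\..\Work\work\2004 Marketing Promotion.ppt"
ASSUMED_LNK_DIR = r"C:\Documents and Settings\nick\Recent"  # hypothetical


def _segments(rel):
    """Split a RelativePath string, dropping empty and '.' segments."""
    return [s for s in rel.split("\\") if s not in ("", ".")]


def shortcut_depth(rel):
    """Number of leading '..' segments: folders between the anchor and the .lnk file."""
    depth = 0
    for seg in _segments(rel):
        if seg != "..":
            break
        depth += 1
    return depth


def infer_anchor(local_path, rel):
    """Return (anchor_dir, depth) implied by LocalBasePath plus RelativePath, or None
    when their tails disagree (the two fields would then describe different targets)."""
    depth = shortcut_depth(rel)
    tail = _segments(rel)[depth:]
    parts = list(PureWindowsPath(local_path).parts)
    if len(tail) >= len(parts):
        return None
    if [p.lower() for p in parts[-len(tail):]] != [t.lower() for t in tail]:
        return None
    return str(PureWindowsPath(*parts[: len(parts) - len(tail)])), depth


def resolve_relative(lnk_dir, rel):
    """Resolve RelativePath against the folder that held the .lnk file.
    Like Windows, '..' never climbs above the drive root, so a shortcut stored too
    shallow still resolves; use infer_anchor for the strict depth constraint."""
    parts = list(PureWindowsPath(lnk_dir).parts)
    for seg in _segments(rel):
        if seg == "..":
            if len(parts) > 1:
                parts.pop()
        else:
            parts.append(seg)
    return str(PureWindowsPath(*parts))


def consistent(lnk_dir, rel, local_path):
    """True if a shortcut stored in lnk_dir resolves to LocalBasePath (case-insensitive)."""
    return resolve_relative(lnk_dir, rel).lower() == local_path.lower()
```

For the posted data, `infer_anchor` yields the C: root and a depth of 3, which any three-level-deep folder on C: would satisfy; a mismatching tail returns None and is worth a second look at the .lnk.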