I was working with link files (Desktop, SendTo, Start menu etc.) and saw the same file header in all .lnk files:
4c0000000114020000000000c000000000000046h
Is this the one and only file header for all .lnk files? (If so, I can use it to carve and search.) There's not much information about the file header on the internet (I did read
http://www.forensicfocus.com/link-file-evidentiary-value
http//
)
Stamitz
If you re-read the second link that you provided… page 2 and an understanding of file signatures answers your question.
HTH,
Harlan
Thanks, keydet89.
Jesse Hager mentions 0000004Ch as the file header and the rest (0114020000000000c000000000000046h) as the unique identifier GUID of the shell links.
This is also what I see with all of the link files on my Win XP.
So, I can carve or search for this hex string!
Stamitz
Stamitz…
Please be sure to read the second half of what I said…
"…an understanding of file signatures…"
H
Thanks, I'll keep on learning every day…
We all do. That is the addiction of forensics.
I'm still studying the topic of link files. On keydet89's site I found a great article about the MAC times in link files:
http//
With EnCase I also found out that the "creation" time didn't change. I wonder if I can rely on this now, or is this very risky?
Look here:
http//
This might help.
Yep, I know Jesse Hager's document. But it doesn't say whether the MAC times (those related to the file it represents, offsets 28-51) will stay the same, whatever happens with the shortcut or the file it represents.
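An added example (my own code, not something any poster in this thread wrote) that ties the two questions together: it carves by the 20-byte header quoted at the top of the thread and reads the three target-file FILETIMEs at offsets 28-51 so they can be compared against the filesystem timestamps. The sample header bytes are constructed inside the block, and the field layout (LinkFlags and FileAttributes between the CLSID and the timestamps) is assumed from the public shell link format.

```python
import struct
from datetime import datetime, timedelta, timezone

# HeaderSize (0x4C) followed by LinkCLSID 00021401-0000-0000-C000-000000000046:
# exactly the 20 bytes quoted at the start of the thread.
LNK_SIGNATURE = bytes.fromhex("4c0000000114020000000000c000000000000046")
HEADER_SIZE = 0x4C
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; 0 means 'not set'."""
    if ft == 0:
        return None
    # Dropping the 100 ns remainder: microsecond precision is enough for timeline work.
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def is_lnk_header(data):
    """True if data starts with a complete shell link header carrying the expected signature."""
    return len(data) >= HEADER_SIZE and data[:20] == LNK_SIGNATURE


def parse_lnk_times(data):
    """Return the target file's creation/access/write times stored at offsets 28-51.

    Layout assumed: HeaderSize(4) CLSID(16) LinkFlags(4) FileAttributes(4) then 3 FILETIMEs.
    These describe the *target* at the time the shortcut was written, not the .lnk file itself.
    """
    if not is_lnk_header(data):
        raise ValueError("not a shell link header")
    created, accessed, written = struct.unpack_from("<QQQ", data, 28)
    return {"creation": filetime_to_datetime(created),
            "access": filetime_to_datetime(accessed),
            "write": filetime_to_datetime(written)}


def carve_lnk_offsets(blob):
    """Every offset in a raw byte blob (e.g. unallocated clusters) where the signature occurs."""
    offsets, pos = [], blob.find(LNK_SIGNATURE)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(LNK_SIGNATURE, pos + 1)
    return offsets


def build_sample_header(created, accessed, written):
    """Constructed 76-byte test header: signature, zeroed flags, three FILETIMEs, zero padding."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:20] = LNK_SIGNATURE
    struct.pack_into("<QQQ", hdr, 28, created, accessed, written)
    return bytes(hdr)
```

A hit from carve_lnk_offsets only proves the signature is present; parse_lnk_times on the following 76 bytes (and a sanity check that the timestamps are plausible) is what separates a real header from coincidental bytes.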