Recovering Original Document from LNK File
I am carrying out a Mock forensic case as part of training and we've been given a mock case to work on. I am very interested in retreiving 2 files. They are both .LNK files. I am wondering is there a way of retrieving the original documents from the .LNK files?
I have a forensic suite of tools to help me which includes EnCase, Magnet Flavours (IEF, Axiom Process, Axiom Examine)
I also have Registry explorer as well as FTK Imager & Autopsy.
Link files are simply a reference to the file, but they do not contain the file.
You can get the path to the original file but not the actual content. Remember lnk files are shortcut files.
The best resource on lnk files https://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf