I am working on a case, and I found a potentially interesting file similar to "Search Results in Computer.lnk" and "Search Results in Data (D).lnk". It seems to contain a search term, "Search Results in 0 pedo.lnk". The file was overwritten, so the only details I have are from the MFT.
It is a Windows Vista SP2 image.
I know I have seen these before, but my test VM doesn't have any of these, and try as I might, I can't get it to create one.
I've tried searching (from the start menu and the search box), I've tried saving a search, adding saved search to the sidebar. Nothing so far.
Any background information or guidance would be greatly appreciated.
I'm confused on what the question is.
My apologies if I wasn't clear enough.
Within the Recents folder, there is a file "Search Results in 0 pedo.lnk" (alongside the default "Search Results in Computer.lnk", etc.).
My question is, does anyone know how that got there? I have tried several things, listed above, and none of them have reproduced anything like it thus far.
So, for any help or guidance on when/how these .lnk files are created, I'd be grateful.
I got so hung up that 'pedo' was the keyword searched for. I didn't consider it could be the location.
So, I tried creating a folder named 'pedo', and tried searching in there, both using the Windows Explorer search box and the Advanced search that I accessed via the Start Menu.
Still no luck. I am completely out of ideas.
I have tried testing this -
search a folder for a search term which you know will have a hit,
open a hit
then check your Recent
I did this and searched in MyFolder and I found a lnk file named "Search Results in MyFolder.lnk"
I suspect the link file is only created once you access a file that is in the search results.
H
Oh, that looks promising. I did not try that, the clicking part. I just did the searches. If this is true, it's even more incriminating for the suspect. I shall test this Monday and let you know.
Unfortunately, if I recall, the link file is overwritten, so all I have is the name. But if I could recreate what the results were for some of the other ones (My computer, indexed locations, etc) that would be awesome.
Thanks for the lead.
I tested it. You were exactly right. Thank you very much.
Try a keyword search for it to see if you can find the link file in unallocated. Worth a shot. Refer to the Meaning of LIFE (Link Files in Forensic Examinations) document. This will help you find more data about the link file if you find it in unallocated.
Regards,
Chris
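
The search of unallocated space suggested in the last reply, sketched as an added example that is not part of the thread: it carves shell link headers by their fixed 20-byte signature, decodes the target timestamps stored in each header, and locates a file name stored as UTF-16LE. It assumes unallocated space has already been exported to a byte buffer; the function names and the sample buffer are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK header: HeaderSize (0x4C) followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize,
# IconIndex, ShowCommand, HotKey, 10 reserved bytes = 76 bytes.
HEADER = struct.Struct("<I16sIIQQQIiIH10x")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, None if unset."""
    try:
        return EPOCH + timedelta(microseconds=ft // 10) if ft else None
    except OverflowError:          # corrupt value past year 9999
        return None

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def carve_lnk_headers(blob):
    """Return one record per complete shell link header found in blob."""
    hits, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        if pos + HEADER.size <= len(blob):   # skip a header cut off at the end
            f = HEADER.unpack_from(blob, pos)
            hits.append({"offset": pos, "link_flags": f[2],
                         "target_created": from_filetime(f[4]),
                         "target_accessed": from_filetime(f[5]),
                         "target_modified": from_filetime(f[6]),
                         "target_size": f[7]})
        pos = blob.find(LNK_MAGIC, pos + 1)
    return hits

def find_utf16(blob, text):
    """Offsets where text occurs as UTF-16LE, the encoding NTFS uses for names."""
    needle, out = text.encode("utf-16-le"), []
    pos = blob.find(needle)
    while pos != -1:
        out.append(pos)
        pos = blob.find(needle, pos + 1)
    return out

# Constructed sample standing in for a dump of unallocated clusters.
WHEN = datetime(2010, 1, 15, 12, 0, tzinfo=timezone.utc)
_hdr = HEADER.pack(0x4C, LNK_MAGIC[4:], 0x80, 0x20, to_filetime(WHEN),
                   to_filetime(WHEN), to_filetime(WHEN), 1234, 0, 1, 0)
SAMPLE = (b"\x00" * 512 + _hdr + "Search Results in MyFolder.lnk".encode("utf-16-le")
          + b"\xff" * 100 + LNK_MAGIC)       # trailing magic = truncated header
```

The three timestamps in the header describe the link target as it was when the link was written, not the .lnk file itself.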