This may be an elementary question, but….
When a link file is created by a user, that link file 'should' be found in the common area for these files; <user>\AppData\Roaming\Microsoft\Windows\Recent\ correct?
I know there are link files found in other common areas
..\office\recent\ (office related links)
..\real\realplayer\history\ (real player related links)
But what if I am finding a link file in a public profile several folders deep below the folder the link file points too… if a user clicked on that folder, I would expect the link file to be created in the ..\windows\recent\ folder for the profile that clicked the folder, right?
Is there shenanigans going on here? Why are these link files found in these locations?
Why are these link files found in these locations?
As you have not provided any information about what folders are involved, or if any specific application are involved, etc, it is clearly a research question. You have to find the executable that creates the shell links, or reads them, and figure out in response to what stimuli that happens, and for what purpose.
I know that some installation packages can be instructed to create such links on installation … though if that's what happened here, I clearly can't say without further information. If so, it could be a cut&paste issue a standard template for installation may have been used, and the user just left 'create this shell link' in the template because he thought it might be the right thing to do for some reason. Usually lack of competence.
Is there any particular reason why 'application specific behaviour' may be the wrong answer?
Or 'user mistake'? I've created shell links in the wrong directory more times that I remember just because I got confused over what Explorer window I was working in. In such cases, though, there's often another shell link pointing to the same target directory somewhere else.
Or perhaps some command line utility? If you're using Cygwin (as I am), you can make 'ln -s' create shell links if you set $(CYGWIN) to contain "winsymlinks" or "winsymlinkslnk" – which is quite convenient. Again, you can easily create links in the wrong directory, if you lose track of where you are, or are accustomed to Unix window behaviour (focus when cursor enters windows), rather than Windows (focus when window is on top).
I don't use Windows 10 so I don't know if the bash environment provides 'ln -s'. The old POSIX environment for Windows did, so that's another technical possibility. (Or do I misremember?)
Shell links are not only links to file system targets though, they're also storage containers you can use the ExtraData space to store information that need not be directly related to the link functionality, and as long as you (added do not) expose the link, it may not cause any problem. On the other hand, those are easy to identify.
Is there shenanigans going on here? Why are these link files found in these locations?
Unknown to both…not enough info was provided.
Windows OS/version?
What were the folder paths, explicitly? What application was involved?
Thanks for the responses, I'll try to provide the information needed for you to better help me.
It's a CP case.
OS is Windows 7 Home Premium
Without revealing too many specific folder names I'll do my best to lay out what I'm seeing
In the Public profile there is the following path
Public\music\sample music\incomplete\New Folder\folder a\folder b\folder c\folder d\folder e\folder f\folder c.lnk
The volume name and serial number for the volume from the link file match the volume name and serial for the partition it is on. The link file was created in 2011. about a month after the folder it's linked to was created.
There are also other link files in Folder f that point to folders higher in this path.
I'm not as confused as to why or how the link file got created as I am about it's location. I know a user can create link files, but it doesn't make sense to me that someone would make this one (or any of them, here…) as mentioned, they may have done it mistakenly.
But, in the normal course of links files being created, this would not be the expected location would it?
Public\music\sample music\incomplete\New Folder\folder a\folder b\folder c\folder d\folder e\folder f\folder c.lnk
Interesting.
I'd look over the available applications that access these folders – music management software, music playing software, perhaps even music recording/ripping software – and see if anything allows user operations that result in links being created.
Perhaps there's something like 'create a playing list' that, for some kinds of 'add everything in this directory' or 'merge these playlists' creates these links. Just a wild guess.
That would be a kind of 'natural' explanation the user (users?) is doing something that just happen to be implemented by shell link files. But he never views the directories in Explorer, only through … whatever tools are present.
… it doesn't make sense to me that someone would make this one (or any of them, here…) as mentioned, they may have done it mistakenly.
Or unwittingly.
But, in the normal course of links files being created, this would not be the expected location would it?
That is a very difficult question to answer. 'normal' is a statistical term, and 'expected' is also closely connected to statistics – but without such statistics to start from, there is no good answer.
It's not a place where I would expect a user create a link by hand, particularly not to a higher level directory.
But if these links are only to be found in these music directories, any software related to these folders should be examined perhaps it makes better sense when you look at the folders through some music player?
(Added if it was my system, thse links would have been added by hand. I would probably have discovered that 'this software uses shell links', and wondered 'is it smart enough to discover a link that creates a recursive structure? Can I crash it that way, as it tries to follow the link round and round and round?' But I'm kind of weird that way …
If the user does programming or something like that (bug hunting? security researchers can have some really weird stuff in forgotten directories on their systems) , that kind of experimentation just might be another solution. However, I would not leave such links to mess up my real music library in any way, so it doesn't seem too likely.)
Excellent points I will explore. Thanks again! I know Real Player was used to access the public profile from the suspects profile - and I have all the lnk files it created.
But I can tell you the folders are not being used for music (No MP3 files) Lots of JPG's and MPG's (and not the good kind) although I will add these folders are rather specifically named and cataloged. I have artifacts to support P2P software has been in use, TOR, Team Viewer, Skype, kinda the who gamut of these types of programs. I suspect some sort of bulk down loader for some of these as well based on the file creation dates matching
It's near the end of the case though and I am just trying to polish off a few follow up questions from the case agent.
And again, just trying to understand what I think should be kinda elementary about these link files, but I guess it's never that simple is it…
Again thanks for the help!
That's fairly common, I've seen it several times A typical evasion tactic against UI/usability concepts that people employ for various reasons, especially if they are not particularly computer savvy.
For example, if the suspect accesses the contents by going through a certain browsing scheme (selecting the film for tonight…) that, if your reach the bottom, requires this jump upwards every time (you want to watch a film tonight), then it is actually quite convenient.
But there's also a good chance that the Explorer configuration in this case doesn't show the Navigation Pane. Some people don't like it, some switch it off unintentionally and don't know how to bring it back, don't find the level-up button instead etc. Some people aren't even aware of a hierarchy of folders, they just put objects into 'frames' and link everything with everything to switch between them.
I find Lnk files within the common User Folders or even the root to be more user generated.
Lnk files within Program Files, AppData, or possibly Public to be more application generated.
I would check CMA dates and see what dates come up. Any differences may indicated user interaction.
Lets say, Real Player contains a playlist or lnk files within Real folders. I would say that said artifacts indicate the Real Player application for viewing said files.
I found playlist files that spelled everything out. Indicating the suspect downloaded the files and viewed them.
The volume name and serial number for the volume from the link file match the volume name and serial for the partition it is on.
This is as would be expected, so we're good at this point…
I'm not as confused as to why or how the link file got created as I am about it's location. I know a user can create link files, but it doesn't make sense to me that someone would make this one (or any of them, here…) as mentioned, they may have done it mistakenly.
I've seen a lot of things in 20 yrs of DFIR work that don't make sense to me. I've always tried to do my best to follow the data that I had available, and rather than speculate in an attempt to fill the gaps, simply identify the gaps.
When I was active duty military, I saw people do things that didn't make any sense to me. Even today, I see/hear of people doing things that make absolutely no sense to me. Someone will say that they don't want to be in "state X", but will take actions that will immediately place them in that state.
I would suggest that the best approach would be to create a timeline and try to determine what occurred around that time, in order to possibly discern how the LNK files were created. This may possibly lead to the why, as well.
