Shortcut Lnk Mac

LNK stands for LiNK. Shortcut files are used as a direct link to an executable file, instead of having to navigate to the executable. LNK files contain some basic properties, such as the path to the executable file and the “Start-In” directory. An existing shortcut can be copied and edited from PowerShell through the WScript.Shell COM object:

    # $sourcepath is the existing .lnk used as a template; $destination is the new .lnk
    Copy-Item $sourcepath $destination                  # Get the lnk we want to use as a template
    $shell = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($destination)     # Open the lnk
    $shortcut.TargetPath = "C:\path\to\new\exe.exe"     # Make changes
    $shortcut.Description = "Our new link"              # This is the "Comment" field
    $shortcut.Save()                                    # Save

LNK files (labels or Windows shortcut files) are typically files which are created by the Windows OS automatically, whenever a user opens their files. These files are used by the operating system to secure quick access to a certain file. In addition, some of these files can be created by users themselves to make their activities easier.

1) Connect USB to Mac and open it.
2) Go to search box on top right and press space bar once.
3) By default search will be highlighted at search: This Mac, click on the USB name beside that.
4) Press + sign at right hand side beside save option.

You can quickly navigate to the desktop on your Mac by pressing a keyboard shortcut, by swiping the trackpad using a specific gesture, or by creating your own customized shortcut. Doing so will reveal your desktop.

LNK is a file extension for a shortcut file used by Microsoft Windows to point to an executable file. LNK files use a curled arrow to indicate they are shortcuts, and the file extension is hidden (even after disabling “Hide Extensions for Known.


Fig.1. Windows Desktop Shortcuts

Location

Normally, most LNK files are located at the following paths:

  • For Windows 7 to 10: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
  • For Windows XP: C:\Documents and Settings\%USERNAME%\Recent

However, there are many other places where investigators can find LNK files:

  • On the desktop (such shortcuts are usually created by users to secure quick access to documents and apps)
  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent (for Microsoft Office documents on Windows 7 to 10)
  • C:\Users\%USERNAME%\Downloads (Sometimes users send shortcuts via e-mails to other users instead of the documents to be delivered. Consequently, other users download those shortcuts. Again, this is for Windows 7 to 10)
  • Startup folder
  • Etc.

Fig.2. Shortcuts Found in the Recent Folder as shown by Belkasoft Evidence Center

Contents of Shortcuts

Before Microsoft published the information about the format of LNK files, researchers had tried to describe the format by themselves. The complexity of such research is that different shortcuts contain different data. Correspondingly, when you analyze one shortcut type, the contents and amount of data may be different than when analyzing another shortcut type. Besides, in Windows 10, new fields are present that cannot be found in earlier versions.


So, what kind of information does a LNK file contain? Belkasoft Evidence Center digital forensic software displays the following three sections with data related to LNK file: 'Metadata', 'Origin', and 'File'.


Fig.3. 'Metadata' Section Contains Multiple Details About a Target File

The most important data displayed by the 'Metadata' Section include:

  • Source path of a file and its time tags (Full path, Target file access time (UTC), Target file creation time (UTC), Target file modification time (UTC))
  • Drive type
  • Volume serial number (Drive serial number)
  • Volume label
  • NetBIOS name
  • Target file size (bytes), i.e. the size of the file with which the shortcut is associated

As you can see, such fields as 'Droid file' and 'Birth droid file' can be found. DROID (Digital Record Object Identification) is the individual profile of a file. This structure (i.e. that of a droid file) can be used by the Link Tracking Service in order to determine whether the file has been copied or moved.


Fig.4. 'Origin' Section Tells Where Selected Artifact Was Extracted From

Fig.5. 'File' Section Shows File System Metadata of a LNK File

In the 'File' section you can see the MAC address of the device on which this shortcut was created. This information may help you identify the device on which the LNK file was created.

While conducting an investigation, one should pay attention to the time tags of a LNK file. The reason is that, as a rule, the file creation time corresponds either to the time the file was created by a user or to the time of the first file access event associated with a shortcut. As for the modification time, it normally corresponds to the last file access event associated with a shortcut.

File Recovery

If one examines the 'Recent' folder described above, up to 149 LNK files will be found there. What should be done, if the shortcut we need was deleted? The answer is simple: for sure, it should be recovered! Recovery of LNK-files can be executed with the file header signature, hex: 4C 00 00 00.

In order to specify the file header, one should start with the program menu: 'Tools' > 'Options'. Then the 'Carving' tab is needed. Click on the 'Add' button to create a new signature. You can learn about the carving methods with Belkasoft Evidence Center in greater detail in the article 'Carving and its Implementations in Digital Forensics'.


Fig.6. Adding a Custom Signature (Header)
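
The header-signature recovery described above, as an added example that is not from the original article or from Belkasoft: a Python carver that scans a raw buffer for the 4C 00 00 00 header size followed by the shell-link class identifier from Microsoft's published format, then decodes the target file's time tags and size. Function names and the sample buffer are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
# HeaderSize (4C 00 00 00) plus LinkCLSID 00021401-0000-0000-C000-000000000046
# in on-disk byte order; the four size bytes alone match far too often.
LNK_MAGIC = bytes.fromhex("4C000000" + "0114020000000000C000000000000046")

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if ft == 0:
        return None  # zero means the field is not set
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None  # garbage value from a damaged or overwritten header

def carve_lnk_headers(blob):
    """Return one record per shell-link header found in a raw byte buffer."""
    hits = []
    pos = blob.find(LNK_MAGIC)
    while pos != -1:
        if pos + HEADER_SIZE <= len(blob):  # ignore headers cut off by end of data
            flags, _attrs, ctime, atime, mtime, size = struct.unpack_from(
                "<IIQQQI", blob, pos + 20)
            hits.append({
                "offset": pos,
                "link_flags": flags,
                "target_created": filetime_to_utc(ctime),
                "target_accessed": filetime_to_utc(atime),
                "target_modified": filetime_to_utc(mtime),
                "target_size": size,
            })
        pos = blob.find(LNK_MAGIC, pos + 1)
    return hits

def build_sample_image():
    """Constructed data: filler, one valid header, and a bare 4C 00 00 00 decoy."""
    ft = 132223104000000000  # 2020-01-01 00:00:00 UTC expressed as FILETIME
    header = LNK_MAGIC + struct.pack("<IIQQQI", 0x21, 0x20, ft, ft, ft, 4096)
    header = header.ljust(HEADER_SIZE, b"\x00")
    return b"\xAA" * 512 + header + b"\xBB" * 100 + b"\x4C\x00\x00\x00" + b"\xBB" * 8

if __name__ == "__main__":
    for hit in carve_lnk_headers(build_sample_image()):
        print(hit)
```

Each hit's offset marks where a recovered shortcut starts in the image; the decoy in the sample shows why the class identifier is checked in addition to the four-byte signature.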

Using LNK Files with Information Security Incidents

Compromising an Attacked System


Over 90% of malware is distributed via e-mails. Normally, malware e-mails contain either a link to a network resource or a specifically designed document. If such a document is opened, malware will be downloaded to a machine.

Likewise, LNK files are used for hacking attacks.


Fig.7. 'Metadata' Section Associated with a Malicious LNK file


The general rule is that such a LNK file contains PowerShell code which is executed when users try to open the shortcuts previously sent to them. As you can see in Fig.7, such shortcuts can be easily detected with Belkasoft Evidence Center: there is a path to the executable powershell.exe in the metadata. The 'Arguments' field holds the arguments of a PowerShell command and an encrypted 'payload'.

Embedding in a Compromised System

One of the methods to use LNK files is to embed them in a compromised system. In order to activate malware whenever a corresponding machine is turned on, the following trick can be utilized: a LNK file with a link to an executable malware file (for example, to a file with the loader code) is created and placed at the following address: C:\Users\%User profile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

In this case, as soon as a machine is launched, the malware will be activated as well. Such shortcuts can be found in the 'File system' tab of Belkasoft Evidence Center.


Fig.8. 'PhonerLite.lnk' Shortcut in Startup
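
The two indicators described in this section (a powershell.exe target with an encoded run in 'Arguments', and a shortcut placed in a Startup folder) can be checked directly against the file bytes. The following is an added example, not code from the original article or from Belkasoft. It reads the target from the RELATIVE_PATH string only, whereas a full parser would also read the LinkInfo block. The 40-character threshold, function names and sample shortcuts are assumptions constructed for illustration.

```python
import re
import struct

# LinkFlags bits from the ShellLinkHeader (Microsoft's published LNK format).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
STARTUP = "\\start menu\\programs\\startup\\"
CLSID = bytes.fromhex("0114020000000000C000000000000046")

def read_string_data(data):
    """Extract the StringData fields that follow the header, ID list and LinkInfo."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) plus the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    # Non-Unicode strings use the system code page; cp1252 is assumed here.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # length in characters
            end = pos + 2 + count * width
            fields[name] = data[pos + 2:end].decode(codec, "replace")
            pos = end
    return fields

def triage(lnk_path, data):
    """Return the reasons this shortcut deserves a closer look (empty if none)."""
    fields = read_string_data(data)
    reasons = []
    if "powershell" in fields.get("relative_path", "").lower():
        reasons.append("target is powershell.exe")
    if re.search(r"[A-Za-z0-9+/=]{40,}", fields.get("arguments", "")):
        reasons.append("long encoded run in arguments")
    if STARTUP in lnk_path.lower():
        reasons.append("shortcut sits in a Startup folder")
    return reasons

def build_sample_lnk(target, arguments):
    """Constructed data: header plus RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I", 0x4C) + CLSID + struct.pack("<I", 0x08 | 0x20 | 0x80)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (target, arguments))
    return header.ljust(0x4C, b"\x00") + body
```

A hit is a lead for review, not a verdict: administrators also create shortcuts to PowerShell, and legitimate software places shortcuts in Startup folders.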

Conclusion

LNK files are Windows system files which are important in digital forensic and incident response investigations. They may be created automatically by Windows or manually by a user. With the help of these files you can prove the execution of a program, the opening of a document or the startup of malicious code.

Belkasoft Evidence Center can help you to locate existing LNK files, recover deleted ones and help to analyze their contents.


File Type: Windows Shortcut
Developer: Microsoft
Category: System Files
Format: Binary

What is an LNK file?

An LNK file is a shortcut or 'link' used by Windows as a reference to an original file, folder, or application similar to an alias on the Macintosh platform. It contains the shortcut target type, location, and filename as well as the program that opens the target file and an optional shortcut key. The file can be created in Windows by right-clicking a file, folder, or executable program and then selecting Create shortcut.

LNK files typically use the same icon as their target file, but add a small curled arrow to indicate that the file points to another location. When double-clicked, the shortcut acts exactly the same way as if the user clicked the original file.

LNK files with shortcuts to a program (.EXE file) can specify attributes for how the program runs. To set the attributes, right-click the shortcut file, select 'Properties,' and modify the Target field.

Windows does not display the .lnk file extension for file shortcuts even when the 'Hide extensions for known file types' folder viewing property is unchecked. While not recommended, you may enable the file extension to be displayed by deleting the 'NeverShowExt' property within the HKEY_CLASSES_ROOT\lnkfile Windows registry entry. To do so, follow these instructions:

  1. Open 'Registry Editor' by typing 'regedit' in the taskbar search box and selecting the program.
  2. Navigate to the Computer\HKEY_CLASSES_ROOT\lnkfile location in the program.
  3. Create a backup of the key by right-clicking 'lnkfile' and selecting Export (you can use this to restore your key in case of an error).
  4. Select the 'NeverShowExt' property and delete it.
  5. Restart Windows.

Read more about Windows shortcuts in the FileInfo.com Help Center.


NOTE: Changes to the LNK file association may cause your Windows desktop icons to unexpectedly change or disappear. You can visit the Help Center for instructions on how to fix your Windows icons.


Updated 12/23/2019
