LNK File
LNK files (labels or Windows shortcut files) are typically files which are created by the Windows OS automatically, whenever a user opens their files. These files are used by the operating system to secure quick access to a certain file. In addition, some of these files can be created by users themselves to make their activities easier.
Location
Most of LNK-files are located on the following paths:
Windows 7 to 10
Windows XP
Other location
However, there many other places where investigators can find LNK files:
Windows Vista, 7, and 2008
Windows XP and 2000:
Tools
Lnkanalyser – Mark Woan
Using the Link File Parser in EnCase
Windows Artifact Parser -> Link files
Case Analyzer to analysis
Link files can be stored in RAM memory and the OS writes volatile data that is not currently in use to swap file (pagefile.sys)
In Windows XP/Vista/7, if the system is placed into hibernation or hybrid sleep, the contents of RAM are written to the hiberfil.sys file
The swap file is configured to adjust in size. While this adjustment occurs, clusters that were formerly allocated to the swap file find themselves in unallocated space, therefore you should parse for link files in the unallocated spaces.
Last updated
