During the course of a forensic investigation, an investigator may find that they want to locate artifacts related to recently accessed or deleted files on a Windows machine. If this is the case, then it would be necessary to analyze the LNK shortcut files. Analyzing LNK shortcut files have proven to be a consistent and reliable method for determining if a file had been accessed by a user and at what time that access had occurred. (Frazer, 2020) While this information can often be found in additional locations, LNK files are able to provide an investigator with additional context and metadata regarding a recently accessed file. There are many types of investigations where LNK file artifacts are relevant. For example, a file executed from a removable thumb drive may not show up in a disk image capture, but a LNK file will have been created upon opening the file with a corresponding program. LNK files can be especially valuable when looking for evidence that a suspect had been accessing files on other drives. (Cowen, 2013)
Overview of LNK Files
LNK files are Windows-created files with a .lnk extension which function as shortcuts that link to a file. LNK files are extremely common and innocuous, although they are often valuable artifacts during a forensic investigation of a Windows system. (McQuaid, 2014) These files are automatically created by the Windows operating system whenever a file is accessed from a corresponding application. It is important to keep in mind that these files can also be created manually. Technically, files with a .lnk extension, or LNK files, are classified as Shell Items. It is not uncommon for attacks to utilize LNK files as an attack vector. The most famous example of this was the Stuxnet worm. (Symantec Threat Engineering Team, 2019) Shell Items are binary formatted files that can be used to access objects in the Windows Graphical User Interface (GUI). Forensic investigators may use LNK file shortcuts to obtain metadata and timestamps regarding various files included recently accessed and deleted files. (Frazer, 2020)
LNK files additionally have the potential to be abused and subsequently utilized in an attacker’s methodology. In a blog post from 2017, Benson Sy, a Threat Analyst at TrendMicro, published a blog post outlining how cybercriminals have been seen executing PowerShell scripts via Windows LNK shortcut files. The blog post additionally states that LNK files were seen being utilized as an attack vector as early as 2013. Graphical diagrams of unique LNK attacks can be seen in both Figure 1 and Figure 2. (Sy, 2017)
Figure 1: A LNK-PowerShell Attack. (Sy, 2017)
Figure 2: A Second LNK Attack. (Sy, 2017)
Stuxnet
One of the most famous examples of an attack that leveraged a LNK exploit would be the Stuxnet worm. The Stuxnet worm, which was discovered in 2010, had ravaged the nuclear centrifuges at the Natanz uranium enrichment facility located in Iran. (Zetter, 2014) The complex Stuxnet malware included various zero-day (newly discovered) exploits. The LNK exploit involved a maliciously crafted .lnk file which was insecurely processed as Windows Icons were displayed. This allowed attackers to execute shellcode on vulnerable Windows machines. The vulnerability was entitled LNK vulnerability (CVE-2010-2568). This vulnerability was supposedly patched by Microsoft in 2010 but was later revealed that the patch did not in fact mitigate the risk associated with this CVE. (Mimoso, 2017)
Related Artifacts
LNK files are often relevant artifacts during an investigation. In a blog post for Magnet Forensics, Jamie McQuaid provides a list of common artifacts which should be inspected during a LNK file analysis which includes:
1. The original path of the file
2. MAC times of the LNK file and the Target file it provides a shortcut to
3. Information about the volume and system where the LNK file is stored (volume name, the serial number, NetBIOS name, and MAC address of the host where the linked file is stored)
4. Network details if the file was stored on a network share or remote computer
5. File size of the linked file (McQuaid, 2014)
This information may be relevant or not depending on what type of investigation is taking place. LNK files may provide the investigator with evidence that a file had been present on a system, even if it was deleted prior to the investigation. Additionally, LNK files may also be present for any files accessed from removable media like a thumb drive. In this scenario, the LNK shortcut to the file may still exist with relevant data regarding file creation, modification, and access times. LNK shortcut files also contain information about where the file was originally stored, and the system storing it. For example, the MAC address of the source computer is contained within the LNK shortcut file, and this is often a valuable artifact.
How LNK File Artifacts Are Recorded
Windows systems running Windows 95 or later create LNK files whenever a user accesses a file with a supported application. (Cowen, 2013) LNK files can also be created manually and have been seen as being utilized by malicious threat actors. When a LNK shortcut is created, it contains metadata regarding the file which had been accessed. “LNK shortcut files typically contain metadata about the accessed file, including the file name and size, the original path, timestamps, volume and system information (ex. drive type and system hostname), and network information (ex. network share path).” (Frazer, 2020)
How LNK File Artifacts Are Stored
LNK files are stored on the Windows file system. Newly created LNK files by default are created in the following directory:
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\ directoryLNK files have the same file name as the file they are linking to, although they have a .lnk file extension. (Cowen, 2013) LNK files can be recovered through a traditional hard drive image, or through a custom content image where directory storing the LNK files is selected. (Sy, 2017) When the LNK file is created, it contains the following information:
1. The full file path of the file in question.
2. The type of drive that the file is being accessed from.
3. The file-size in bytes.
4. The volume name and serial number of the drive hosting the file.
5. The MAC address of the system where the file is stored.
6. Date information related to file creation, modification, and access.
7. Date information related to the LNK file shortcut’s creation, modification, and access. (Cowen, 2013)
Analysis of LNK File Artifacts
There are a wide variety of digital forensics tools that implement LNK file parsing functionalities. Some of these tools are enterprise-level forensic suites such as AccessData’s FTK. Others such as Eric Zimmerman’s LECmd are Open Source and freely available online. These tools are able to parse LNK files and the artifacts contained inside of them. Specifically, Magnet Forensics Internet Evidence Finder (IEF) is able to parse LNK shortcut files and then display them in a more easily readable format. (McQuaid, 2014) LNK files are most easily obtained by filtering for files with a .lnk extension. (Cowen, 2013) The LNK files which are associated with a user’s profile can be found at:
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\ (Sy, 2017)
A sample LNK shortcut being viewed with IEF can be seen in Figure 5. FTK is able to parse LNK shortcut files, and it will even present what it determines to be the most relevant artifacts first. (Cowen, 2013)
Useful tool: LECmd
Eric Zimmerman is a SANS instructor who frequently releases extremely useful digital forensics tools. LECmd is a tool used to explore LNK files from the command line interface. The tool can be located at https://github.com/EricZimmerman/LECmd. The tool processes LNK files from a specified directory and outputs the information located in CSV, HTML, XML, or JSON format. (Zimmerman, 2016) The XML output of LECmd can be seen in Figure 3. The HTML output of LECmd can be seen in Figure 4. The Open Source such as the tools provided by Eric Zimmerman allows for investigators to work on implementing artifact processing automation. This potentially saves time and resources during the course of a forensic investigation.
Figure 3: XML output of LECmd. (Zimmerman, 2016)
Figure 4: HTML output of LECmd. (Zimmerman, 2016)
The information found in Figure 5 is produced by Magnet Forensics IEF by its ability to parse LNK files. By default, LNK shortcut files are not in an easily readable format. The same LNK file which can be seen in Figure 3, can be seen within a hex editor in Figure 6. Additionally, Figure 6 shows that the file is much less valuable prior to having the relevant artifacts parsed. In addition to commercial tools like IEF and FTK, there are Open Source solutions such as Eric Zimmerman’s LECmd which is freely available and can be implemented in automation. Regardless of how artifacts are parsed form LNK files, it is a necessary step during many investigations.
Figure 5: LNK file viewed in IEF. (McQuaid, 2014)
Figure 6: The same LNK File from Figure 3 viewed in a Hex Editor. (McQuaid, 2014)
LNK Files contain up to six different timestamps which an investigator may find useful. The LNK file itself contains timestamps for file creation, file access, and file modification. Similarly, the file contains information regarding the target file’s creation, access, and modifications dates. The modification timestamp for the LNK file will provide insight into when the file was last accessed on the system in question, and the LNK file creation timestamp will tell you when the file was first accessed on the system in question. (Cowen, 2013)
Conclusion
LNK files are forensic artifacts that are often relevant during the course of an investigation. LNK files are shortcut files that are created by Windows on systems running Windows 95 and later. (Cowen, 2013) The contents of a LNK file by default is not all that useful, but when parsed by a tool such as Magnet Forensics IEF or AccessData FTK, the LNK file provides additional information such as the modification and creation times, the target storage location, information regarding the NetBIOS and MAC address of the source computer, and metadata related to the target file. (McQuaid, 2014)
LNK files prove to be invaluable when attempting to determine the time of file access on a file that had been then been deleted. (Frazer, 2020) LNK files contain six relevant timestamps, the creation, access, and modification timestamps for the LNK file itself, and the creation, access, and modification timestamps for the file it is providing a shortcut to. Clearly explaining timestamps retrieved from LNK files, makes it easier to explain when and where a file was located and accessed from. Even if the file was located on an external storage device. (Cowen, 2013) The Open Source tools provided by the forensic community and specifically Eric Zimmerman provide investigators with tools that can lead to automated artifact processing.
References
Cowen, D. (2013). Computer Forensics. New York, New York, United States of America: McGraw Hill.
Frazer, A. (2020, February 19). The Missing LNK — Correlating User Search LNK files. Retrieved from fireeye.com: https://www.fireeye.com/blog/threat-research/2020/02/the-missing-lnk-correlating-user-search-lnk-files.html
McQuaid, J. (2014, August 6). Forensic Analysis of LNK files. Retrieved from magnetforensics.com: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
Mimoso, M. (2017, April 20). Stuxnet LNK Exploits Still Widely Circulated. Retrieved from threatpost.com: https://threatpost.com/stuxnet-lnk-exploits-still-widely-circulated/125089/
Sy, B. (2017, May 25). A Rising Trend: How Attackers are Using LNK Files to Download Malware. Retrieved from trendmicro.com: https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/
Symantec Threat Engineering Team. (2019, September 2). LNK: A perfect vector for living-off-the-land attacks. Retrieved from medium.com: https://medium.com/threat-intel/lnk-files-living-off-the-land-11c1e2218dc2
Zetter, K. (2014, November 03). An Unprecedented Look at Stuxnet, the World's First Digital Weapon. Retrieved from wired.com: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
Zimmerman, E. (2016, February 16). LECmd v0.6.0.0 released! Retrieved from binaryforay.blogspot.com: https://binaryforay.blogspot.com/2016/02/lecmd-v0600-released.html