CTF Support

LNK Shortcut Files

Introduction

Windows automatically creates shortcut files (.LNK) whenever a user opens a document, application, or folder. These files record file locations, access times, drive information, and original paths, even if the originals were deleted or on removable media.

In digital forensics and CTF challenges, analyzing .LNK artifacts can reveal:

  • File or flag names previously opened by a user
  • The original storage device or network share a file resided on
  • When specific files were accessed (creation / modification / access times)
  • Links between user actions and $J journal or registry entries

Tools

| Tool | Purpose |
|------|---------|
| LECmd | Parses .lnk files to CSV; extracts metadata, timestamps, and linked paths |

Typical Locations

| Location | Purpose |
|----------|---------|
| C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\ | User shortcut cache (recent files) |
| C:\Users\<user>\Recent\AutomaticDestinations\ | Jump Lists (binary .lnk containers) |

Using LECmd

# Parse all recent shortcut files
LECmd.exe -d "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent" --csv "out/"

Resulting CSV fields include:

| Column | Meaning |
|--------|---------|
| SourceFile | Path of the .LNK parsed |
| TargetFile | File or folder linked to |
| MachineID | Host where the .LNK was created |
| VolumeSerialNumber | Serial of the drive that contained the original file |
| OpenedTime / AccessedTime / ModifiedTime / CreationTime | Timeline metadata useful for correlation |
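
The target timestamps, volume serial, and target path listed above are stored in the fixed 76-byte ShellLinkHeader and the LinkInfo block of each .LNK file (MS-SHLLINK). The following Python parser is an added example, not code from the original page or from LECmd; it reads those fields directly, and `parse_lnk`, `build_sample`, and the sample values (E:\flag.txt, serial 1A2B3C4D, the FILETIME) are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "network", 5: "cdrom"}

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; None if unset."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return target timestamps, drive type, volume serial and local path."""
    if len(data) < 76:
        raise ValueError("truncated ShellLinkHeader")
    size, clsid, flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    out = {"created": filetime(ctime), "accessed": filetime(atime),
           "modified": filetime(wtime), "file_size": fsize}
    pos = 76
    if flags & 0x1:  # HasLinkTargetIDList: skip IDListSize plus the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:  # HasLinkInfo
        _size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath
            drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            out["drive_type"] = DRIVE_TYPES.get(drive_type, "other")
            out["volume_serial"] = f"{serial:08X}"
            end = data.index(b"\0", pos + path_off)
            # Assumption: path stored in the cp1252 system code page
            out["target"] = data[pos + path_off:end].decode("cp1252", "replace")
    return out

def build_sample():
    """Constructed sample: minimal .LNK for E:\\flag.txt on a removable drive."""
    ft = 133_000_000_000_000_000  # constructed FILETIME, 2022-06-18 04:26:40 UTC
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x2, 0x20,
                         ft, ft, 0, 42, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 17, 2, 0x1A2B3C4D, 16) + b"\0"  # empty label
    path = b"E:\\flag.txt\0"
    info = struct.pack("<7I", 28 + len(volume_id) + len(path) + 1, 28, 0x1,
                       28, 28 + len(volume_id), 0, 28 + len(volume_id) + len(path))
    return header + info + volume_id + path + b"\0"

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key:14} {value}")
```

A drive type of "removable" together with a volume serial is what ties a shortcut to a specific USB device, even after the device is unplugged or the target file is deleted.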