DFIR Review

Windows 10 Jump List and Link File Artifacts - Saved, Copied and Moved

0
Updated

Research

White papers
  • DFIR Review
  • Jumplists
  • Lnk
  • Windows

Windows users can create shortcut files on the systems they use. A shortcut file is a small file which has information used to access or point to another file (Lee, FOR500 Windows Forensic Analysis Textbook, Volume 3 Core Windows Forensics II: USB Devices and Shell Items 2018, 8). Shortcut files are most often referred to as Link files by forensic analysts based on their .lnk file extension. In addition to user created LNK files, the Windows operating system automatically creates LNK files when a user opens a non-executable file or document. Windows creates these LNK files on a frequent basis and their creation is performed in the background without the explicit knowledge of the user. Within a LNK file, Windows records several pieces of information about the target file of which the LNK file is designed to access (13Cubed 2017). Some of these pieces of information include:

Attachments

  • File Description
    File Size
    File Type
    Downloads
  • Windows 10 Jump List and Link File Artifacts - Saved, Copied and Moved
    335 KB
    20