Getting Acquainted With LNK File Structure

Mariah | November 21st, 2015 | Forensics

LNK is the file extension for a Windows shortcut file that points to an executable file. The name stands for LiNK, and the file acts as a direct link to an .exe file, which saves users the time of navigating to the executable. The icon of a Windows shortcut LNK file is marked with a curled arrow. The image below shows a LNK file for Mozilla Thunderbird.

[Image: thunderbird-shortcut]

This article describes the LNK file structure and the properties associated with the file.

Overview of LNK File

The LNK file contains the MAC times (timestamps that record when an event took place) of the target. These include the timestamp of when the target was last opened, when the LNK file was created, the access time and the modification time.

Other metadata stored in the LNK file structure includes:

  • The shell item list of the file’s target.
  • The size of the target file when it was accessed for the last time.
  • The volume’s serial number on which the target is stored.
  • Name of the network volume share.
  • Tracking information of the distributed link.

On the Windows platform, the signature is 0x4C (4C 00 00 00) at offset 0.

Windows Shortcut LNK File Format

A LNK file consists of a sequence of structures that conform to the following ABNF rule:

SHELL_LINK = SHELL_LINK_HEADER [LINKTARGET_IDLIST] [LINKINFO] [STRING_DATA] *EXTRA_DATA

LNK File Structure

The individual structures are described below:

  • SHELL_LINK_HEADER

The ShellLinkHeader structure contains identification information, timestamps, and the flags that signal the presence of the optional structures, which include LinkTargetIDList, LinkInfo and StringData.

  • LINKTARGET_IDLIST

The LinkTargetIDList structure of the Windows shortcut LNK file format specifies the target of the link. The presence of this structure is specified by the HasLinkTargetIDList bit in the ShellLinkHeader. It is made up of two parts:

    • IDListSize: a 2-byte field that gives the size of the IDList field.
    • IDList (variable): the structure that contains the item ID list.

  • LINKINFO

The LinkInfo structure specifies the information needed to resolve the link target if it is not found in its original location. This includes information about the volume on which the target exe file was stored, the drive letter that was mapped to it, and a UNC path that was present when the file was created.

  • STRING_DATA

The StringData structures in a LNK file convey information related to the user interface and path identification. These structures are specified by bits in the ShellLinkHeader.

  • *EXTRA_DATA

The ExtraData consists of structures that convey additional information about a particular link target.
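
An added example, not code from the original article: a minimal Python parser that checks the header signature, decodes the target's timestamps and size, and locates the optional structures in the order the ABNF rule gives, rejecting files whose size fields run past the end. The field layout, CLSID and flag names are taken from Microsoft's MS-SHLLINK specification rather than from this page, and the sample file is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader layout per MS-SHLLINK: 76 (0x4C) bytes, little-endian.
HEADER = struct.Struct("<I16sII3QIIIH2xII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
         0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
         0x40: "HasIconLocation", 0x80: "IsUnicode"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means unset."""
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Validate the header, decode the target's MAC times and size, and
    locate the optional structures that follow the header."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ShellLinkHeader")
    size, clsid, flags, _attrs, ct, at, wt, fsize, *_rest = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("bad signature: not a shell link")
    info = {"flags": [name for bit, name in FLAGS.items() if flags & bit],
            "created": filetime(ct), "accessed": filetime(at),
            "modified": filetime(wt), "target_size": fsize, "sections": {}}
    off = HEADER.size
    # (flag bit, name, format of size field, bytes the size field does not count)
    for bit, name, fmt, extra in ((0x01, "LINKTARGET_IDLIST", "<H", 2),
                                  (0x02, "LINKINFO", "<I", 0)):
        if not flags & bit:
            continue
        if off + struct.calcsize(fmt) > len(data):
            raise ValueError(f"{name} size field past end of file")
        length = struct.unpack_from(fmt, data, off)[0] + extra
        if length < struct.calcsize(fmt) or off + length > len(data):
            raise ValueError(f"{name} runs past end of file")
        info["sections"][name] = (off, length)
        off += length
    info["rest_offset"] = off  # STRING_DATA / EXTRA_DATA begin here
    return info

def build_sample():
    """Constructed sample: header, empty IDList, stub LinkInfo, ExtraData terminator."""
    ft = 130925376000000000                      # 2015-11-21 00:00:00 UTC
    header = HEADER.pack(0x4C, LINK_CLSID, 0x03, 0x20, ft, ft, ft, 1234, 0, 1, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2, terminator only
    linkinfo = struct.pack("<II", 28, 0x1C) + bytes(20)
    return header + idlist + linkinfo + bytes(4)
```

Calling `parse_lnk(build_sample())` returns the decoded timestamps plus an (offset, length) pair for each optional structure present.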

The concept of creating links for files and applications originally existed on Mac OS; LNK files are also used extensively on Windows.