{"id":192,"date":"2015-11-21T12:50:37","date_gmt":"2015-11-21T12:50:37","guid":{"rendered":"https:\/\/www.acquireforensics.com\/blog\/?p=192"},"modified":"2016-01-27T09:11:49","modified_gmt":"2016-01-27T09:11:49","slug":"lnk-file-format","status":"publish","type":"post","link":"https:\/\/www.acquireforensics.com\/blog\/lnk-file-format.html","title":{"rendered":"Getting Acquainted With LNK File Structure"},"content":{"rendered":"<p>LNK is a file extension used for a shortcut file that points to an executable file. It stands for <strong>LiNK<\/strong> file and acts as a direct link to an .exe file. This saves users from having to navigate to the executable file, which saves them time. A Windows shortcut LNK file is denoted by a curled arrow. The image below shows the LNK file of Mozilla Thunderbird.<\/p>\n<p><a href=\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/11\/thunderbird-shortcut3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-201\" src=\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/11\/thunderbird-shortcut3.png\" alt=\"thunderbird-shortcut\" width=\"259\" height=\"242\" \/><\/a><\/p>\n<p>This article describes the LNK file structure and the properties associated with the file.<\/p>\n<h2><strong>Overview of LNK File<\/strong><\/h2>\n<p>The LNK file contains the MAC times (times which specify when an event took place) of the target.
This includes the timestamp of the target when it was last opened, when the LNK file was created, the access time and the modification time.<\/p>\n<p><a href=\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/11\/file-type.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-202\" src=\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/11\/file-type.png\" alt=\"Windows Shortcut LNK File Format\" width=\"375\" height=\"500\" \/><\/a><\/p>\n<p>Other metadata stored in the LNK file structure include:<\/p>\n<ul>\n<li>The shell item list of the file\u2019s target.<\/li>\n<li>The size of the target file when it was accessed for the last time.<\/li>\n<li>The serial number of the volume on which the target is stored.<\/li>\n<li>The name of the network volume share.<\/li>\n<li>Distributed link tracking information.<\/li>\n<\/ul>\n<p>On the Windows platform, the signature is 0x4C (4C 00 00 00) at offset 0.<\/p>\n<h3><strong>Windows Shortcut LNK File Format<\/strong><\/h3>\n<p>A LNK file consists of a sequence of structures that conform to the following ABNF rules.<\/p>\n<p>SHELL_LINK = SHELL_LINK_HEADER [LINKTARGET_IDLIST] [LINKINFO] [STRING_DATA] *EXTRA_DATA<\/p>\n<p><a href=\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/11\/properties.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-204\" src=\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/11\/properties.png\" alt=\"LNK File Structure\" width=\"375\" height=\"499\" \/><\/a><\/p>\n<p>The individual structures are described in detail below:<\/p>\n<ul>\n<li><strong>SHELL_LINK_HEADER<\/strong><\/li>\n<\/ul>\n<p>The ShellLinkHeader structure comprises identification information, timestamps, and flags that signify the presence of optional structures, including LinkTargetIDList, LinkInfo and
StringData.<\/p>\n<ul>\n<li><strong>LINKTARGET_IDLIST<\/strong><\/li>\n<\/ul>\n<p>The LinkTargetIDList structure of the <strong><a href=\"http:\/\/www.acquireforensics.com\/services\/computer\/lnk-file-analysis.html\" target=\"_blank\">Windows shortcut LNK file format<\/a><\/strong> specifies the target of the link. The presence of this structure is specified by the HasLinkTargetIDList bit in the ShellLinkHeader. It is made up of two parts:<\/p>\n<ul>\n<ul>\n<li><strong>IDListSize:<\/strong> A 2-byte field that specifies the size of the IDList field.<\/li>\n<li><strong>IDList (variable): <\/strong>A structure that contains the list of item IDs.<\/li>\n<\/ul>\n<\/ul>\n<ul>\n<li><strong>LINKINFO<\/strong><\/li>\n<\/ul>\n<p>The LinkInfo structure specifies the information needed to resolve the link target if it is not found in its original location. This includes information about the volume on which the target exe file was stored, the drive letter that was mapped to it, and a UNC path that was present when the file was created.<\/p>\n<ul>\n<li><strong>STRING_DATA<\/strong><\/li>\n<\/ul>\n<p>The StringData structures in a LNK file convey information related to the user interface and path identification. The presence of these structures is specified by bits in the ShellLinkHeader.<\/p>\n<ul>\n<li><strong>*EXTRA_DATA<\/strong><\/li>\n<\/ul>\n<p>ExtraData comprises structures that convey additional information about a particular link target.<\/p>\n<p>The concept of creating links for files and applications originally existed on Mac OS; LNK files are also widely used on Windows OS.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>LNK is a file extension used for a shortcut file that points to an executable file. It stands for LiNK file and acts as a direct link to an .exe file. This saves the users from navigating to the executable file, thus saving the time of the users.
A Windows shortcut LNK file format is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":207,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-file-format"],"_links":{"self":[{"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":1,"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/media\/207"}],"wp:attachment":[{"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.acquireforensics.com\/blog\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}