Analyzing LNK File and Jump List Artifacts
Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
What Is This?
The "Analyzing LNK File and Jump List Artifacts" skill focuses on the forensic examination of Windows shortcut files (LNK files) and Jump List artifacts to uncover evidence of file access, program execution, and user activity. LNK files are binary files created by the Windows operating system whenever a user interacts with files or applications through shortcuts, most commonly via Windows Explorer or the Open/Save dialog. These files store metadata such as the original file path, file system timestamps, volume serial number, NetBIOS name, and, in some cases, the MAC address of the host system.
Jump Lists, introduced in Windows 7, are a feature of the Windows shell that maintains application-specific lists of recently and frequently used files. Internally, these are stored as custom files (.automaticDestinations-ms and .customDestinations-ms) within the user's profile. Both LNK files and Jump List artifacts persist even if the original target files have been deleted or moved, making them a vital resource in digital investigations.
This skill guides practitioners through using tools like LECmd and JLECmd, as well as manual binary parsing of the Shell Link Binary format, to extract and interpret the information within these artifacts.
Why Use It?
LNK and Jump List artifacts are essential for digital forensics and incident response for several reasons:
- Persistence of Evidence: These artifacts often remain after the original files have been deleted, renamed, or moved, providing a historical record of file access and execution.
- Attribution: LNK files can contain unique identifiers, such as MAC addresses and volume serial numbers, allowing investigators to correlate activity with specific systems and users.
- Timeline Reconstruction: Timestamps and metadata within these artifacts enable the reconstruction of user activity timelines, which is critical for incident response and legal proceedings.
- Program Execution Tracking: Jump Lists, in particular, can reveal which files were accessed by specific applications, helping to determine how malware was launched or sensitive data was exposed.
By analyzing these artifacts, investigators can answer vital questions about what actions were performed on a system, by whom, and when.
How to Use It
Tools and Prerequisites
This skill utilizes open-source tools such as LECmd for LNK file analysis and JLECmd for Jump List analysis. For advanced investigations, manual parsing of the Shell Link Binary format may be necessary.
Analyzing LNK Files with LECmd
LECmd is a command-line tool designed to parse and display the contents of LNK files. Given a collection of shortcut files, LECmd can quickly extract and report metadata.
Example:
lecmd.exe -d C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent --csv output_folder
This command processes all LNK files in the specified directory and writes the results as CSV to output_folder (LECmd selects the output directory with --csv; it has no -o switch). Key fields to review include:
- Target Path: Original location of the file or application.
- Accessed, Created, Modified Timestamps: Dates and times of interactions. These are the target file's timestamps as copied into the shortcut when it was written; the LNK file's own file system timestamps (reported separately by LECmd as source timestamps) approximate the first and most recent time the target was opened.
- Machine ID and MAC Address: Identifiers for the system on which the shortcut was created.
- Volume Serial Number: Useful for tracking usage across removable media.
Analyzing Jump Lists with JLECmd
JLECmd parses Jump List files, which are typically found in:
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
Example:
jlecmd.exe -d C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv output_folder
JLECmd will parse each Jump List file in the directory, writing CSV output to output_folder and extracting:
- Entry List: Names and paths of files accessed via the application.
- Last Accessed Timestamps: When each file was used.
- Application ID: Identifies the application associated with the Jump List.
Manual Parsing (Advanced)
For situations where automated tools are insufficient or for validation, manual parsing of the Shell Link Binary format may be necessary. This involves interpreting LNK file structures as documented by Microsoft (MS-SHLLINK). Python libraries like pylnk3 or custom scripts can be used.
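To make the MS-SHLLINK layout concrete, here is an added example (not from the original page, and not code from pylnk3 or the Eric Zimmerman tools) that hand-parses the 76-byte ShellLinkHeader and the LinkInfo block with Python's struct module. It converts the embedded FILETIME values to UTC datetimes and pulls out the local base path and the volume serial number. The script constructs its own minimal sample LNK so it runs offline; the ANSI path is decoded as cp1252 (an assumption: real files use the code page of the creating machine), and the StringData section and the TrackerDataBlock that carries the MAC address and machine ID are left unparsed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Shell Link Binary format constants (MS-SHLLINK section 2.1 / 2.3)
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x0001        # LinkFlags bits
HAS_LINK_INFO = 0x0002
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x0001  # LinkInfoFlags bit
HEADER_FMT = "<I16sIIQQQIiIH"           # 66 bytes, followed by 10 reserved bytes

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk(data):
    """Parse the ShellLinkHeader and, when present, the LinkInfo block of an LNK."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (header_size, clsid, flags, attrs, ctime, atime, wtime,
     file_size, _icon_index, _show_cmd, _hotkey) = struct.unpack_from(HEADER_FMT, data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    result = {
        "link_flags": flags, "file_attributes": attrs, "file_size": file_size,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "local_base_path": None, "drive_type": None, "drive_serial_number": None,
    }
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (uint16) followed by that many bytes of ItemIDs; skipped here.
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        li_start = offset
        # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags, VolumeIDOffset, LocalBasePathOffset
        (li_size, _li_hdr, li_flags, vol_off, lbp_off) = struct.unpack_from("<IIIII", data, li_start)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # VolumeID: VolumeIDSize, DriveType (2 = removable, 3 = fixed), DriveSerialNumber
            (_vol_size, drive_type, serial) = struct.unpack_from("<III", data, li_start + vol_off)
            result["drive_type"] = drive_type
            result["drive_serial_number"] = serial
            lbp = li_start + lbp_off
            end = data.index(b"\x00", lbp)          # LocalBasePath is NUL-terminated
            result["local_base_path"] = data[lbp:end].decode("cp1252")  # assumed code page
        offset = li_start + li_size
    return result


def build_sample_lnk(path, serial, created, accessed, written, file_size):
    """Construct a minimal LNK (header + LinkInfo only) for the demonstration."""
    label = b"DATA\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, serial, 16) + label  # removable drive
    local_base_path = path.encode("cp1252") + b"\x00"
    common_suffix = b"\x00"
    li_hdr = 0x1C
    vol_off = li_hdr
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(local_base_path)
    li_size = suffix_off + len(common_suffix)
    link_info = struct.pack("<IIIIIII", li_size, li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, suffix_off)
    link_info += volume_id + local_base_path + common_suffix
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), file_size, 0, 1, 0) + b"\x00" * 10
    return header + link_info


# Constructed sample values (not from any real case)
SAMPLE_CREATED = datetime(2024, 2, 28, 8, 0, tzinfo=timezone.utc)
SAMPLE_ACCESSED = datetime(2024, 3, 6, 17, 40, tzinfo=timezone.utc)
SAMPLE_WRITTEN = datetime(2024, 3, 6, 17, 40, tzinfo=timezone.utc)


def demo():
    """Build the constructed shortcut and parse it back."""
    sample = build_sample_lnk(r"E:\Finance\Q3_report.xlsx", 0x1A2B3C4D,
                              SAMPLE_CREATED, SAMPLE_ACCESSED, SAMPLE_WRITTEN, 48213)
    return parse_lnk(sample)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

Replace the constructed sample with the bytes of a real shortcut to compare the hand-parsed fields against LECmd's output; any disagreement in the timestamps or the volume serial number is worth resolving before the values go into a report.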
Example Python code:
import pylnk3

# pylnk3.parse() accepts an open binary file object (or a path) and returns a Lnk object
with open('example.lnk', 'rb') as f:
    lnk = pylnk3.parse(f)

# LinkInfo is optional (HasLinkInfo flag), so guard against its absence
if lnk.link_info is not None:
    print(lnk.link_info.local_base_path)
# The embedded target timestamps are attributes of the Lnk object itself
print(lnk.creation_time)
print(lnk.access_time)
When to Use It
- Incident Response: When investigating unauthorized access, data exfiltration, or malware execution.
- Digital Forensics: To reconstruct a user's activity timeline, especially when file deletion or anti-forensic techniques are suspected.
- Legal and Compliance Audits: For verifying user actions in regulatory or HR investigations.
- Threat Hunting: To identify suspicious patterns of file access or program execution across endpoints.
Important Notes
- LNK and Jump List artifacts are user-specific and reside in the respective user's profile directories.
- Timestamps within these artifacts are susceptible to manipulation, but cross-referencing with other sources (like the $MFT, USN Journal, or Prefetch files) can improve reliability.
- Not all applications make use of Jump Lists, and not every file interaction creates an LNK file.
- Always use verified versions of tools like LECmd and JLECmd to ensure accuracy in parsing.
- Artifact locations and formats can vary slightly across Windows versions - always verify paths and behaviors on the target system version.
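As an added illustration of the cross-referencing note above (example code, not part of the original page), the script below takes constructed LNK records, each carrying the shortcut file's own NTFS timestamps and the target timestamps embedded in it, merges them with constructed Prefetch run times into one timeline, flags shortcuts whose embedded target timestamps post-date the shortcut's own last write (which cannot happen in normal operation), and lists Prefetch executions that corroborate each shortcut's open times. Field names, tolerances and all timestamps are assumptions chosen for the demonstration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample records, shaped like what a triage script might get from an LNK parser.
# 'source_*' are the LNK file's own NTFS timestamps (first/last time the target was opened);
# 'target_*' are the timestamps embedded in the ShellLinkHeader, copied from the target when
# the shortcut was written. Every value here is made up for the demonstration.
SAMPLE_LNK_RECORDS = [
    {"lnk": "Q3_report.xlsx.lnk", "target": r"E:\Finance\Q3_report.xlsx",
     "source_created": datetime(2024, 3, 4, 9, 12, tzinfo=UTC),
     "source_modified": datetime(2024, 3, 6, 17, 45, tzinfo=UTC),
     "target_created": datetime(2024, 2, 28, 8, 0, tzinfo=UTC),
     "target_modified": datetime(2024, 3, 6, 17, 40, tzinfo=UTC)},
    {"lnk": "invoice.pdf.lnk", "target": r"C:\Users\alice\Downloads\invoice.pdf",
     "source_created": datetime(2024, 3, 5, 11, 2, tzinfo=UTC),
     "source_modified": datetime(2024, 3, 5, 11, 2, tzinfo=UTC),
     # Embedded target timestamps later than the shortcut's last write: the snapshot copied
     # into the LNK cannot lie in the future, so this points to timestamp manipulation or a
     # clock change and needs $MFT / USN Journal corroboration before it is relied on.
     "target_created": datetime(2024, 3, 9, 0, 0, tzinfo=UTC),
     "target_modified": datetime(2024, 3, 9, 0, 0, tzinfo=UTC)},
]

# Constructed Prefetch-derived execution times for the same period (executable -> run times)
SAMPLE_PREFETCH_RUNS = {
    "EXCEL.EXE": [datetime(2024, 3, 4, 9, 11, 30, tzinfo=UTC),
                  datetime(2024, 3, 6, 17, 44, tzinfo=UTC)],
}


def build_timeline(lnk_records, prefetch_runs):
    """Merge LNK open events and Prefetch executions into one chronologically sorted list."""
    events = []
    for r in lnk_records:
        events.append((r["source_created"], "LNK", f"first open of {r['target']} ({r['lnk']})"))
        if r["source_modified"] != r["source_created"]:
            events.append((r["source_modified"], "LNK", f"last open of {r['target']} ({r['lnk']})"))
    for exe, runs in prefetch_runs.items():
        for t in runs:
            events.append((t, "PREFETCH", f"{exe} executed"))
    events.sort(key=lambda e: e[0])
    return events


def find_timestamp_anomalies(lnk_records, skew=timedelta(minutes=5)):
    """Return names of shortcuts whose embedded target timestamps post-date the LNK's last write."""
    anomalies = []
    for r in lnk_records:
        latest_target = max(r["target_created"], r["target_modified"])
        if latest_target > r["source_modified"] + skew:   # skew tolerates small clock drift
            anomalies.append(r["lnk"])
    return anomalies


def corroborating_runs(record, prefetch_runs, window=timedelta(minutes=2)):
    """Prefetch executions that happened within `window` before one of the shortcut's open times."""
    hits = set()
    for exe, runs in prefetch_runs.items():
        for t in runs:
            for opened in (record["source_created"], record["source_modified"]):
                if timedelta(0) <= opened - t <= window:
                    hits.add((exe, t))
    return sorted(hits)


if __name__ == "__main__":
    for when, source, what in build_timeline(SAMPLE_LNK_RECORDS, SAMPLE_PREFETCH_RUNS):
        print(f"{when.isoformat()}  {source:<9} {what}")
    print("timestamp anomalies:", find_timestamp_anomalies(SAMPLE_LNK_RECORDS))
    for r in SAMPLE_LNK_RECORDS:
        print(r["lnk"], "corroborated by:", corroborating_runs(r, SAMPLE_PREFETCH_RUNS))
```

The anomaly check only catches one direction of tampering; an LNK whose own NTFS timestamps were moved forward, or a target timestomped backward before the shortcut was written, looks internally consistent and is only exposed by the external sources the note above lists.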
By mastering the analysis of LNK files and Jump List artifacts, investigators gain a powerful capability to uncover hidden evidence of user activity and establish clear timelines in Windows environments.