Problems understanding data in a .lnk file


nickfx
Senior Member
 

Problems understanding data in a .lnk file

Posted: Aug 19, 05 14:35

Working a fraud case and am unsure what I'm seeing in a series of .lnk files.

As an example, a file references a .ppt file at C:\work\work\filename. However, I can find no reference to the filename on the local machine, either live, deleted, or even a partial hit from unallocated.

However, in part of the metadata from the .lnk file we have 2 entries:

Relative path: ..\..\..\..\..\work\work\filename

Working directory: C:\work\work

My gut tells me I'm looking at a file accessed from a remote system on a network, which is possible in this case, but I haven't had to consider the 'relative path' before and would appreciate input from the community.

thanks

Nick  
 
  

Andy
Senior Member
 

Re: Problems understanding data in a .lnk file

Posted: Aug 19, 05 17:00

Can you post the full data list? Also, have you searched in Unicode for the filename?

Andy  
 
  

keydet89
Senior Member
 

Re: Problems understanding data in a .lnk file

Posted: Aug 19, 05 17:11

Nick,

Could you provide more information?

Specifically, I'm not following how you can see the working directory on the local hard drive, but think that the file was accessed from a remote system. I'm not following the logic there.

Do you have any information with regards to timestamps? Maybe the file was on the local system, but has been deleted and overwritten to the point where you're not seeing anything in slack/unallocated space.

Also, when you say the path is "C:\work\work\", is this an example? Within the relative path (i.e., "..\..\..\.."), does that path really show the dots, or is there something else there, some text?

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

nickfx
Senior Member
 

Re: Problems understanding data in a .lnk file

Posted: Aug 19, 05 18:14

Thanks for the interest guys.

I have to be very careful what I publish here as this is a live case for a corporate client and many file and folder names contain references. However, this is what I see:

Local Path: C:\Work\work\2004 Marketing Promotion.ppt
Volume Type: Fixed Disk
Volume Serial Number: 00AA-CCBB
File size: 2242048
Creation time (UTC): 05/03/2004 08:12:29
Last write time (UTC): 04/03/2004 16:11:10
Last access time (UTC): 23/05/2005 07:36:48
File attributes: Archive

Optional fields
Relative Path: ..\..\..\Work\work\2004 Marketing Promotion.ppt
Working directory: C:\Work\work

Target system information
NetBIOS name: ********
MAC address: 50-72-6f-44-53-31

I can find no existing or deleted 'work' folders and this is only a couple of months ago as you can see. I also can find no other incidence of this ppt file or of the other 24 in the list.

I always worry that I'm missing the obvious, so if you have an 'obvious' answer don't be afraid to share. I called my buddies at my local Hitech Crime Unit and we are all either having a thick day or are stuck! It is a Friday after all!

Nick  
 
  

keydet89
Senior Member
 

Re: Problems understanding data in a .lnk file

Posted: Aug 19, 05 19:33

Nick,

I understand your caution. However, sometimes one needs more information to be able to answer the questions that are posed.

Thanks for posting what you did. I think that with that info, I can point you to what you need, in order to be able to speak confidently about this issue.

Take a look at what you posted, specifically the volume information, the NetBIOS name, and the MAC address. You can use this to tie the path information in the .lnk file to the local system. In addition, you can rule out remote systems by checking locations in the Registry, such as the "Map Network Drive MRU" list, and others (depending upon the specific version of Windows os used).

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
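As an added example (not code from the thread or from any of the posters), the Python below parses exactly the .lnk fields Nick listed and Harlan points to, following the MS-SHLLINK layout: the LinkInfo structure's VolumeID carries the drive type and serial number next to the LocalBasePath, RELATIVE_PATH and WORKING_DIR are StringData entries, and the TrackerDataBlock holds the MachineID (the NetBIOS name) plus two "droid" GUIDs, the file GUID being a version-1 UUID whose node field is the MAC address of the machine that issued the tracking ID. The sample .lnk is constructed inside the block from the values posted in the thread; the NetBIOS name "EXAMPLE-PC" and the host values passed to ties_to_local_system are placeholders, since the real name is masked in the post.

```python
"""Parse the MS-SHLLINK (.lnk) fields discussed in the thread: LinkInfo volume
serial and local path, the RELATIVE_PATH / WORKING_DIR strings, and the
TrackerDataBlock NetBIOS name and MAC address. Added example; the sample .lnk
is constructed here, not taken from a real case file."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits from the ShellLinkHeader
HAS_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x1, 0x2, 0x4, 0x8
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
TRACKER_SIG = 0xA0000003
DRIVE_TYPES = {2: "Removable", 3: "Fixed Disk", 4: "Remote", 5: "CD-ROM", 6: "RAM disk"}


def to_filetime(dt):
    """UTC datetime -> 100 ns ticks since 1601-01-01, in integer arithmetic (no float loss)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def build_sample_lnk(local_path, rel_path, work_dir, serial, size, ctime, wtime, atime, machine, mac):
    """Assemble a minimal but spec-shaped .lnk (constructed sample, not a real artefact)."""
    flags = HAS_LINK_INFO | HAS_REL_PATH | HAS_WORK_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, flags, 0x20,  # 0x20 = ARCHIVE
                         to_filetime(ctime), to_filetime(atime), to_filetime(wtime), size,
                         0, 1, 0, 0, 0, 0)
    # VolumeID: size, DriveType 3 (fixed disk), serial, label offset 0x10, empty label
    volume_id = struct.pack("<IIII", 0x11, 3, serial, 0x10) + b"\x00"
    base = local_path.encode("ascii") + b"\x00"
    vol_off, base_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = base_off + len(base)  # empty CommonPathSuffix follows LocalBasePath
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"

    def sdata(s):  # StringData: UTF-16LE char count, then the characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    # TrackerDataBlock: the file "droid" is a version-1 UUID whose node field is the MAC
    vol_droid = uuid.uuid4()
    file_droid = uuid.uuid1(node=int.from_bytes(mac, "big"), clock_seq=0x1234)
    droids = vol_droid.bytes_le + file_droid.bytes_le
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + machine.encode("ascii").ljust(16, b"\x00") + droids + droids)
    return header + link_info + sdata(rel_path) + sdata(work_dir) + tracker + b"\x00" * 4


def parse_lnk(data):
    hdr, clsid, flags, attrs, ct, at, wt, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    out = {"file_size": size, "attributes": attrs, "creation_utc": from_filetime(ct),
           "write_utc": from_filetime(wt), "access_utc": from_filetime(at)}
    pos = 0x4C
    if flags & HAS_IDLIST:  # skip the LinkTargetIDList (IDListSize + list)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath present
            drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            out["volume_type"] = DRIVE_TYPES.get(drive_type, f"type {drive_type}")
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            out["local_path"] = read_cstr(data, pos + base_off)
        pos += li_size
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & flag:  # StringData entries appear in this fixed order
            n = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n * width
    while pos + 8 <= len(data):  # ExtraData blocks until a BlockSize < 4 terminator
        blk_size, sig = struct.unpack_from("<II", data, pos)
        if blk_size < 4:
            break
        if sig == TRACKER_SIG:
            out["netbios_name"] = data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("ascii")
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            if file_droid.version == 1:  # only a time-based UUID carries a node (MAC) field
                out["mac_address"] = "-".join(f"{file_droid.node:012x}"[i:i + 2] for i in range(0, 12, 2))
        pos += blk_size
    return out


def ties_to_local_system(parsed, host_serial, host_netbios):
    """The check suggested in the thread: do the .lnk's volume serial and tracker machine name match the examined host?"""
    return {"serial_match": parsed.get("volume_serial") == host_serial.upper(),
            "netbios_match": parsed.get("netbios_name", "").upper() == host_netbios.upper()}


# Constructed sample from the values posted above; "EXAMPLE-PC" is a placeholder NetBIOS name.
SAMPLE_LNK = build_sample_lnk(
    r"C:\Work\work\2004 Marketing Promotion.ppt", r"..\..\..\Work\work\2004 Marketing Promotion.ppt",
    r"C:\Work\work", 0x00AACCBB, 2242048,
    datetime(2004, 3, 5, 8, 12, 29, tzinfo=timezone.utc), datetime(2004, 3, 4, 16, 11, 10, tzinfo=timezone.utc),
    datetime(2005, 5, 23, 7, 36, 48, tzinfo=timezone.utc), "EXAMPLE-PC", bytes.fromhex("50726f445331"))

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    for key, value in parsed.items():
        print(f"{key:>14}: {value}")
    print(ties_to_local_system(parsed, "00AA-CCBB", "EXAMPLE-PC"))
```

Running it against a real .lnk only needs `parse_lnk(open(path, "rb").read())`; the serial and NetBIOS name it returns are the values to compare against the examined volume and host, which is the tie Harlan describes. One point on Nick's original question: per MS-SHLLINK, RELATIVE_PATH is the target's path relative to the directory that contains the .lnk file itself, so resolving it requires knowing where the .lnk sat when it was written.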
 
  

nickfx
Senior Member
 

Re: Problems understanding data in a .lnk file

Posted: Aug 20, 05 16:06

That is very helpful, I will get onto that Monday morning. Doing a Unicode search I was able to locate a deleted c:\work directory that appeared to have contained email. This odd .lnk file couldn't be a link to an attachment, could it?

Thanks for your help

Nick  
 
