When a user opens a file through Windows Explorer, the operating system silently creates a binary shortcut file that records the full target path — including UNC network paths to remote file shares — along with the target’s timestamps, file size, volume serial number, and in some versions, the machine’s MAC address. These LNK files persist in the user’s Recent Items folder long after the original file has been deleted, making them one of the most reliable artifacts for proving file access in forensic investigations.
What Are LNK Files?
LNK files are binary shortcut files conforming to Microsoft’s MS-SHLLINK (Shell Link Binary File Format) specification. Windows automatically creates them whenever a user opens a file, document, or application through Windows Explorer, the Start Menu, the taskbar, or a standard Open/Save dialog. The shortcut is placed in the user’s Recent Items directory and records metadata about the target file at the moment the link was created or last updated.
The key forensic value of LNK files lies in what they store: the full target path (including network UNC paths like \\FileServer01\Finance\Q4-Report.xlsx), the target file’s creation, modification, and access timestamps, the target’s file size, the volume serial number and volume label of the drive where the target resided, and in certain versions, the MAC address of the machine that created the LNK. This means a single LNK file can prove that a specific user opened a specific file on a specific volume at a specific time — even if the original file has been deleted, the network share has been disconnected, or the USB device has been removed.
LNK files are not limited to files the user deliberately “pinned” or created shortcuts for. Windows generates them automatically for any file opened through the shell. This includes documents opened from network shares, files accessed on USB drives, and executables launched from Explorer. The user has no visible indication that these records are being created, and most users are unaware they exist.
LNK files record the full UNC path to network share files even after the share is disconnected. If a user accessed \\FileServer01\HR\Compensation-2026.xlsx from a mapped drive, the LNK file retains the complete server name and share path — proving network share access that no other single artifact provides as cleanly.
Location & Format
File Paths
| Location | Path | Notes |
|---|---|---|
| Recent Items | C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\ | Primary location; auto-populated by Explorer |
| Recent (Automatic) | C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ | Jump List data; stores per-application recent files |
| Recent (Custom) | C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ | Pinned Jump List items |
| Desktop | C:\Users\{user}\Desktop\ | User-created shortcuts; less forensically relevant |
| Start Menu | C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ | Application shortcuts; modified on install/uninstall |
| Office Recent | C:\Users\{user}\AppData\Roaming\Microsoft\Office\Recent\ | Office-specific recent file shortcuts (legacy) |
Binary Format — MS-SHLLINK
LNK files use a proprietary binary format documented in Microsoft’s [MS-SHLLINK] specification. The file consists of a ShellLinkHeader (76 bytes, fixed size) followed by optional structures, announced by bits in the header’s LinkFlags field: LinkTargetIDList (shell item ID list), LinkInfo (volume and path information), StringData (name, relative path, working directory, command-line arguments, icon location), and ExtraData blocks (tracker data, known folder IDs, property stores). Each ExtraData block starts with a 4-byte size and a 4-byte signature, and the sequence ends with a terminal block whose size is less than 4.
Key Fields in the ShellLinkHeader
| Field | Offset | Size | Forensic Value |
|---|---|---|---|
| LinkFlags | 0x0014 | 4 bytes | Bit flags stating which optional structures follow (HasLinkTargetIDList, HasLinkInfo, IsUnicode, …); a parser must read these before interpreting anything after the header |
| CreationTime | 0x001C | 8 bytes | FILETIME of the target file’s creation (not the LNK itself) |
| AccessTime | 0x0024 | 8 bytes | FILETIME of the target file’s last access |
| WriteTime | 0x002C | 8 bytes | FILETIME of the target file’s last modification |
| FileSize | 0x0034 | 4 bytes | Target file size (low 32 bits) at time of LNK creation |
| IconIndex | 0x0038 | 4 bytes | Icon index; can indicate file type |
| ShowCommand | 0x003C | 4 bytes | Window state (normal, minimized, maximized) |
LinkInfo Structure
| Field | Forensic Value |
|---|---|
| VolumeID.DriveType | Drive type of the target volume: DRIVE_REMOVABLE (2), DRIVE_FIXED (3), DRIVE_REMOTE (4), DRIVE_CDROM (5); flags removable media before any serial matching |
| VolumeID.DriveSerialNumber | Serial number of the volume where the target resided — ties file access to a specific drive or USB device |
| VolumeID.VolumeLabel | Volume label (e.g., “KINGSTON”) — identifies removable media |
| LocalBasePath | Local path to the target file (drive letter and directory) |
| CommonNetworkRelativeLink | UNC share for network targets (e.g., \\Server\Share) plus the mapped device name, if any |
| CommonPathSuffix | Remainder of the path, appended to LocalBasePath or to the network share name to form the full target path |
The three timestamps in the LNK header are the target file’s timestamps at the moment the LNK was created, not the LNK file’s own timestamps. To determine when the user accessed the file, examine the LNK file’s own $MFT creation timestamp (first access) and modification timestamp (most recent access). The embedded timestamps tell you about the target’s state when it was accessed.
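As an added example (not code from the page, from Microsoft, or from any of the tools listed below), the following Python parser reads the ShellLinkHeader fields, the LinkInfo volume and path structures, and the TrackerDataBlock described above directly from a LNK file. It also builds a constructed sample link so it runs offline; the paths, volume serial, label, machine name, MAC address and timestamps in that sample are made up for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; integer arithmetic keeps the round trip exact."""
    td = dt - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def cstr(buf, off, wide=False):
    """NUL-terminated string at buf[off:], UTF-16LE when wide, otherwise ANSI (cp1252)."""
    if wide:
        end = off
        while buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[off:end].decode("utf-16-le")
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")

def parse_lnk(data):
    """Return the forensically relevant fields of an MS-SHLLINK file as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != SHELL_LINK_CLSID.bytes_le:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    ctime, atime, wtime, size, _icon, show = struct.unpack_from("<QQQIiI", data, 0x1C)
    out = dict(target_created=filetime_to_dt(ctime), target_accessed=filetime_to_dt(atime),
               target_modified=filetime_to_dt(wtime), file_size=size, show_command=show, local_path=None,
               network_path=None, drive_type=None, volume_serial=None, volume_label=None, machine_id=None, mac=None)
    pos = 0x4C
    if flags & 0x01:                      # HasLinkTargetIDList: skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                      # HasLinkInfo
        li = pos
        li_size, _, li_flags, vol_off, lbp_off, cnrl_off, suf_off = struct.unpack_from("<7I", data, li)
        suffix = cstr(data, li + suf_off)  # CommonPathSuffix, appended to the base path
        if li_flags & 0x01:               # VolumeIDAndLocalBasePath
            v = li + vol_off
            _, out["drive_type"], serial, label_off = struct.unpack_from("<4I", data, v)
            out["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            if label_off == 0x14:         # 0x14 means a Unicode label; the real offset is in the next field
                out["volume_label"] = cstr(data, v + struct.unpack_from("<I", data, v + 0x10)[0], wide=True)
            else:
                out["volume_label"] = cstr(data, v + label_off)
            out["local_path"] = cstr(data, li + lbp_off) + suffix
        if li_flags & 0x02:               # CommonNetworkRelativeLinkAndPathSuffix
            c = li + cnrl_off
            net = cstr(data, c + struct.unpack_from("<I", data, c + 8)[0])  # NetName, e.g. \\FS01\Engineering
            out["network_path"] = net.rstrip("\\") + "\\" + suffix if suffix else net
        pos = li + li_size
    wide = bool(flags & 0x80)             # IsUnicode selects the StringData encoding
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):   # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * (2 if wide else 1)
    while pos + 8 <= len(data):           # ExtraData blocks; a BlockSize < 4 is the terminal block
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4:
            break
        if sig == 0xA0000003 and bsize == 0x60:   # TrackerDataBlock
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("cp1252")
            file_guid = data[pos + 80:pos + 96]    # DroidBirth file GUID (version-1 UUID): node field = MAC
            out["mac"] = ":".join("%02x" % b for b in file_guid[10:16])
        pos += bsize
    return out

def build_sample_lnk():
    """Constructed sample (not a real artifact): mapped-drive target with VolumeID, network link and tracker block."""
    utc = timezone.utc
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, SHELL_LINK_CLSID.bytes_le,
                         0x02 | 0x04 | 0x80, 0x20,   # HasLinkInfo | HasName | IsUnicode; ARCHIVE attribute
                         dt_to_filetime(datetime(2026, 1, 5, 9, 0, tzinfo=utc)),     # target created
                         dt_to_filetime(datetime(2026, 2, 14, 16, 42, tzinfo=utc)),  # target accessed
                         dt_to_filetime(datetime(2026, 2, 10, 11, 30, tzinfo=utc)),  # target modified
                         2457600, 0, 1, 0, 0, 0, 0)
    label = b"FS01-ENG\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 4, 0xA1B2C3D4, 0x10) + label   # DriveType 4 = DRIVE_REMOTE
    base, net, dev = b"Z:\\\x00", b"\\\\FS01\\Engineering\x00", b"Z:\x00"
    cnrl = struct.pack("<5I", 20 + len(net) + len(dev), 0x1, 20, 20 + len(net), 0x20000) + net + dev
    suffix = b"Source-Code\\main.c\x00"
    vol_off, lbp_off = 28, 28 + len(volume_id)
    cnrl_off, suf_off = lbp_off + len(base), lbp_off + len(base) + len(cnrl)
    link_info = struct.pack("<7I", suf_off + len(suffix), 28, 0x3, vol_off, lbp_off, cnrl_off, suf_off) \
        + volume_id + base + cnrl + suffix
    name = "main.c".encode("utf-16-le")
    string_data = struct.pack("<H", len(name) // 2) + name
    vol_guid = uuid.UUID("8b1d9d6c-6e3b-4e0f-8f5b-2a1c4d6e8f01").bytes_le
    file_guid = uuid.UUID("3f0b9c40-0a1e-11f1-9e6e-001a2b3c4d5e").bytes_le   # made-up MAC 00:1a:2b:3c:4d:5e
    tracker = struct.pack("<4I", 0x60, 0xA0000003, 0x58, 0) + b"ENG-WS-042".ljust(16, b"\x00") \
        + (vol_guid + file_guid) * 2                                         # Droid, DroidBirth
    return header + link_info + string_data + tracker + struct.pack("<I", 0)  # terminal block

if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:16} {v}")
```

Point `parse_lnk(open(path, "rb").read())` at a real file from Recent\ to get the same dictionary. The timestamps it returns are the embedded target timestamps; the LNK’s own creation and modification times still have to come from the file system ($MFT) as described above.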
What It Reveals
LNK files answer a specific set of investigative questions that are frequently decisive in insider threat, data exfiltration, and intellectual property theft cases:
- Did the user open a specific file? — The existence of a LNK file in the Recent Items folder shows that the user opened the target through the Windows shell. The LNK file’s own $MFT creation timestamp records when the first access occurred.
- What was the full path to the file? — The LocalBasePath or CommonNetworkRelativeLink field, together with CommonPathSuffix, stores the complete path, including drive letter or share, directory structure, and filename.
- Was the file on a network share? — If the CommonNetworkRelativeLink field is populated, the target was on a network share. The full UNC path (server name, share name, subdirectory, filename) is preserved even after the share is disconnected or the server is decommissioned.
- Was the file on a USB device? — The VolumeID.DriveSerialNumber and VolumeID.VolumeLabel fields identify the volume, and a DriveType of DRIVE_REMOVABLE (2) is a further hint. USBSTOR registry keys record the device’s own serial number, not the volume serial, so the usual bridge is the EMDMgmt key (where present), whose subkey names pair the device instance path with the volume label and the volume serial in decimal.
- What was the file size at the time of access? — The FileSize field records the target’s size in bytes at the time the LNK was created or updated.
- What were the target’s timestamps? — The embedded CreationTime, AccessTime, and WriteTime fields capture the target file’s MAC timestamps as they existed at the moment of access.
- What machine created the LNK? — The TrackerDataBlock (ExtraData) in some LNK files contains the MachineID (NetBIOS name) and DroidBirth fields; the file object GUID in DroidBirth is a version-1 UUID whose node field carries the MAC address of the machine that created it.
- How many files from a specific location were accessed? — Enumerating all LNK files with a common UNC prefix or volume serial number quantifies the scope of access to a particular share or device.
In a typical insider threat investigation, finding 14 LNK files with UNC paths pointing to \\FS01\Engineering\Source-Code\ in the Recent Items folder of a departing employee — especially when combined with SRUM data showing concurrent large outbound transfers — provides a two-artifact chain proving both access and exfiltration that is extremely difficult to refute.
Forensic Use Cases
1. File Access Proof After Deletion
A departing employee deletes sensitive documents from their workstation and empties the Recycle Bin before their exit interview. The original files no longer exist on disk, and $UsnJrnl entries may have rolled over. However, LNK files in the Recent Items folder prove the employee opened \\FS01\Exec\Board-Deck-Q4-2025.pptx, \\FS01\Exec\Acquisition-Target-Analysis.xlsx, and 12 other files from the executive file share over the preceding two weeks. Each LNK preserves the full UNC path, the target file size, and the target’s last-modified timestamp.
2. Network Share Access Evidence
An investigation reveals that confidential HR compensation data was leaked. The suspect claims they never accessed the HR file share. LNK files in their Recent Items folder contain entries with CommonNetworkRelativeLink values pointing to \\HR-FS\Compensation\2026-Salary-Bands.xlsx and \\HR-FS\Compensation\Exec-Bonus-Schedule.pdf. The LNK file’s $MFT creation timestamp places the access two days before the leak appeared on an external forum. The network share has since been restructured and the original path no longer exists, but the LNK preserves the evidence.
3. USB Device File Access
An employee is suspected of copying proprietary source code to a personal USB drive. LNK files show targets with LocalBasePath values like E:\Projects\firmware-v3.2\main.c, a DriveType of DRIVE_REMOVABLE, and a VolumeID.DriveSerialNumber that, converted to decimal, matches an entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt whose device instance path leads to a device cataloged in the HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR registry key. The VolumeLabel reads “SANDISK-32G”. Together, these show the user not only connected the device but actively navigated its contents and opened specific files.
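The volume-to-device correlation above is easy to get wrong, because USBSTOR holds the device’s hardware serial while the LNK holds the volume serial. The following added example (not from the page or from any registry tool) does the conversion and the match against EMDMgmt subkey names, which embed the volume label and the decimal volume serial. EMDMgmt is maintained for ReadyBoost evaluation and is often absent on systems with SSDs, so treat it as a bonus, not a given. The key names below are constructed for illustration, as are the device and volume serials.

```python
import re

EMDMGMT_PATH = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt"
USBSTOR_PATH = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Constructed EMDMgmt subkey names (not from a real system), in the layout Windows writes:
#   _??_USBSTOR#<device id>#<instance id>#{volume class GUID}<VolumeLabel>_<VolumeSerialDecimal>
SAMPLE_EMDMGMT_KEYS = [
    r"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001230201111222&0#"
    r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SANDISK-32G_2712847316",
    r"_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#0019E06B1A2B3C4D&0#"
    r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}KINGSTON_3735928559",
    r"_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#6&2a1b3c4d&0#"   # no unique hardware serial
    r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_305419896",                    # and no volume label
]

KEY_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#\{[0-9A-Fa-f-]+\}(?P<label>.*)_(?P<volser>\d+)$")

def lnk_serial_to_int(serial_hex):
    """LNK parsers print DriveSerialNumber as 'A1B2-C3D4'; EMDMgmt stores the same 32-bit value in decimal."""
    return int(serial_hex.replace("-", ""), 16)

def parse_emdmgmt_key(name):
    """Split an EMDMgmt subkey name into device id, instance id, volume label and decimal volume serial."""
    m = KEY_RE.match(name)
    if not m:
        return None
    inst = m["instance"]
    generated = inst[1:2] == "&"   # '&' as the second character: Windows made the ID up, no unique hardware serial
    return {
        "device": m["device"],
        "instance_id": inst,
        "device_serial": inst if generated else inst.split("&")[0],
        "windows_generated_id": generated,
        "volume_label": m["label"] or None,
        "volume_serial": int(m["volser"]),
        "usbstor_key": "\\".join((USBSTOR_PATH, m["device"], inst)),   # where to verify the device itself
    }

def match_lnk_to_usb(lnk_volume_serial_hex, lnk_volume_label, emdmgmt_keys):
    """Return the EMDMgmt entries whose decimal volume serial equals the LNK's DriveSerialNumber."""
    want = lnk_serial_to_int(lnk_volume_serial_hex)
    hits = []
    for name in emdmgmt_keys:
        entry = parse_emdmgmt_key(name)
        if entry and entry["volume_serial"] == want:
            entry["label_matches"] = entry["volume_label"] == lnk_volume_label
            hits.append(entry)
    return hits

if __name__ == "__main__":
    # Serial and label as a LNK parser would report them for the scenario above (constructed values)
    for hit in match_lnk_to_usb("A1B2-C3D4", "SANDISK-32G", SAMPLE_EMDMGMT_KEYS):
        print(f"LNK volume A1B2-C3D4 -> {hit['device']} serial {hit['device_serial']}")
        print(f"  verify under {hit['usbstor_key']} (label match: {hit['label_matches']})")
```

On a live system or a mounted SOFTWARE hive the key names come from enumerating the subkeys of EMDMGMT_PATH; a match on serial but not on label usually means the volume was relabelled or reformatted with the same serial preserved, which is itself worth noting in the report. A `windows_generated_id` of True means the instance ID is not unique across machines, so the USBSTOR entry alone cannot identify one physical stick.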
4. Document Staging Before Exfiltration
In data exfiltration cases, subjects often stage files in a temporary directory before uploading them. LNK files can reveal this pattern: Recent Items may show sequential access to C:\Users\jdoe\Desktop\upload\contract-001.pdf through contract-047.pdf, establishing that the user opened and reviewed each file in the staging directory. When combined with SRUM data showing a cloud sync tool transferring the equivalent volume during the same time window, the staging-then-exfiltration workflow is fully documented.
5. Application Execution Evidence
While Prefetch is the primary execution artifact, LNK files in the Start Menu and taskbar provide supplementary evidence. If a user launched a portable application (e.g., E:\Tools\WinSCP-Portable.exe) from a USB drive, a LNK file may be created recording the full path. This is particularly valuable when Prefetch has been disabled (common on SSDs with older Windows configurations) or cleared by anti-forensics tools.
Acquisition Methods
LNK files in the Recent Items folder are not locked by the operating system and can be directly copied from a live system. However, ensure you collect from all relevant locations: Recent\, Recent\AutomaticDestinations\, and Recent\CustomDestinations\. Jump List files (.automaticDestinations-ms) are OLE compound files containing embedded LNK streams and a DestList index, and require specialized parsing. A plain file copy preserves the LNK contents but not reliably the LNK file’s own NTFS creation time, which is the first-access evidence; take those timestamps from the $MFT (collect $MFT and $UsnJrnl alongside, or work from the image) rather than from the copied files.
Live System — Direct Copy
```batch
:: Copy all LNK files from the user's Recent Items
robocopy "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent" C:\Evidence\LNK_Files *.lnk /S
:: Copy Jump List files (contain embedded LNK streams)
robocopy "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" C:\Evidence\JumpLists_Auto
robocopy "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" C:\Evidence\JumpLists_Custom
:: Also collect Desktop shortcuts for supplementary evidence
robocopy "C:\Users\jdoe\Desktop" C:\Evidence\Desktop_LNK *.lnk
```
Live System — KAPE Collection
```batch
:: Using KAPE to collect all LNK and Jump List artifacts
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target LNKFilesAndJumpLists
:: Using Velociraptor (remote collection via VQL)
:: Artifact: Windows.KapeFiles.Targets with target "LNKFilesAndJumpLists"
```
Forensic Image — Direct Extraction
```bash
# Mount the forensic image (read-only)
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence
# Copy LNK and Jump List files per user profile. Separate output folders per user
# avoid collisions: Jump List file names are AppID-based and repeat across users.
for rec in /mnt/evidence/Users/*/AppData/Roaming/Microsoft/Windows/Recent; do
  user=${rec#/mnt/evidence/Users/}; user=${user%%/*}
  mkdir -p "/analysis/lnk/$user" "/analysis/jumplists/$user"
  find "$rec" -name "*.lnk" -exec cp -p {} "/analysis/lnk/$user/" \;
  cp -p "$rec"/AutomaticDestinations/* "$rec"/CustomDestinations/* "/analysis/jumplists/$user/" 2>/dev/null
done
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| LECmd | Eric Zimmerman | Free | CSV / JSON | Industry standard; parses LNK files and extracts all metadata fields including ExtraData blocks |
| JLECmd | Eric Zimmerman | Free | CSV / JSON | Companion to LECmd; parses Jump List files (.automaticDestinations-ms) with embedded LNK streams |
| lnk_parser | Community | Open source (Python) | Text / CSV | Python-based parser; useful for scripted analysis pipelines |
| exiftool | Phil Harvey | Open source (Perl) | Text / JSON / CSV | Extracts metadata from many file types including LNK; useful for quick triage |
| Windows File Analyzer | MiTeC | Freeware | GUI | GUI-based LNK parser with visual timeline; good for presentations |
| Autopsy | Basis Technology | Open source | GUI + report | Full forensic platform; includes LNK parsing module in Recent Activity ingest |
Parsing with LECmd
```batch
:: Parse a single LNK file
LECmd.exe -f "C:\Evidence\LNK_Files\Q4-Report.xlsx.lnk" --csv C:\Analysis\LECmd_Output
:: Parse all LNK files in a directory recursively
LECmd.exe -d C:\Evidence\LNK_Files --csv C:\Analysis\LECmd_Output -q
:: Key output columns (confirm against the header row of the LECmd version in use):
:: SourceFile, SourceCreated, SourceModified, SourceAccessed   (the LNK file's own timestamps)
:: TargetCreated, TargetModified, TargetAccessed, FileSize      (embedded target timestamps and size)
:: LocalPath, NetworkPath, CommonPath, TargetIDAbsolutePath
:: DriveType, VolumeSerialNumber, VolumeLabel, MachineID, MachineMACAddress
```
Parsing Jump Lists with JLECmd
```batch
:: Parse all Jump List files in AutomaticDestinations
JLECmd.exe -d C:\Evidence\JumpLists_Auto --csv C:\Analysis\JLECmd_Output -q
:: Jump Lists correlate file access to specific applications
:: e.g., which files were opened in Word vs. Excel vs. Notepad
```
Analysis Script — Network Share Access Summary
```python
# Identify all network share paths accessed via LNK files, from LECmd CSV output
import ntpath
import pandas as pd

df = pd.read_csv('/analysis/lnk/LECmd_Output.csv')

# Column names follow LECmd's CSV layout (NetworkPath = share from the
# CommonNetworkRelativeLink, CommonPath = path suffix); confirm them against the
# header row of the LECmd version in use.
network = df[df['NetworkPath'].notna()].copy()
common = network['CommonPath'].fillna('') if 'CommonPath' in network.columns else pd.Series('', index=network.index)
network['FullPath'] = [ntpath.join(n, c) if c else n for n, c in zip(network['NetworkPath'], common)]
network['Folder'] = network['FullPath'].map(ntpath.dirname)   # group by share folder, not by file
for col in ('SourceCreated', 'SourceModified'):
    network[col] = pd.to_datetime(network[col], errors='coerce')

# Per folder: how many files, first and most recent access (from the LNK's own
# timestamps), and the total target size
summary = network.groupby('Folder').agg(
    FilesAccessed=('SourceFile', 'count'),
    FirstAccess=('SourceCreated', 'min'),
    LastAccess=('SourceModified', 'max'),
    TotalSize=('FileSize', 'sum'),
).sort_values('FilesAccessed', ascending=False)
print(summary.to_string())
```
Sample Output
```text
Folder                           FilesAccessed  FirstAccess       LastAccess        TotalSize
\\FS01\Engineering\Source-Code              14  2026-02-01 09:14  2026-02-14 16:42  847,293,440
\\FS01\HR\Compensation                       3  2026-02-10 11:30  2026-02-12 14:15    2,457,600
\\FS01\Exec\Board-Materials                  2  2026-02-13 08:45  2026-02-13 09:12   15,728,640
\\PRINT-SRV\Scans                            1  2026-01-22 13:00  2026-01-22 13:00    4,194,304
```
Fourteen files accessed from the Engineering source code share over a two-week period, totaling 808 MB, represent systematic collection rather than incidental access. The timing — concentrated in the two weeks before the employee’s resignation — aligns with a pre-departure data gathering pattern. Cross-correlate with SRUM data to determine whether this volume was subsequently uploaded.
Retention & Persistence
| Property | Behavior |
|---|---|
| Creation trigger | File opened through Windows Explorer, Start Menu, or taskbar |
| Update trigger | Same file opened again; LNK modification timestamp updates |
| Retention period | Indefinite — LNK files persist until manually deleted or cleaned by a tool |
| Survives reboot | Yes — standard files on disk |
| Survives target file deletion | Yes — the LNK is independent of the target |
| Survives network share disconnection | Yes — the UNC path is embedded in the LNK binary |
| Survives USB removal | Yes — the volume serial and path are embedded |
| Maximum count (Recent Items) | Windows maintains a rolling limit (typically 149 entries in Windows 10/11); oldest entries are removed when the limit is exceeded |
| Jump List retention | Per-application; typically 20–25 most recent files per application |
While individual LNK files persist indefinitely, Windows enforces a cap on the Recent Items folder (typically 149 entries). When a new file is opened and the limit is reached, the oldest LNK file is automatically removed. In high-activity environments, relevant LNK files may age out within days. For Jump Lists, each application maintains its own rolling window of approximately 20–25 entries. Always collect as early as possible in the investigation. Note also that no Recent Items LNK files are written at all when the “Do not keep history of recently opened documents” policy (NoRecentDocsHistory under Policies\Explorer) is enforced, or when the user has turned off “Show recently opened items” in Settings; an empty Recent folder is therefore not by itself evidence of cleanup, and the policy value should be checked before drawing that conclusion.
Anti-Forensics Resilience
LNK files have a notable anti-forensics weakness compared to system-level artifacts like SRUM: they reside in the user’s profile directory and are standard files that can be deleted without elevated privileges. However, most cleanup tools do not target them by default.
| Tool | Clears LNK Files? | Explanation |
|---|---|---|
| CCleaner | Only if opted in | “Windows Explorer — Recent Documents” must be explicitly checked. This option is not enabled by default. Most users run CCleaner without enabling this. |
| BleachBit | Only if opted in | Has a “Recent Documents” cleaner, but it is not selected by default in a standard clean operation. |
| Windows Disk Cleanup | No | Does not target Recent Items or Jump Lists. |
| Browser cleanup | No | Clearing browser data has no effect on LNK files; these are OS-level, not browser-level artifacts. |
| Manual deletion | Possible | User can navigate to %APPDATA%\Microsoft\Windows\Recent\ and delete files. Requires knowing the path. Leaves $UsnJrnl and $MFT evidence of the deletion. |
| Eraser / SDelete | Only if targeted | Requires the user to specifically target the Recent Items path. Not part of standard secure-delete workflows. |
| Jump List clearing | Partial | Right-clicking the taskbar and clearing recent items removes Jump List entries but does not clear the Recent folder LNK files. |
Most anti-forensics efforts focus on browser history, Prefetch, temp files, and the Recycle Bin. The Recent Items folder is rarely targeted because most users do not know it exists, and CCleaner’s “Recent Documents” option is not enabled by default. In our case work, we find intact LNK files in the majority of insider threat investigations even when the subject used cleanup tools.
MITRE ATT&CK Detection Mapping
LNK file analysis provides evidentiary support for detecting the following MITRE ATT&CK techniques:
| Technique | Name | LNK Evidence |
|---|---|---|
| T1005 | Data from Local System | LNK files prove specific local files were opened; volume serial numbers tie access to specific drives |
| T1039 | Data from Network Shared Drive | UNC paths in LNK files prove network share access; enumerate the scope of collection across shares |
| T1074 | Data Staged | LNK files showing sequential access to files in a staging directory (e.g., Desktop\upload\) prove staging activity |
| T1052 | Exfiltration Over Physical Medium | LNK files with volume serials matching USB devices prove file access on removable media |
Related Artifacts & Case Studies
Corroborating Artifacts
| Artifact | Relationship to LNK Files | Cross-Correlation Value |
|---|---|---|
| SRUM.db | SRUM records network transfer volumes per application per hour | LNK files prove which files were accessed; SRUM proves how much data was transferred afterward |
| $MFT | Master File Table timestamps for the LNK file itself | $MFT creation time of the LNK = first access; modification time = most recent access |
| $UsnJrnl | Change journal records LNK creation, modification, and deletion events | If LNK files were deleted, $UsnJrnl can prove they existed and when they were removed |
| Jump Lists | AutomaticDestinations files contain embedded LNK streams per application | Jump Lists tie file access to a specific application (Word, Excel, etc.) |
| Shellbags | Registry entries recording folder browsing history | Shellbags prove the user navigated to the directory; LNK files prove they opened specific files |
| USBSTOR / EMDMgmt Registry | USBSTOR records USB device connections (vendor, product, device serial); EMDMgmt, where present, records the volume label and decimal volume serial per device instance | Convert the LNK volume serial to decimal, match it against EMDMgmt, and follow the device instance path to the USBSTOR entry to identify the specific device |
Case Study
The Database That Windows Built — Finding 4 of this investigation identified 14 LNK files proving the departing employee accessed documents on the \\FS01\Engineering\Source-Code network share. The LNK files preserved the full UNC paths even though the employee’s network drive mappings had been revoked. Combined with SRUM data showing 8.5 GB outbound transfers via rclone during the same window, the LNK evidence provided the “what was accessed” proof that SRUM’s “how much was transferred” evidence alone could not supply.
References
- Eric Zimmerman, “LECmd — LNK Explorer Command Line” — https://ericzimmerman.github.io/
- Microsoft, “[MS-SHLLINK]: Shell Link (.LNK) Binary File Format” — https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/
- SANS Institute, “Windows Forensic Analysis — LNK Files and Jump Lists” — https://www.sans.org/blog/
- 13Cubed, “LNK Files and Jump Lists for DFIR” — https://www.13cubed.com/blog
- ForensicArtifacts.com, “Windows LNK File Artifact Definition” — https://github.com/ForensicArtifacts/artifacts
- Phil Harvey, “ExifTool — Read, Write and Edit Meta Information” — https://exiftool.org/
- Eric Zimmerman, “JLECmd — Jump List Explorer Command Line” — https://ericzimmerman.github.io/
- Harlan Carvey, “Windows Registry Forensics” — Syngress Publishing
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in LNK file analysis, network share access investigations, and insider threat cases where file access proof is critical to the engagement outcome.
mjolnirsecurity.com — 24/7: +1 833 403 5875