What is the “Recent Lnks” Windows forensic artifact?

LNK files, commonly known as shortcuts, are small files that point to another file, folder, or application. While users can create them manually, Windows automatically creates LNK files in the user’s “Recent” folder whenever a file is opened or saved. This specific folder is located at %AppData%\Microsoft\Windows\Recent. These automatically generated shortcuts provide a chronological record of files that the user has recently interacted with.

The forensic value of LNK files extends far beyond simply being a pointer. Each LNK file is a complex data structure that embeds a wealth of metadata about its target. This includes the original path of the target file, timestamps for when the target was created and last modified, and, critically, information about the volume where the target was stored (including volume serial number, type, and network share name). For a DFIR investigator, this means a LNK file can prove that a specific file existed on a system at a point in time, even if that file has since been deleted. It can also show that a user accessed files from a specific USB drive or network share, providing crucial evidence of data movement or malware introduction from an external source.
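To make the embedded metadata concrete, here is an added example (not TensorGuard code) that reads the target timestamps and the volume details from the ShellLinkHeader and LinkInfo/VolumeID structures defined in Microsoft's MS-SHLLINK specification. The sample LNK is constructed inline: its label, path, serial number and timestamps are made up. The parser assumes an ANSI volume label and local path.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; None if unset."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    """Return target timestamps plus volume details from a .lnk byte string."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, _attrs, ctime, atime, mtime, size = struct.unpack_from("<IIQQQI", data, 20)
    out = {"target_created": filetime(ctime), "target_accessed": filetime(atime),
           "target_modified": filetime(mtime), "target_size": size}
    pos = 76
    if flags & 0x1:                      # HasLinkTargetIDList: skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:                  # HasLinkInfo clear: no volume data
        return out
    li_size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    info = data[pos:pos + li_size]
    if li_flags & 0x1:                   # VolumeIDAndLocalBasePath (ANSI label assumed)
        _vsz, dtype, serial, label_off = struct.unpack_from("<4I", info, vol_off)
        out.update(drive_type=DRIVE_TYPES.get(dtype, "unknown"),
                   volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                   volume_label=cstr(info, vol_off + label_off),
                   local_base_path=cstr(info, path_off))
    return out

def build_sample():
    """Constructed minimal LNK (not from a real system): header + LinkInfo."""
    times = [int((datetime(2024, 3, d, 9, tzinfo=timezone.utc) - EPOCH)
                 .total_seconds()) * 10**7 for d in (1, 2, 2)]
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x2, 0x20, *times,
                      20480, 0, 1, 0, 0, 0, 0)
    label, path = b"EVIDENCE\0", b"E:\\reports\\q1.xlsx\0"
    vol = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    suffix_off = 28 + len(vol) + len(path)
    li = struct.pack("<7I", suffix_off + 1, 28, 0x1, 28, 28 + len(vol), 0, suffix_off)
    return hdr + li + vol + path + b"\0"  # trailing NUL = empty CommonPathSuffix
```

Calling parse_lnk(build_sample()) reports a removable drive with serial 1A2B-3C4D and the original path on E:, which is the kind of evidence that survives after the target file or the USB device is gone. Real LNK files also carry an IDList and extra data blocks, which this example skips or ignores.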


Collecting, Decoding, and Viewing “Recent Lnks” with TensorGuard

  1. Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
  2. Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
  3. Download the TensorGuard Forensic Collector, which is linked inside the case menu, and run it on your target system.
  4. In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
  5. Now that you have a device enrolled, select the device(s) and click “Send Signal”. Answer the questions about what you want to look for in the analysis, whether to alert on positive findings, and whether the collection and analysis should be recurring.
  6. Once the report is generated, you’ll have Recent Lnks delivered in the browser, alongside an executive summary and timeline of findings.


Start with a Compromise Assessment.

The best way to see the power of TensorGuard is to use it. For a simple, flat fee, we will conduct a full, AI-powered Compromise Assessment on a selection of your critical systems.