Skip to content
AIR Knowledge Base

Collect LNK Files

Overview

Section titled “Overview”

Evidence: Collect LNK Files
Description: Collect LNK Files
Category: System
Platform: windows
Short Name: lnkscol
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Section titled “Background”

Windows shortcut (.lnk) files record metadata about target files and execution. This data is essential for identifying file launches and user activity.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about collect lnk files.

Collection Method

Section titled “Collection Method”

This collector searches common paths for .lnk files across drives, copies them, and records file timestamps into lnk_collected_files.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations as .lnk artifacts can reveal execution paths and accessed files even if originals are deleted.