Skip to content
AIR Knowledge Base

Parse LNK Files

Overview

Section titled “Overview”

Evidence: Parse LNK Files
Description: Parse LNK Files
Category: System
Platform: windows
Short Name: lnks
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Section titled “Background”

Parsing Windows shortcut (.lnk) files reveals target paths, timestamps, and execution parameters. This data is essential for confirming program launches and file access.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about parse lnk files.

Collection Method

Section titled “Collection Method”

This collector walks common paths, parses .lnk files using a structured parser, and records target metadata and LNK metadata into lnk_files.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations as .lnk contents provide strong traces of user actions and program execution.