Summary of the previous part: Police received an online tip that a gangster, Cuong, was involved in manufacturing and trafficking drugs. They seized a laptop computer and several USB flash drives at his home and sent them to the laboratory for forensic analysis.
Forensic personnel created images of the evidence, carried out evidence processing, and began the forensic analysis. They learned that the operating system on Cuong's computer was Windows 10 Professional 64-bit, that the local hard disk partitions were C and E, and that drive D was the CD-ROM, as shown.
No drug-related traces were found when reviewing the contents of documents or the web browsing records. However, the LNK file analysis results revealed a large number of suspicious file access traces, all related to drugs, as shown, including documents on the characteristics, ingredients, production methods and so on of ecstasy, heroin, ketamine, methamphetamine and FM2. Forensic staff carefully reviewed the file paths that these LNK files point to: they all begin with F:\, which is not one of the local drive letters C, D or E, so drive letter F should be an external storage device. However, examining the USB flash drives used by Cuong turned up no relevant file content. The volume serial numbers of those USB devices were compared against the trace analysis results, and none matched the "2cc8-5685" (shown in the red box) obtained from parsing the LNK files. Of course, if a USB drive is formatted, the new partition's volume serial number will differ from the previous one, so this possibility cannot be ruled out.
Looking again at the other LNK files, one named Data2.vhd.lnk (as shown) caught the attention of the forensic personnel. They judged that it was probably the key to how Cuong made the drug-related files "invisible", so they mounted data2.vhd on the forensic workstation. Sure enough, it was a virtual disk, and the files stored in it had exactly the file names that the LNK analysis results pointed to.
Relying on experience and judgment, the forensic personnel did not dismiss .vhd as an unfamiliar, odd extension, and in the end they found the key files that brought the gangster to justice.
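The serial-number comparison described above can be scripted. The following is an added example, not code from the original article: it reads the drive type, volume serial number and local base path from the LinkInfo structure of a .lnk file (layout per the MS-SHLLINK specification) and lists LNK targets whose volume serial matches none of the examined media. The sample files, their paths, the known-serial list and the cp1252 code page are assumptions made for the demonstration; only the serial 2CC8-5685 comes from the article.

```python
import struct

DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk_volume(data):
    """Return drive type, volume serial and local base path from .lnk bytes."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & 0x01:            # HasLinkTargetIDList: skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x02:        # no LinkInfo, so no volume data recorded
        return None
    li_flags, vol_off, path_off = struct.unpack_from("<III", data, pos + 8)
    if not li_flags & 0x01:     # no VolumeID/LocalBasePath (e.g. network target)
        return None
    drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
    start = pos + path_off      # ANSI string; cp1252 is an assumption here
    path = data[start:data.index(b"\0", start)].decode("cp1252", "replace")
    return {"drive_type": DRIVE_TYPES.get(drive_type, "unknown"),
            "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}", "path": path}

def unmatched_volumes(lnk_blobs, known_serials):
    """Map each volume serial absent from the examined media to its LNK targets."""
    known = {s.upper() for s in known_serials}
    missing = {}
    for blob in lnk_blobs:
        info = parse_lnk_volume(blob)
        if info and info["serial"] not in known:
            missing.setdefault(info["serial"], []).append(info["path"])
    return missing

def build_sample_lnk(path, serial, drive_type=3):
    """Constructed test input: header + LinkInfo only, empty volume label."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x02).ljust(0x4C, b"\0")
    volume_id = struct.pack("<IIII", 0x11, drive_type, serial, 0x10) + b"\0"
    raw_path = path.encode("cp1252") + b"\0"
    path_off = 0x1C + len(volume_id)
    body = volume_id + raw_path + b"\0"      # trailing NUL = empty CommonPathSuffix
    info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x01, 0x1C, path_off,
                       0, path_off + len(raw_path))
    return header + info + body

SAMPLES = [build_sample_lnk(r"F:\docs\file1.doc", 0x2CC85685),   # constructed
           build_sample_lnk(r"E:\work\report.doc", 0x1A2B3C4D)]  # constructed
KNOWN_SERIALS = ["1a2b-3c4d"]   # hypothetical serials of the examined volumes
```

Calling `unmatched_volumes(SAMPLES, KNOWN_SERIALS)` returns the F:\ target grouped under serial 2CC8-5685, the kind of unmatched volume that in the case above turned out to be a mounted virtual disk.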
Windows 10 LNK file analysis