| Author | Message | ||
     Ross@WinPro.net |
Does anyone have (or know where to find) a WinHex template for the contents of a Windows .lnk file? Not the file entry for the lnk but the file contents - for a FAT 32 system. Thank you in advance, Ross@WinPro.net | ||
| Steve Guty |
Did you ever find one? I'm working on a UW class project to analyze whether data can be traced to removable USB devices; I'd started to look into creating a template for .lnk files, but certainly wouldn't turn down an already-extant template if it exists. | ||
| Steve Guty |
FWIW, I was able to use Jesse Hager's article on .lnk file structures to create a pair of templates, one for .lnks that have unicode strings, and one for those that don't. They recover dates and times for creation/modification/access, along with volume and medium info (media types, serial numbers, volume labels) and the like. I'd be happy to post them here or email them to anyone interested. | ||
| Stefan Fleischmann (Admin) |
Thank you very much. May I also post them here? | ||
| Steve Guty |
Sure! Let me clean up some of the testing components and flesh out the comments a bit, and I'll e-mail them to you later today. | ||
| starix@safe-mail.net Username: starix Registered: N/A |
There is mistake in http://www.x-ways.net/winhex/templates/LNK%20FILE%20Record.tpl Line 99: char16[Length_CMDLINE$] "Icon String" MUST be: char16[Length_Icon$] "Icon String" plz change the template, thx! | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
Thank you. For other readers, please be advised that X-Ways Forensics presents .lnk files natively in a nice human-readable way. |