If you wanted to build a car from scratch, it would be smart to first know the different components of a car. Why should an investigation involving computers be any different? That is why Digital Forensic Investigators go beyond what the average user can see, and search under “the hood” of the Operating System (OS).

• MAC times of the original file; not only will a LNK file contain timestamps for the LNK file itself, it will also contain MAC times for the linked file within its metadata as well
• Information about the volume and system where the LNK file is stored.
How can I be certain if a user accessed a file on their Windows PC?

The Shorthand Answer: There are multiple methods at an investigator’s disposal that provide significant proof a user’s account has accessed a file. One of these is the .LNK file (shortcut file). The Windows OS has blessed investigators with multiple system files holding incredible amounts of system knowledge. Although their intended purpose is to allow the OS to run as efficiently and properly as possible, these “behind-the-scenes” files can help disclose secrets about what happened on the computer. A .lnk file is automatically created any time a user opens a file locally or remotely for the first time. This file can tell an investigator:
• Whether the user has accessed a specific file
• The name of the file
• The original path to the target file (the file it is referencing)
• MAC (Modified, Accessed, Created) timestamps of the target file and the .lnk file
• The size of the target file
• Attributes of the target file (read-only, hidden, system)

In this DFS post we will be discussing the concept of forensic artifacts and “.LNK” files, with the hope that you can better understand the tactics of a Digital Forensic Examiner.
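As an added example (not code from the original post), here is a minimal Python parser for the fixed 76-byte header that every .lnk file starts with, as laid out in Microsoft's MS-SHLLINK specification. It shows where the target file's MAC times, size and attributes listed above are stored; the function names are this example's own and the sample bytes are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# 76-byte ShellLinkHeader (MS-SHLLINK): size, CLSID, link flags, file attributes,
# creation/access/write FILETIMEs, file size, then icon/show/hotkey/reserved.
HEADER = struct.Struct("<I16sIIQQQIiIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ATTRS = {0x1: "read-only", 0x2: "hidden", 0x4: "system",
         0x10: "directory", 0x20: "archive"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_lnk_header(data):
    """Return the target file's metadata recorded in a .lnk header."""
    if len(data) < HEADER.size:
        raise ValueError("too short to be a shell link")
    (size, clsid, _flags, attrs, ctime, atime, mtime,
     target_size, *_rest) = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(mtime),
        "target_size": target_size,  # low 32 bits of the target's size
        "target_attributes": [n for bit, n in ATTRS.items() if attrs & bit],
    }


# Constructed sample: header for a hidden, read-only 2048-byte target.
SAMPLE_TIME = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = HEADER.pack(0x4C, LINK_CLSID, 0, 0x1 | 0x2,
                     utc_to_filetime(SAMPLE_TIME), 0,
                     utc_to_filetime(SAMPLE_TIME), 2048, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE).items():
        print(f"{key}: {value}")
```

These header values describe the target as it was when the shortcut was last written; the .lnk file's own MAC times come from the file system, not from these fields.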
Behind the Curtain & Artifacts

When a standard computer user opens a file, although he/she may notice no changes to his/her computer, there are many actions going on in the background. Multiple system files are being written to, logging helpful information such as time/date, file path, file name, etc. These background processes help Windows run smoothly with abundant error checking and logging. If an error were ever to arise, the data could help determine how the issue occurred. This same information can be very helpful to a computer forensic investigator. Referred to as “Forensic Artifacts”, these Windows system files can help accurately reveal past actions of a user’s account. Everything from user login, to file opening, to USB thumbdrive use, are potentially logged within these files.
Forensic Artifacts

Think of this like an archaeological dig where we are uncovering clues about past civilizations. However, instead of looking at pottery and arrowheads, we are sifting through files that reside within the Windows Operating System. There are quite a few forensic artifacts, each serving a special role in investigations. Some artifacts are specific to a single user and others may be system-wide. Here are just a few examples of forensic artifacts:
• Prefetch: lists all files quickly called by an application, to better optimize start up and efficiency of the application.