analyzing-lnk-file-and-jump-list-artifacts


Analyzing LNK File and Jump List Artifacts

Overview

Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.
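As an added example that is not part of this skill page (and uses only the Python standard library rather than pylnk3 or LnkParse3), the parser below reads the ShellLinkHeader timestamps and the TrackerDataBlock of an LNK file, which is where the NetBIOS name and MAC address mentioned above are stored: the file's object ID is a version-1 UUID whose node field is the MAC of the host that created the link. The sample LNK bytes are constructed inline and are not a real artifact.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003                        # TrackerDataBlock signature
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # name, relative path, working dir, args, icon
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)      # FILETIME epoch
EPOCH_1582 = datetime(1582, 10, 15, tzinfo=timezone.utc)    # UUIDv1 epoch

def parse_lnk(data):
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags, _attrs, ctime, atime, wtime, _fsize = struct.unpack_from("<IIQQQI", data, 20)
    info = {k: EPOCH_1601 + timedelta(microseconds=ft // 10)    # FILETIME: 100 ns ticks
            for k, ft in (("created", ctime), ("accessed", atime), ("modified", wtime))}
    off = 0x4C                                   # skip optional structures to reach ExtraData
    if flags & HAS_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:
        off += struct.unpack_from("<I", data, off)[0]
    for flag in STRING_FLAGS:                    # StringData: CountCharacters + characters
        if flags & flag:
            off += 2 + (2 if flags & IS_UNICODE else 1) * struct.unpack_from("<H", data, off)[0]
    while off + 8 <= len(data):                  # walk ExtraData blocks
        bsize, sig = struct.unpack_from("<II", data, off)
        if bsize < 4:
            break                                # TerminalBlock
        if sig == TRACKER_SIG:
            info["netbios_name"] = data[off + 16:off + 32].rstrip(b"\0").decode("ascii", "replace")
            droid = uuid.UUID(bytes_le=data[off + 48:off + 64])   # file object ID, a UUIDv1
            if droid.version == 1:               # node field = MAC, time field = ID creation time
                info["mac"] = ":".join("%02x" % b for b in droid.node.to_bytes(6, "big"))
                info["droid_time"] = EPOCH_1582 + timedelta(microseconds=droid.time // 10)
        off += bsize
    return info

# Constructed sample LNK (not a real artifact): header, Unicode NAME_STRING, TrackerDataBlock.
_DROID = uuid.UUID("2f3b8c10-5e6f-11ee-8000-0050569e1234")   # UUIDv1, node 00:50:56:9e:12:34
_FT = 133485408000000000                                     # 2024-01-01 00:00:00 UTC as FILETIME
SAMPLE_LNK = (
    struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x04 | IS_UNICODE, 0x20,
                _FT, _FT, _FT, 4096, 0, 1, 0, 0, 0, 0)
    + struct.pack("<H", 5) + "notes".encode("utf-16-le")
    + struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"WORKSTATION-01".ljust(16, b"\0")
    + uuid.UUID(int=0).bytes_le + _DROID.bytes_le + uuid.UUID(int=0).bytes_le + _DROID.bytes_le
    + struct.pack("<I", 0)                                   # TerminalBlock
)
```

The droid timestamp is the moment the file's object ID was generated, which is independent of the target's MFT timestamps and is therefore useful for spotting timestomped targets.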

When to Use

  • When investigating security incidents that require analyzing LNK file and Jump List artifacts
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • LECmd (Eric Zimmerman) for LNK file parsing
  • JLECmd (Eric Zimmerman) for Jump List parsing
  • Python 3.8+ with the pylnk3 or LnkParse3 library
Installs: 47
GitHub Stars: 6.3K
First Seen: Mar 15, 2026