LNK Files and NTFS Anomaly
Posted by Paul Bobby on October 3, 2010
I periodically review LNK files and their timestamps either as a result of case work or because of some strangeness I observe through various experiments that I conduct. My reference for LNK file artifacts and behavior comes from the excellent paper by Harry Parsonage, The Meaning of LIFE.
My most recent encounter with LNK files came when I attempted to show that a file had been opened and ‘Saved As’ to a new file. The following artifacts do not show this; rather, they show a surprising timestamp anomaly within NTFS.
- 2gig thumbdrive formatted NTFS
- LNK files were read from the Office\Recent folder on my Windows XP SP3 machine.
| Double click to open and edit | 7:56pm |
So at approximately 7:55pm I created a new spreadsheet on the thumbdrive called test2test.xlsx, opened it, added some text, and saved the file, closing Excel at 7:57pm.
The following table shows NTFS and LNK file timestamps.
Pretty standard stuff here. The create date of the LNK file is when I first opened the spreadsheet for editing. The internal accessed timestamp is different from the accessed timestamp of test2test.xlsx. This threw me for a while, but it actually makes sense when you examine how Excel operates. Excel creates a temp file for editing (i.e. ~$test2test.xlsx). When Excel closes, the last accessed timestamp of test2test.xlsx is the time when the editing was finished. Why? Because Excel overwrites test2test.xlsx with the contents of ~$test2test.xlsx. However, the internal timestamps in the LNK file do not show this; they show when the actual file test2test.xlsx was opened. The cool thing here is that you can show how long an editing session was.
The anomalous part comes up now…
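An added example, not code from the original post: Python that reads the target timestamps stored in a LNK file's ShellLinkHeader (layout per MS-SHLLINK) and subtracts the internal accessed time from the target's NTFS last accessed time to get the editing-session length described above. The sample header bytes, the 8192-byte size and both timestamps are constructed for illustration, and `editing_session` is a hypothetical helper name.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK): 76 bytes, little-endian.
HEADER = struct.Struct("<I16sIIQQQIIIH10x")
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_lnk_header(data):
    """Return the target's timestamps as recorded inside the shortcut."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ShellLinkHeader")
    size, clsid, _flags, _attrs, ctime, atime, wtime, fsize, *_ = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    return {"created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "written": filetime_to_dt(wtime), "size": fsize}


def editing_session(lnk_bytes, ntfs_accessed):
    """Span from target open (LNK internal accessed) to final save (NTFS accessed)."""
    opened = parse_lnk_header(lnk_bytes)["accessed"]
    if opened is None or ntfs_accessed < opened:
        raise ValueError("timestamps do not bracket one open/close session")
    return ntfs_accessed - opened


# Constructed sample values, not the timestamps from the post's tables.
OPENED = datetime(2010, 10, 1, 19, 56, 0, tzinfo=timezone.utc)
CLOSED = datetime(2010, 10, 1, 19, 57, 30, tzinfo=timezone.utc)
ft = dt_to_filetime(OPENED)
SAMPLE_LNK = HEADER.pack(0x4C, LNK_CLSID, 0, 0x20, ft, ft, ft, 8192, 0, 1, 0)

if __name__ == "__main__":
    print(parse_lnk_header(SAMPLE_LNK)["accessed"].isoformat())
    print("editing session:", editing_session(SAMPLE_LNK, CLOSED))
```

FILETIME values are UTC, so convert the NTFS timestamp from the examiner's tool to UTC before passing it in.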
| Double click to open | 8:15pm |
| Save as test3test.xlsx | 8:15pm |
I opened the file test2test.xlsx, and did a Save As test3test.xlsx.
The following table shows the NTFS and LNK timestamps:
There was no activity between the first set of captured timestamps and the second. The anomalous part is the Last Accessed timestamp for test2test.xlsx. Why 20:02? No idea… The internal timestamps of the test2test.xlsx.lnk file are supposed to be the timestamps of test2test.xlsx at the time the file was opened. But when I finished my testing and started to capture timestamps for this table, the last accessed time had changed. Odd.