Article 4 of Sophisticated Anti-Forensics Tactics and How to Spot Them Series: Timestomping
Similar to the tactics used to identify timestomping by parsing the $MFT using KAPE, .LNK files are another relevant item that can help find indicators of timestomping. A .LNK file is a shortcut that is used to reference an original (source) file, folder or application. A new .LNK file is created when a user opens a file for the first time. These .LNK files can contain target information, including target file name, target created date, target modified date, target accessed date and the location of the original file that the .LNK file is referencing. When a file is timestomped, only the original file’s timestamps change, but not the timestamps of the associated .LNK file. Once a file has been opened after it has been timestomped, the associated .LNK file’s metadata updates to reflect the timestomped value(s) of the original file. This is a monumental indicator of timestomping and makes analysis of .LNK files that much more relevant during an incident response investigation.
In this scenario, the following variables are used:
- Target source: C:\
- Target destination: D:\Tutorial\tout
- Module destination: D:\Tutorial\mout
- Target: LnkFilesAndJumpLists
- Module: LECmd
- Debug messages
Figure 1 shows an example of a file created on the desktop named test.txt. The file was then opened, which generated a .LNK file, test.txt.lnk. KAPE was then used to acquire the relevant artifacts on the workstation and parse them into CSV output. The CSV output can be analyzed using Timeline Explorer in order to examine the Source and Target timestamps.
Figure 1 – test.txt.lnk file shown in Timeline Explorer with Source and Target timestamps before timestomping
Next, we timestomped the test.txt file that resided on the desktop using the Set Time feature in NewFileTime. We then opened the test.txt file to generate updated timestamps within the .LNK file. Using KAPE, we can reacquire and parse the .LNK files to view the updated metadata of the test.txt.lnk file in Timeline Explorer. Figure 2 shows the updated metadata of test.txt.lnk in Timeline Explorer.
Figure 2 – test.txt.lnk file shown in Timeline Explorer with Source and Target timestamps after timestomping
Timestomping the test.txt file only affected the Created (0x10) timestamp within the file’s $MFT entry. This timestamp is stored within a .LNK file as the Target Created timestamp. Because the Source Created timestamp is the Created (0x10) timestamp of the .LNK file itself, it is not touched by the timestomp; opening the test.txt file instead updates the Target Created timestamp within test.txt.lnk to match the timestomped value of test.txt (Figure 2).
With the Source Created timestamp for the .LNK file itself remaining as 2021-10-24 20:04:00, it appears suspicious that the .LNK file was created before the file it points to was created on disk. Since a .LNK file is created when a file is opened for the first time, it would seem unlikely for the Target Created timestamp of test.txt to be a later date than the Source Created timestamp of test.txt.lnk unless there is timestomping involved.
.LNK files do not reference the timestamps in the $MFT for the referenced file in a live manner, and only appear to refresh the target file’s timestamps once the file is opened again. This is important because a threat actor would want to hide the action of timestomping and may not reopen the original file that has been timestomped. However, if the file has been reopened after being timestomped, the associated .LNK file would reflect the timestomped value for the original file in the Target Created timestamp value. Along with additional context, .LNK files can provide useful insight into a threat actor’s activities within a compromised network.
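The Source Created versus Target Created comparison described above can be automated over LECmd's CSV output rather than eyeballed in Timeline Explorer. The following Python script is an added example and is not code from the original article, from KAPE or from LECmd. It assumes the LECmd CSV carries the columns SourceFile, SourceCreated, TargetCreated, TargetModified and LocalPath (LECmd's default column names, assumed here) and that timestamps are written as YYYY-MM-DD HH:MM:SS with optional fractional seconds; the sample rows are constructed, with the first row mirroring the test.txt scenario.

```python
"""Flag .LNK records whose Target Created timestamp is later than the .LNK's
own Source Created timestamp, the timestomping indicator discussed above.

Added example; not part of the original article, KAPE or LECmd. Column names
and timestamp format are assumptions based on LECmd's default CSV output.
"""
import csv
import io
from datetime import datetime

# Constructed sample in the shape of LECmd CSV output; not real case data.
# Row 1: the .LNK was created 2021-10-24 20:04:00, but after timestomping and
#        reopening test.txt its Target Created value reads later than that.
# Row 2: a normal shortcut whose target predates the .LNK.
# Row 3: a record with no target timestamps, which must be skipped.
SAMPLE_CSV = r"""SourceFile,SourceCreated,TargetCreated,TargetModified,LocalPath
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\test.txt.lnk,2021-10-24 20:04:00,2022-01-15 09:30:00,2021-10-24 20:03:45,C:\Users\user\Desktop\test.txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\report.docx.lnk,2021-10-24 21:10:12,2021-10-20 08:00:00,2021-10-24 21:09:50,C:\Users\user\Desktop\report.docx
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\notes.txt.lnk,2021-10-20 12:00:00,,,C:\Users\user\Desktop\notes.txt
"""


def parse_ts(value):
    """Parse an LECmd-style timestamp string; return None for a blank field."""
    value = value.strip()
    if not value:
        return None
    # Drop fractional seconds if present; the comparison only needs whole seconds.
    base = value.split(".")[0]
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S")


def find_suspicious_lnk(csv_text, tolerance_seconds=0):
    """Return records where TargetCreated is later than SourceCreated.

    A shortcut is created when its target is first opened, so the target's
    Created timestamp should not normally be later than the shortcut's own.
    tolerance_seconds lets an analyst ignore tiny clock differences.
    Records with a blank SourceCreated or TargetCreated are skipped.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = parse_ts(row["SourceCreated"])
        tgt = parse_ts(row["TargetCreated"])
        if src is None or tgt is None:
            continue
        delta = (tgt - src).total_seconds()
        if delta > tolerance_seconds:
            hits.append({
                "lnk": row["SourceFile"],
                "target": row["LocalPath"],
                "source_created": src,
                "target_created": tgt,
                "delta_seconds": delta,
            })
    return hits


if __name__ == "__main__":
    # Example usage against the constructed sample; pass a real LECmd CSV
    # file's contents to review an actual acquisition.
    for hit in find_suspicious_lnk(SAMPLE_CSV):
        print(f"{hit['lnk']}: target {hit['target']} has Created "
              f"{hit['target_created']}, {hit['delta_seconds']:.0f}s after the "
              f"shortcut's own Created {hit['source_created']}")
```

Two caveats follow from the article's own observations. The check only fires after the timestomped file has been reopened, because the .LNK does not track the $MFT live, so an empty result does not rule out timestomping. It also only catches a Target Created value that lands after the shortcut was created; a file backdated to before the .LNK existed produces no ordering anomaly here and has to be correlated with other artifacts, such as the $MFT parsing covered earlier in this series.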