Sustainability of Digital Formats: Planning for Library of Congress Collections
Sustainability of Digital Formats: Planning for Library of Congress Collections |
|
|
|
| Introduction | Sustainability Factors | Content Categories | Format Descriptions | Contact | |
| Full name | Microsoft Windows Shortcut File |
|---|---|
| Description |
A Microsoft Windows Shortcut File (LNK) is a file format designed to link to various types of information such as files, network shares, and search results. It employs the .lnk file extension and serves as a reference to a system location known as the link target. While the format supports Object Linking and Embedding (OLE) for object access, it is predominantly utilized as “shortcuts” to applications and file locations on the file system. The LNK file format comprises five structures, with some being mandatory and others optional:
Additionally, each LNK file has three dates associated with the target file: Created, Modified, and Accessed. In forensic analysis, timestamps related to LNK files are not precisely specific due to updates occurring at various times and for different reasons. The only assurance regarding file timestamps is that the file time is accurately reflected when the handle responsible for the change is closed. LNK files appear on the Windows graphical user interface (GUI), appearing on the Desktop, folders, and more. They appear without a file extension and with an illustration of an arrow in the bottom left corner (see Belkasoft’s Forensic Analysis of LNK Files for a visual example). These files play a role in the "My Recent Documents" list in Windows XP and the "Recent Items" section in Windows Vista. Specific file locations include: Windows XP:
Windows Vista:
The specification notes that LNK files have some backwards compatibility. They can be used in Windows versions as early as Windows NT 3.1. |
| Production phase | Used as part of production on Microsoft Windows operating systems since Windows 95. |
| Relationship to other formats | |
| Other | PIF. Prior to LNK files, Microsoft Windows used Program Information Files (PIF) to define how a program should run and link to that program. See Fileformat PIF for more information. Not documented at this time. |
| Other | Uniform Resource Locator (URL) files follow the same structure as LNK files. However, instead of linking to a file target as in LNK, URL files open a browser window and connect to the specified URL. Not documented at this time. |
| LC experience or existing holdings | The Library of Congress has a small amount of LNK files in its varied collections. |
|---|---|
| LC preference | The Library of Congress has not yet expressed any format preference for system files. See the Recommended Formats Statement for format preferences for software |
| Disclosure |
Fully disclosed, thoroughly documented. LNK was first released in 1995 but was not disclosed until July 16, 2010. See: History for more details. |
|---|---|
| Documentation |
Official specification: [MS-SHLLINK]: Shell Link (.LNK) Binary File Format. Versions 2.0 and newer of the specification are available online. |
| Adoption | Used by Microsoft operating systems since 1995. |
| Licensing and patents | Specification and any patents belong to Microsoft. See specification for details. |
| Transparency | Files are binary and require special tools to decipher. Not easily read. |
| Self-documentation |
For older versions, not a lot of transparency because there wasn't an open specification. For the files themselves, they do not indicate version. Comments welcome. |
| External dependencies | Used by Microsoft operating systems. |
| Technical protection considerations | None. See: General Note for information on LNK use in malware. |
| Other | |
|---|---|
| Bundling/compression | Not compressed. |
| Support for error detection | No error detection of note. |
| Functionality beyond normal | None. |
| Tag | Value | Note |
|---|---|---|
| Filename extension | lnk |
See: Specification. |
| Internet Media Type | application/x-ms-shortcut |
Not listed in IANA. See: httpd List of MIME Types, revision 1880504. |
| Magic numbers | 4C 00 00 00 01 14 02 00 |
See the specification, 3.1 Shortcut to a File or Gary Kessler's File Signature Table. |
| Pronom PUID | x-fmt/428 |
See https://www.nationalarchives.gov.uk/PRONOM/x-fmt/428. |
| Wikidata Title ID | Q29000599 |
Windows Shortcut file format. See https://www.wikidata.org/wiki/Q29000599. |
| Wikidata Title ID | Q39184097 |
Shell Link Binary File Format. See https://www.wikidata.org/wiki/Q39184097. |
| Other | NF00451 |
NARA File Format Preservation Plan ID. See https://www.archives.gov/files/lod/dpframework/id/NF00451.ttl. |
| General |
Security Concerns with LNK Files: LNK files have been exploited for use in malware. Details to how LNK files are used in malware can be found in the articles "How LNK Files Are Abused by Threat Actors" and "Following the LNK Metadata Trail". Two noticeable instances of LNK usage in malware are:
|
|---|---|
| History |
The LNK file format was introduced in 1995 with Windows 95. Although released in 1995 LNK was not disclosed or documented until 2010. In the fifteen year interval between release and disclosure some users reverse engineered the format and distributed unofficial documentation online. Before Microsoft officially published information about LNK, researchers attempted to describe the format independently. Two notable unofficial versions of the specification are “Windows Shortcut File Format Specification,” by Joachim Metz, and "The Windows Shortcut File Format as Reverse-Engineered by Jesse Hager Document Version 1.0," by Jesse Hager. The official LNK specification, versions 2.0 and above, are available online. Older versions are not accessible. The specification details changes made in each version. Notable modifications: Version 7.0 and Version 6.0:
Version 5.0 (changes from v4):
Version 4.0 (changes from v3):
Version 3.0 (changes from v2):
Version 2.0 (changes from v1.2):
|
|
|