LettersIndexed/lnk-extractor
LNK Extractor

A forensic metadata extractor for Windows .lnk (shortcut) files. Parses the binary LNK format to reveal hidden information automatically embedded by Windows — including the MAC address and computer name of the machine that created the file.

This is the same technique used by threat intelligence analysts to fingerprint APT operators from phishing lures.

What It Extracts

| Category | Fields |
| --- | --- |
| Tracker Data | MAC address, Machine ID (NetBIOS/computer name), Volume & File Droids |
| Header Info | File size, target size, file attributes, show command, icon index |
| Timestamps | Creation, modification, and access times |
| Volume Info | Drive type, serial number, volume label, local base path |
| Network Info | Network share path (if applicable) |
| String Data | Relative path, working directory, arguments |
| Extra Blocks | All extra data blocks present in the file |

How It Works

Windows .lnk files contain a TrackerDataBlock (0xA0000003) per the MS-SHLLINK specification. This block stores:

  • A UUID v1 (time-based) identifier as the "File Droid" — bytes 10–15 of a v1 UUID contain the MAC address of the network adapter
  • The NetBIOS computer name of the creating machine

Windows populates this silently whenever a shortcut is created.
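As an added example (not the project's own code), the TrackerDataBlock decoding described above in Python: it constructs a block from the values shown in the example output further down, then recovers the machine name, the four droids, and the MAC address and generation time from the v1 File Droid. The `find_tracker_block` signature scan and all field names are my own choices; a complete parser would walk the ExtraData chain rather than searching for the signature.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

TRACKER_SIG = 0xA0000003  # TrackerDataBlock signature per MS-SHLLINK 2.5.10

def parse_tracker_block(blk: bytes) -> dict:
    """Decode one TrackerDataBlock (BlockSize 0x60 bytes) into its forensic fields."""
    size, sig, length, version = struct.unpack_from("<IIII", blk, 0)
    if sig != TRACKER_SIG or size < 0x60 or len(blk) < 0x60:
        raise ValueError("not a complete TrackerDataBlock")
    # MachineID: 16-byte NUL-terminated ANSI NetBIOS name
    machine_id = blk[16:32].split(b"\0", 1)[0].decode("ascii", "replace")
    # Droid / DroidBirth: two GUIDs each, stored in Windows little-endian layout
    guids = [uuid.UUID(bytes_le=blk[o:o + 16]) for o in (32, 48, 64, 80)]
    info = {"machine_id": machine_id, "volume_droid": guids[0], "file_droid": guids[1],
            "birth_volume_droid": guids[2], "birth_file_droid": guids[3]}
    fd = guids[1]
    if fd.version == 1:
        node = fd.bytes[10:16]  # v1 UUID node field = 48-bit MAC address
        info["mac"] = ":".join(f"{b:02x}" for b in node)
        # RFC 4122: a set multicast bit means a random node ID, not a real NIC
        info["mac_is_random"] = bool(node[0] & 1)
        # v1 timestamp: 100 ns intervals since the Gregorian reform (1582-10-15)
        epoch = datetime(1582, 10, 15, tzinfo=timezone.utc)
        info["droid_time"] = epoch + timedelta(microseconds=fd.time // 10)
    return info

def find_tracker_block(data: bytes) -> Optional[dict]:
    """Heuristic: locate the block by signature anywhere in a LNK byte buffer."""
    idx = data.find(struct.pack("<I", TRACKER_SIG))
    if idx < 4:
        return None
    return parse_tracker_block(data[idx - 4:idx - 4 + 0x60])

def build_tracker_block(machine: bytes, vol: uuid.UUID, file: uuid.UUID) -> bytes:
    """Assemble a spec-shaped block (BlockSize 0x60, Length 0x58, Version 0)."""
    body = machine.ljust(16, b"\0") + vol.bytes_le + file.bytes_le + vol.bytes_le + file.bytes_le
    return struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + body

# Constructed sample using the droids from the example report in this README
SAMPLE_BLOCK = build_tracker_block(
    b"desktop-mg9ba3d",
    uuid.UUID("340D3DAA-8BCD-4265-A948-EDFEB53BC92F"),
    uuid.UUID("00C15FB8-0745-11F1-9559-1068382AF288"))

if __name__ == "__main__":
    for k, v in parse_tracker_block(SAMPLE_BLOCK).items():
        print(f"{k:20}: {v}")
```

The decoded `droid_time` is when the tracker GUID was generated on the creating machine, which can differ from the header timestamps and is a useful second clock when triaging a lure.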

Build

Windows (double-click)

build.bat

Manual

# g++ (MinGW)
g++ -o lnk_extractor.exe lnk_extractor.cpp -std=c++17 -O2 -Wall

# MSVC
cl /EHsc /std:c++17 /O2 /Fe:lnk_extractor.exe lnk_extractor.cpp

# Linux / macOS (for analyzing LNK files off-platform)
g++ -o lnk_extractor lnk_extractor.cpp -std=c++17 -O2 -Wall

Usage

# Pass as argument
lnk_extractor.exe sample.lnk

# Or run and type the path interactively
lnk_extractor.exe

Example Output

  ============================================================
               LNK FILE FORENSIC METADATA REPORT
  ============================================================
  [SHELL LINK HEADER]
    File Size (on disk)     : 810 bytes
    Target File Size        : 200704 bytes
    File Attributes         : ARCHIVE
    Creation Time           : 2025-12-03 14:44:08 UTC
    Modification Time       : 2025-12-03 14:44:08 UTC
    Access Time             : 2026-02-11 13:42:43 UTC
    Show Command            : SW_SHOWNORMAL
    Icon Index              : 0

  [LINK FLAGS]
    HasLinkTargetIDList     : Yes
    HasLinkInfo             : Yes
    HasName                 : Yes
    HasRelativePath         : No
    HasWorkingDir           : Yes
    HasArguments            : No
    HasIconLocation         : No
    IsUnicode               : Yes

  [VOLUME / TARGET INFO]
    Local Base Path         : C:\Windows\notepad.exe
    Drive Type              : DRIVE_FIXED
    Drive Serial Number     : 7728975D

  ============================================================
                TRACKER DATA  --  FORENSIC GOLD
  ============================================================
    Machine ID (NetBIOS)    : desktop-mg9ba3d
    MAC Address             : 10:68:38:2a:f2:88

    Volume Droid            : 340D3DAA-8BCD-4265-A948-EDFEB53BC92F
    File Droid              : 00C15FB8-0745-11F1-9559-1068382AF288
    Birth Volume Droid      : 340D3DAA-8BCD-4265-A948-EDFEB53BC92F
    Birth File Droid        : 00C15FB8-0745-11F1-9559-1068382AF288

Real-World Use Cases

  • Threat Intelligence — Identify APT operator machines from phishing .lnk lures (like APT36/SideCopy, APT27/Emissary Panda campaigns)
  • Digital Forensics — Trace which machine created a shortcut file
  • Incident Response — Analyze suspicious shortcuts found on compromised systems
  • OSINT — Cross-reference MAC addresses and machine names across malware samples

Creating Test Files

$ws = New-Object -ComObject WScript.Shell
$sc = $ws.CreateShortcut(".\test.lnk")
$sc.TargetPath = "C:\Windows\notepad.exe"
$sc.Save()

License

MIT
