Before the digital age, when library books had checkout cards in the back, those paper cards were used to keep track of certain information about the book they were associated with. When a book was checked out, the checkout card would be filed away so that the library could know who checked that book out, and when they did so.

The purpose of the checkout card is to store information about something else. You can think of a link file in much the same way. A library card is used to store information about where the book is located, who is in possession of the book, when the book was checked out, and other information. A link file is the digital equivalent to a library card, storing information such as the location of the file it is associated with, the time that file was created, when it was last accessed, when it was last modified, and to which user account that file belongs.

A Windows shortcut, or link file, is a pointer file to a file in a different location, which is called the target file. Using our analogy, the library card would be the pointer, and the book itself the target file. Figure 32.1 shows this using the library card file as a paradigm for link files. For example, when you install a program on your computer, a shortcut icon is created on your desktop, which is a link file. When you double-click this shortcut icon on your desktop, it opens a program associated with it. If you uninstall a program, but the shortcut icon was left on your desktop, when you double-click that shortcut now, nothing will happen except that you would see an error message letting you know that the program cannot be found. This is because that shortcut icon (link file), now points nowhere since the target file it was associated with is now gone. This would be like trying to use a checkout card to find a book that the library no longer has. The checkout card would know where the book used to be, but when you went to that section of the library where the book is supposed to be located, the book itself would be missing. The converse is also true; deleting the shortcut icon on your desktop does not uninstall the program it is associated with. Destroying a library card does not also destroy the book it is associated with.

Link files are used liberally by the Windows operating system, and they can be created in numerous ways. A user can create a link file intentionally, for example, by placing a shortcut on the desktop, or they can also be created by Windows, without the user’s knowledge.

The overall purpose of a link file is to enhance the user’s experience as he or she navigates a computer. A link file can help you find documents you recently opened, quickly open a program on a computer via a shortcut, or access a device such as a printer or network hard drive that is not directly connected to your computer. Link files are created in numerous ways and used liberally by the Windows operating system; they can be useful as evidence in many ways.

Link files contain useful information within themselves about the target file they are associated with. A link file can tell you what Windows account, or username, the target file was opened with. It can also potentially contain information on when that target file was created, last accessed, or last modified. Link files can show that a file previously existed on a computer, and can also be useful in determining if a file was opened from a device connected to a computer, such as a USB thumb drive or external hard drive.

While link files can be useful as a part of a body of evidence, digital or otherwise, using them to come to any conclusion without other corroborating evidence can be precarious. Link files alone can be used as solid evidence in some case situations; in others they cannot, since the interpretation of link file evidence can vary given the knowledge and capability of the examiner and their intended use in a case.

As data is moved from one device to another, it can leave a trail of digital bread crumbs that can be useful as evidence. Data today travels more easily, more discretely, and in greater quantity than ever before. A USB thumb drive of today, while physically very small, can easily hold hundreds or thousands of documents, pictures, movies, or music files.

Link files can be used as part of an investigation to determine if a device, such as a USB thumb drive, has been connected to a computer, and also what files were moved to that device, when they were moved, and where they were moved from. This scenario is most promising when you access all the digital evidence in question. In this case that would be the thumb drive and the computer. By having both devices, it is possible to use link files that exist on both devices to conclusively show that a file was moved or copied from one device to another, even if the file does not exist on either device anymore.

Often there are cases where data theft or employee wrongdoing involving a particular file is of concern. In these situations, the computer is usually owned by the company and it is provided for examination. However, the USB thumb drive might be personally owned by the suspected employee, making it more difficult to get. The information gathered from the examination of link files on a computer can help determine information about the USB thumb drive, such as the make and model, and even the volume serial number of the USB thumb drive. Every USB thumb drive has a unique volume serial number. This information can then in turn be used to provide sufficient proof of the need to get the USB thumb drive for examination. Figure 32.2 shows a screenshot in EnCase forensics software of a link file’s volume serial number.

In this chapter we learned the purpose of link files, which are created by the Windows operating system to make a computer user’s experience more enjoyable by making files easier to access with features like desktop shortcuts and recent items. We learned that link files point to other files in different locations. We also learned that link files can be valuable as evidence in a case to build timelines, find out how a file has traveled from one device to another, determine if a file has ever been opened, or see if a deleted file existed on a computer at one point in time.