  • The volume serial number can tie a file's existence to a particular volume

    When it comes to lnk file analysis, we should put more emphasis on the volume serial number. It can help forensic examiners determine whether files exist(ed) on a certain volume. Let's take a look at the lnk files below:

    1. Take a look at AndroidGestureSHA1.txt.lnk, and you can see the volume serial is "149F-651D". You can also use the DOS command "vol" to check it. Yes, the volume serial number of my C partition is "149F-651D".

    2. Next, take a look at EN2015061801.html.lnk. The volume serial is "B3A6-DB3C" and it's a removable drive whose volume name is "XPE".

    3. But one thing is very important: if you format the volume... guess what? Yes, the volume serial changes after formatting. Let me show you the effect of formatting on the volume serial number.

    Before formatting the volume serial number is "B3A6-DB3C"

    Now I format it.

    After formatting the volume serial number becomes "7887-6B77"

    Now you know that if the volume is formatted, the volume serial number will change. Don't forget the effect of formatting on the volume serial number. Take it into consideration whenever you correlate a volume serial number with other clues.
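
As an added example (not code from the original post), the Python below reads the VolumeID block that a .lnk file carries inside its LinkInfo structure, following the MS-SHLLINK layout, and formats the serial the same way "vol" prints it. The sample file is constructed in memory from the values reported above; the function names and the E:\ path are assumptions made for the illustration.

```python
import struct

DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

def parse_volume_id(lnk: bytes):
    """Return (serial, drive type, label) from a .lnk VolumeID, or None if absent."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a shell link (HeaderSize must be 0x4C)")
    flags = struct.unpack_from("<I", lnk, 20)[0]          # LinkFlags
    pos = 76                                              # end of ShellLinkHeader
    if flags & 0x1:                                       # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]  # skip IDListSize + IDList
    if not flags & 0x2:                                   # HasLinkInfo not set
        return None
    _size, _hdr, li_flags, vol_off = struct.unpack_from("<4I", lnk, pos)
    if not li_flags & 0x1:                                # VolumeIDAndLocalBasePath
        return None                                       # e.g. network-only target
    vol = pos + vol_off
    vol_size, dtype, serial, label_off = struct.unpack_from("<4I", lnk, vol)
    if vol_size <= 0x10 or vol + vol_size > len(lnk):
        raise ValueError("malformed or truncated VolumeID")
    block = lnk[vol:vol + vol_size]
    if label_off == 0x14:                                 # label stored as UTF-16
        uni_off = struct.unpack_from("<I", block, 16)[0]
        label = block[uni_off:].decode("utf-16-le", "replace").split("\0")[0]
    else:                                                 # label stored as ANSI string
        label = block[label_off:].split(b"\0")[0].decode("ascii", "replace")
    # "vol" prints the 32-bit serial as high word, dash, low word
    return (f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            DRIVE_TYPES.get(dtype, f"type {dtype}"), label)

def build_sample_lnk(serial: int, dtype: int, label: bytes, path: bytes) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo only) for offline testing."""
    clsid = bytes.fromhex("0114020000000000C000000000000046")
    header = struct.pack("<I16sI", 0x4C, clsid, 0x2) + bytes(52)  # HasLinkInfo
    volume = struct.pack("<4I", 0x10 + len(label) + 1, dtype, serial, 0x10) + label + b"\0"
    base_off = 0x1C + len(volume)                         # LocalBasePathOffset
    suffix_off = base_off + len(path) + 1                 # CommonPathSuffixOffset
    info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    return header + info + volume + path + b"\0" + b"\0"

# Constructed sample using the values the post reports for EN2015061801.html.lnk
SAMPLE = build_sample_lnk(0xB3A6DB3C, 2, b"XPE", b"E:\\EN2015061801.html")

if __name__ == "__main__":
    print(parse_volume_id(SAMPLE))
```

A serial recovered this way that no longer matches the current output of "vol" for the same drive is consistent with the volume having been formatted after the link was created.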

  • Original article: https://www.cnblogs.com/pieces0310/p/4705065.html