Uncategorized

Tracking screenshots with LNK files

Phill Moore1 Comment

At some point in history, Microsoft introduced Snipping Tool. The world rejoiced as a simple screenshot tool was added to Windows that allowed for screenshots of sections of the screen that was easier than pressing Print-Screen and opening Paint.

Unfortunately, Microsoft decided to deprecate Snipping tool in later versions of Win10, instead pushing people onto the (in my opinion) less user friendly “Snip-n-Sketch”. However, not all is lost with the change, and in fact, forensic artefacts are gained!

I tried to think of a pun for a title, I was unsuccessful. Insert semi relevant picture!

Leaving Breath of the Wild's Great Plateau Is the Ultimate Call to Adventure
Photo credit: Escapist Magazine

Snipping Tool

I took a screenshot with ‘Snipping tool’ and that didn’t create a LNK file. The contents of the screenshot were put in the clipboard, which is the default setting (so if clipboard sync was on it would likely be written to disk and stored in memory).

After the screenshot is taken it opens a new window showing the picture, and when the screenshot is saved, a new file is created and the forensic artifacts associated should be populated. From a LNK perspective, there will be a new LNK file created with its parent folder and the MAC times for both the LNK and the Target should match.

LNK file created from saving a screenshot from Snipping tool

‘Snip & Sketch’

‘Snip & Sketch’ is its own application, and it also has a shortcut key (Win+Shift+S). Interestingly, taking a screenshot with the shortcut key results in a notification being displayed in the bottom right but no automatically created LNK files. If the user was to click on the notification that is displayed, then the picture will open in ‘Snip & Sketch’, which generates a LNK file indicating the source is ‘Toast’ (as in notification).

More interestingly, taking a screenshot through the application results in a LNK file without interaction!

Parsing this with LECMD gives me a Source Created and Modified time that matches when I took the screenshot. The filename itself doesn’t seem to show much of interest – the GUIDs may be of interest but I haven’t looked into them in too much detail. You can also parse the 1c7a9be1b15a03ba Jumplist and you’ll get the same LNK entries.

If you go through the app to the point of taking a screenshot, but then don’t follow through, you will still get a LNK file but it won’t have the GUIDs.

Overall, it seems that the ‘Snip & Sketch’ app is what generates the LNK file.

What was the screenshot though?

As an addendum – ‘Snip & Sketch’ is a Windows app, and so I had a look in the Appdata\Local\Packages folder:

C:\Users\User\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe

While there are a few folders in here, the main one that has content is the TempState folder. What was crazy was this contained the screenshots that I took but never saved to disk.

I have no idea why this is here or how long these files are retained for – they survive a restart, so there’s probably some arbitrary process that clears them out.

Some research online suggests that some additional screenshots may exist in a seperate location, however I couldn’t recreate what were in the posts.

There’s a lot of intricacies left to learn in the Windows operating system – nothing is a solved problem!

References:

Snip & Sketch Autosave Location – https://www.reddit.com/r/Windows10/comments/iv8gf8/snip_sketch_autosave_location/

One thought on “Tracking screenshots with LNK files

Leave a comment