How to extract LNK files from a hard drive image

When browsing a timeline built from the MFT, LNK (shortcut) files are evidence that a particular file was opened at a specific point in time, because Windows Explorer creates one in the user's Recent folder when a file is opened.

On modern versions of Windows, the last accessed time of the file itself is not reliably updated when it is opened (NtfsDisableLastAccessUpdate was 1 by default from Windows Vista through early Windows 10 releases; since Windows 10 1803 the setting is system managed and depends on volume size), but the timestamps of the LNK file created for it are.

The creation time of the LNK file records the first time the target file was opened, and its last accessed/last modified times are updated each time the file is used again, so they record the most recent use. For additional details, see David Cowen's article: https://www.hecfblog.com/2013/08/daily-blog-52-understanding-artifacts.html

If you find an interesting LNK file, chances are that its data is resident in its MFT record rather than in separate clusters, due to its small file size. You can use ntfswalk from TZWorks to extract it by filename (the name as stored in the MFT, e.g. report.docx.lnk), like this:

ntfswalk64.exe -partition <driveletter> -filter_name <nameoffile> -action_copy_files <foldertocopyto>

Note that -partition addresses a volume that is mounted on the analysis machine (for example a write-blocked disk or a mounted image); ntfswalk can also read a raw image directly with -image <imagefile> -offset <volumeoffset>, and the exact option syntax is in its usage output.

You can then use Eric Zimmerman's LECmd (https://github.com/EricZimmerman/LECmd) to parse it, for example with LECmd.exe -f <path\to\file.lnk>. The output shows the timestamps of both the linked target file (embedded in the LNK header) and the LNK file itself.
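To see where LECmd gets the target timestamps from, here is a small added example (written for this post; it is not code from the original article and not LECmd itself) that parses the fixed ShellLinkHeader and the LinkInfo block of a .lnk file: the target's creation, access and write FILETIMEs, its size, and the local path and volume serial it pointed at. It first checks the HeaderSize and LinkCLSID, which is the sanity check you want before trusting bytes carved out of a resident MFT attribute. The sample shortcut bytes, the path C:\Users\analyst\Documents\report.docx and the volume serial 1A2B3C4D are constructed inline so the script runs offline; pass a real .lnk path as the first argument to parse that instead.

```python
"""Minimal parser for the Windows Shell Link (.lnk) header and LinkInfo block.

Added example for this post; not code from the original article and not LECmd.
Offsets follow the [MS-SHLLINK] layout. The sample LNK below is constructed
here (fictional path and volume serial) so the script runs offline.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit 0
HAS_LINK_INFO = 0x02                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to aware datetime; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(data, offset):
    """NUL-terminated ANSI string at offset (code page assumed to be cp1252)."""
    end = data.index(b"\0", offset)
    return data[offset:end].decode("cp1252", errors="replace")


def is_lnk(data):
    """Check HeaderSize and LinkCLSID before trusting carved or MFT-resident data as a shortcut."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == struct.pack("<I", LNK_HEADER_SIZE)
            and data[4:20] == LNK_CLSID)


def parse_lnk(data):
    if not is_lnk(data):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    # ShellLinkHeader fields from offset 0x00 up to and including FileSize (ends at 0x38)
    (_, _, link_flags, file_attrs, ctime, atime, wtime, file_size) = struct.unpack_from("<I16sIIQQQI", data, 0)
    result = {
        "link_flags": link_flags,
        "file_attributes": file_attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "file_size": file_size,
    }
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        # LinkTargetIDList: 2-byte IDListSize followed by the ItemIDs; skipped over here
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if link_flags & HAS_LINK_INFO:
        li = pos  # all LinkInfo offsets are relative to the start of the LinkInfo structure
        (_li_size, _li_hdr_size, li_flags, vol_off, lbp_off, _cnrl_off, cps_off) = struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            (_vol_size, drive_type, serial, _label_off) = struct.unpack_from("<4I", data, li + vol_off)
            result["drive_type"] = drive_type          # 3 = DRIVE_FIXED
            result["drive_serial"] = f"{serial:08X}"
            result["local_base_path"] = _cstring(data, li + lbp_off)
        result["common_path_suffix"] = _cstring(data, li + cps_off)
    return result


def build_sample_lnk(path, created, accessed, modified, size):
    """Construct a minimal shortcut (header + LinkInfo + terminal block) for offline testing."""
    header = struct.pack("<I16sIIQQQI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(modified), size)
    header += struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0)  # IconIndex, ShowCommand, HotKey, Reserved1-3
    vol = struct.pack("<4I", 0x11, 3, 0x1A2B3C4D, 0x10) + b"\0"  # VolumeID, empty label (fictional serial)
    lbp = path.encode("cp1252") + b"\0"
    vol_off = 0x1C
    lbp_off = vol_off + len(vol)
    cps_off = lbp_off + len(lbp)
    link_info = struct.pack("<7I", cps_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + vol + lbp + b"\0"
    return header + link_info + b"\0\0\0\0"  # TerminalBlock ends the ExtraData section


SAMPLE_TARGET = r"C:\Users\analyst\Documents\report.docx"  # constructed sample path
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET,
                              datetime(2019, 3, 1, 9, 15, tzinfo=timezone.utc),
                              datetime(2019, 3, 5, 14, 2, tzinfo=timezone.utc),
                              datetime(2019, 3, 4, 17, 30, tzinfo=timezone.utc),
                              48213)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    for key, value in parse_lnk(blob).items():
        print(f"{key:20} {value}")
```

The timestamps this prints are the target file's own MACB values as they were when the shortcut was last written, which is why they are worth comparing against the LNK file's filesystem timestamps from the MFT: the two sets tell you about different objects.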