Monday, September 17, 2018

Daily Blog #481: Event Logs for VHDs

Hello Reader,
               I was going back through default event logs when I ran across an event log for VHD actions that was described in Harlan Carvey's Windows Forensic Analysis Toolkit. There is an event log named "Microsoft-Windows-VHDMP-Operational.evtx"n that contains entries from creating, provisioning and mounting/unmounting VHDs.

If I was aware of this I must have forgotten but it was something I thought would be useful for the future so I decided to document it here.  Here is an example of a VHD being attached to my Windows 10 system.

Sunday, September 16, 2018

Daily Blog #480: Sunday Funday 9/16/18

Hello Reader,
          I'm going to change things around for this weeks challenge, lets put things back to research and less about coding and see how you do. 

The Prize:
$100 Amazon Giftca

The Rules:

  1. You must post your answer before Friday 9/21/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
On Windows 7 test and document how you can get ObjectIDs to:
1. Populate
2. Change
3. Get preserved

Good luck!

Saturday, September 15, 2018

Daily Blog #479: Solution Saturday 9/15/18

Hello Reader,
       This week I didn't get any working entries for the challenge, meaning I'll just put up the code to do it on Monday. Otherwise make sure to try and submit nextbweek your hesitation might have cost you $100!

Friday, September 14, 2018

Daily Blog #478: Github repository for the Test Kitchen

Hello Reader,
        I went ahead and added a Github repository for the ObjectID scanner I was showing on the Test Kitchen last night. You can get the script here:

This scripts requires that you have installed:
Python 3.6 or newer

And you can follow this repository to get all future scripts I show on future episodes of the Test Kitchen:

Test this on your own system and let me know if you find something I missed!

I fly out to London tomorrow and look forward to continuing the research there. 

Thursday, September 13, 2018

Daily Blog #477: Forensic Lunch Test Kitchen 9/13/18 ObjectID Decoded and timestamps tested

Hello Reader,
        Our Forensic Lunch Test Kitchen series continues! Tonight we decoded the Object ID values into their timestamps, sequences, versions, variant and mac addresses to try to understand more about what the values mean.

We found that:

  • As Maxim Suhanov ( stated the time values used to construct the ObjectID UUIDs are cached. Meaning that the timestamp decoded does not indicate when the ObjectID was created and the timetamps will increment by miliseconds between ObjectID creations in the same boot
  • That the seed of the cached timestamp is the system boot time, so at every reboot the cached time that serves are the earliest possible ObjectID time will update to the boot time as recorded in the system event logs
  • That the sequence number does appear to increment overall but this needs further testing
  • That the $Volume ObjectID attribute is actually the VolumeID referenced by the ObjectID index
You can watch it here:

Daily Blog #476: Forensic Lunch Test Kitchen 9/12/18 ObjectID Default Behavior

Hello Reader,
         Another night, another test kitchen! Tonight I try to remove my observation bias from the past episodes but modifying the code in my Automating DFIR with Pytsk series to extract ObjectID attributes from files and directories in the MFT. To do this I wrote and troubleshot a python script in Python 3 which I'm trying to force myself to convert to that recurses through a live volume and prints out all the Object IDs that exist.

What we learned:

  • Some system files have what appear to be invalid MAC addresses from the file creation
  • Some user directories have ObjectIDs
  • Some installed programs have MAC addresses from their original developers
  • Some Windows system32 executables have ObjectIDs and in Windows 7 have the original MAC addresses
Watch the video below to learn more:

Tuesday, September 11, 2018

Daily Blog #475: Forensic Lunch Test Kitchen 9/11/18 ObjectIDs

Hello Reader,
       Another Forensic Lunch Test Kitchen this evening with a deeper look into ObjectIDs.

We covered:

  • The fact that the suffix of an ObjectID is the MAC address of the primary network interface as described in Harry Parsonage's paper (
  • The fact that the prefix of an ObjectID is a timestamp showing when the ObjectID was set
  • The fact that opening a file updates a LNK file but does not change the ObjectID
  • The fact that opening a file whose ObjectID was set one one system does not update the ObjectID when the same file is opened on the same volume on another system
  • The fact that changing attributes, permissions and ADS values does not update the ObjectID
Hear and see more in the video below: