Daily Blog #458: Object IDs

Object IDs by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
        In Hideaki Ihara's blog post on the port139 blog, he talks about a subsystem that has been around for quite some time: the Distributed Link Tracking System, which allowed LNK files and other shell item structures to survive a file being renamed or moved prior to the inclusion of MFT reference numbers in Windows 7. This means there are now at least two methods within a LNK file that will allow it to point to the correct file even if it has been renamed or moved since it was last opened.

Hideaki is pointing out that when a file is opened and a shell item is created for it, an Object ID should be created for the file as an attribute. While I agree this is true, I would also look for the creation of the LNK file itself and then for which jump list got updated, to determine what application opened the file, especially since not every file opened will get an Object ID, as stated in the limitations section of the Microsoft documentation.

In summary, an Object ID won't be set, even if a file is opened, when:

  1. The file is being opened from a removable drive
  2. The file is being opened from a FAT drive
  3. The file is being opened from a newly formatted NTFS volume and the system hasn't rebooted
  4. The file is being opened from a newly attached fixed disk with NTFS and the system hasn't been rebooted
I think we should do more testing on this, but in all of the above scenarios the shell item system would still record these accesses, and the USN journal would show the LNK files and jump lists being updated. I like where Hideaki is going; I just want to make sure people are aware of what's possible.
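To make the Object ID side of this concrete, here is an added example (my own illustration, not code from this blog or from Hideaki's post) that parses the Distributed Link Tracking block a LNK file carries in its ExtraData section (the TrackerDataBlock, signature 0xA0000003 in MS-SHLLINK). The file Object ID and the volume ID stored there are GUIDs; Windows generates the file Object ID as a version-1 UUID, so it also encodes a creation timestamp and the MAC address of the machine that created it, and a birth volume ID that differs from the current volume ID tells you the file was moved across volumes after it was created. The LNK bytes, the machine name `lab-ws01`, the MAC `00:11:22:33:44:55` and the 2013-01-01 timestamp are all constructed test data, not values from the post.

```python
"""Decode the Distributed Link Tracking (Object ID) block of a Windows LNK file."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_DATA_BLOCK_SIG = 0xA0000003   # MS-SHLLINK TrackerDataBlock signature
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # version-1 UUID time base


def guid_le(raw: bytes) -> uuid.UUID:
    """Windows stores GUIDs with the first three fields little-endian."""
    return uuid.UUID(bytes_le=raw)


def uuid_v1_time(u: uuid.UUID) -> datetime:
    """Timestamp encoded in a version-1 UUID (100 ns ticks since 1582-10-15)."""
    return UUID_EPOCH + timedelta(microseconds=u.time // 10)


def uuid_v1_mac(u: uuid.UUID) -> str:
    """Node field of a version-1 UUID, normally the generating NIC's MAC address."""
    return ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))


def iter_extra_data(data: bytes, offset: int = 0):
    """Walk ExtraData blocks <BlockSize u32><BlockSignature u32><body>; a size < 4 is the TerminalBlock."""
    while offset + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, offset)
        if size < 4:
            break
        yield sig, data[offset + 8:offset + size]
        offset += size


def parse_tracker_block(body: bytes) -> dict:
    """Split the 88-byte TrackerDataBlock body: Length, Version, MachineID, Droid, DroidBirth."""
    length, version = struct.unpack_from("<II", body, 0)
    machine_id = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
    droid_volume, droid_file = guid_le(body[24:40]), guid_le(body[40:56])
    birth_volume, birth_file = guid_le(body[56:72]), guid_le(body[72:88])
    return {
        "length": length, "version": version, "machine_id": machine_id,
        "droid_volume": droid_volume, "droid_file": droid_file,
        "birth_volume": birth_volume, "birth_file": birth_file,
        # The birth identifiers are fixed at creation; a different current volume
        # GUID means the target was moved to another volume after it was created.
        "moved_across_volumes": droid_volume != birth_volume,
    }


def extract_tracker(extra_data: bytes, offset: int = 0):
    """Return the parsed TrackerDataBlock, or None when the LNK carries no Object ID data."""
    for sig, body in iter_extra_data(extra_data, offset):
        if sig == TRACKER_DATA_BLOCK_SIG and len(body) >= 88:
            return parse_tracker_block(body)
    return None


# ---- constructed sample data (not from a real system) ----
SAMPLE_MAC = 0x001122334455
SAMPLE_BIRTH_TIME = datetime(2013, 1, 1, tzinfo=timezone.utc)


def make_v1_uuid(when: datetime, node: int, clock_seq: int = 0x1234) -> uuid.UUID:
    """Build a deterministic version-1 UUID the way the RFC 4122 layout defines it."""
    ticks = (when - UUID_EPOCH) // timedelta(microseconds=1) * 10
    fields = (
        ticks & 0xFFFFFFFF,                     # time_low
        (ticks >> 32) & 0xFFFF,                 # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),   # time_hi_and_version (version 1)
        0x80 | ((clock_seq >> 8) & 0x3F),       # clock_seq_hi_and_reserved (RFC 4122 variant)
        clock_seq & 0xFF,                       # clock_seq_low
        node,                                   # node (MAC address)
    )
    return uuid.UUID(fields=fields)


def build_sample_extra_data() -> bytes:
    """Constructed ExtraData: one unrelated block, the TrackerDataBlock, then the TerminalBlock."""
    vol_now = uuid.UUID("11111111-2222-3333-4444-555555555555")
    vol_birth = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    file_id = make_v1_uuid(SAMPLE_BIRTH_TIME, SAMPLE_MAC)
    body = struct.pack("<II", 0x58, 0) + b"lab-ws01".ljust(16, b"\x00")
    body += vol_now.bytes_le + file_id.bytes_le + vol_birth.bytes_le + file_id.bytes_le
    tracker = struct.pack("<II", 8 + len(body), TRACKER_DATA_BLOCK_SIG) + body
    other = struct.pack("<II", 12, 0xA0000009) + b"\x00" * 4  # placeholder block the walk skips
    return other + tracker + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    info = extract_tracker(build_sample_extra_data())
    print("machine:", info["machine_id"])
    print("object id:", info["droid_file"], "created", uuid_v1_time(info["droid_file"]),
          "on NIC", uuid_v1_mac(info["droid_file"]))
    print("moved across volumes:", info["moved_across_volumes"])
```

On a real LNK file you would pass the bytes that follow the fixed 0x4C-byte ShellLinkHeader and its optional LinkTargetIDList, LinkInfo and string sections as `extra_data` (or simply the whole file with `offset` set to where the ExtraData begins); the walk stops at the TerminalBlock. Note that all of this only tells you about the LNK's record of the target: per the limitations above, a target on a removable or FAT volume will have no Object ID, so the block may be absent or carry only the birth identifiers, and the LNK creation and jump list updates remain the more reliable evidence of the open.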
