Thursday, October 11, 2018

Daily Blog #504: Forensic Lunch Test Kitchen 10/11/18

Hello Reader,
          Tonight we had what I think is a very exciting broadcast of the Forensic Lunch. When discussing on Twitter whether or not an ObjectID would be created when a file is accessed over a network share, DR Joe Sylve (watch the video to see why I capitalized doctor) hypothesized that it would not, while I pontificated that it would. It turns out ... it does! We then extracted and encoded the local ObjectID database (/$Extend/$ObjId:$O) and parsed it to find out which systems had which data.

Here is what we learned:

  • Opening a file from a Windows 10 system on a Windows 7 file share creates an ObjectID that both systems can see
  • The ObjectID data contains the volume ID and the MAC address of the file server (the Windows 7 system in my testing); the MAC address is carried in the node field of the time-based ObjectID GUID, which is why it identifies the host that generated it
  • The ObjectID database ($ObjId:$O) on the Windows 7 system contains the ObjectID of the file accessed
  • The ObjectID database on the Windows 10 system does not contain the ObjectID of the file accessed
  • The Windows 10 system will create a LNK file for the access
  • The Windows 7 system does not create a LNK file for the file being accessed from it as a network share
  • Creating a file in Windows 10 in the GUI will trigger an ObjectID being created on a network share hosted by a Windows 7 system
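Since the practical payoff of the findings above is attributing an ObjectID back to the machine that generated it, here is a small decoder for the 16-byte ObjectID as it sits on disk (the key of the $ObjId:$O index, or the $OBJECT_ID attribute and the link-tracking block of a LNK file). This is an added example written for this post, not the parsing done on the broadcast; the sample ObjectID, its timestamp and its MAC address are constructed here for illustration. A version-1 GUID packs a 60-bit timestamp (100 ns ticks since 1582-10-15) and a 48-bit node field that Windows fills with the MAC address; the on-disk layout is the Windows mixed-endian GUID, so the bytes must be read with `bytes_le`. If the GUID is not version 1 (a random ID), there is nothing to attribute and the decoder says so.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 GUID timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_objectid(raw: bytes) -> dict:
    """Decode a 16-byte NTFS ObjectID in its on-disk (little-endian GUID) layout."""
    if len(raw) != 16:
        raise ValueError("ObjectID must be exactly 16 bytes")
    guid = uuid.UUID(bytes_le=raw)  # NTFS/LNK store GUIDs in Windows mixed-endian form
    info = {
        "guid": str(guid),
        "version": guid.version,
        "mac": None,
        "timestamp": None,
        "node_looks_like_hardware_mac": None,
    }
    if guid.version != 1:
        # Random-style IDs carry no node or time fields; nothing attributes them to a host.
        return info
    node = guid.node
    # Node field is 48 bits, most significant octet first.
    info["mac"] = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    # guid.time is the 60-bit tick count; drop the sub-microsecond digit for datetime.
    info["timestamp"] = GREGORIAN_EPOCH + timedelta(microseconds=guid.time // 10)
    # RFC 4122 says a synthesized node sets the multicast bit (bit 0 of the first octet);
    # a clear bit is a hint, not proof, that this is a burned-in adapter address.
    info["node_looks_like_hardware_mac"] = not ((node >> 40) & 0x01)
    return info


def build_v1_objectid(when: datetime, mac: str, clock_seq: int = 0x1234) -> bytes:
    """Build the on-disk bytes of a version-1 ObjectID. Used here only to construct sample data."""
    micros = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1)
    ticks = micros * 10
    node = int(mac.replace(":", ""), 16)
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | (1 << 12)  # version 1 in the top nibble
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)  # RFC 4122 variant bits 10
    clock_seq_low = clock_seq & 0xFF
    guid = uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))
    return guid.bytes_le


# Constructed sample: a file server whose adapter MAC and ObjectID creation time are invented.
SAMPLE_WHEN = datetime(2018, 10, 11, 18, 30, 0, tzinfo=timezone.utc)
SAMPLE_MAC = "00:0c:29:3a:5b:6c"
SAMPLE_OBJECTID = build_v1_objectid(SAMPLE_WHEN, SAMPLE_MAC)
# Constructed sample of a random (version 4) ID, which carries no host attribution.
SAMPLE_V4_OBJECTID = uuid.uuid4().bytes_le

if __name__ == "__main__":
    for label, raw in (("v1", SAMPLE_OBJECTID), ("v4", SAMPLE_V4_OBJECTID)):
        print(label, raw.hex(), decode_objectid(raw))
```

Feed it the 16-byte key of each $O index entry (or the DroidFileIdentifier from a LNK tracker block) and group by MAC address: every ObjectID minted by the Windows 7 share should share that host's adapter address, while the timestamp gives the moment the ID was generated, independent of the file's own MFT times.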
You can watch the video here: