Hello Reader,
Tonight we had what I think is a very exciting broadcast of the Forensic Lunch. When discussing on Twitter whether or not an ObjectID would be created when a file is accessed over a network share, DR Joe Sylve (watch the video to see why I capitalized doctor) hypothesized that it would not, while I pontificated that it would. It turns out ... it does! We then extracted and encoded the local ObjectID database (/$extend/$objid:$o) and parsed it to find out which systems had which data.
Here is what we learned:
- Opening a file from a Windows 10 system on a Windows 7 file share creates an ObjectID that both systems can see
- The ObjectID contains the volume ID and MAC address of the file server (the Windows 7 system in my testing)
- The ObjectID database on the Windows 7 system contains the ObjectID of the file accessed
- The ObjectID database on the Windows 10 system does not contain the ObjectID of the file accessed
- The Windows 10 system will create an LNK file for the access
- The Windows 7 system does not create an LNK file for the file accessed from its network share
- Creating a file in Windows 10 through the GUI will trigger an ObjectID being created on a network share hosted by a Windows 7 system
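The second finding above (the ObjectID carries the file server's MAC address) follows from how Windows mints these GUIDs: they are RFC 4122 version-1 UUIDs, so the 48-bit node field is the generating machine's NIC address and the 60-bit timestamp is when the ID was created. The parser below is an added example, not code from the original post or from any tool used on the broadcast. It decodes one 16-byte on-disk ObjectID GUID and the full 64-byte FILE_OBJECTID_BUFFER (the $OBJECT_ID attribute value: ObjectId, BirthVolumeId, BirthObjectId, BirthDomainId). The sample bytes are constructed for the example: a made-up server MAC of 00:11:22:33:44:55, a made-up creation time of 2015-01-01 00:00 UTC, a placeholder v4 GUID standing in for the volume ID and a zeroed domain ID.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID v1 epoch: 1582-10-15 00:00:00 UTC; timestamps are 100-ns ticks since then.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_objectid(blob16: bytes) -> dict:
    """Decode one 16-byte NTFS ObjectID GUID as stored on disk.

    On disk the GUID uses the Windows mixed-endian layout (uuid's bytes_le).
    Windows generates ObjectIDs with UuidCreateSequential, which produces an
    RFC 4122 version-1 UUID: a 60-bit timestamp plus the 48-bit node (MAC)
    of the machine that minted it. Non-v1 GUIDs are returned undecoded.
    """
    if len(blob16) != 16:
        raise ValueError("ObjectID GUID must be exactly 16 bytes")
    u = uuid.UUID(bytes_le=blob16)
    info = {"guid": str(u), "version": u.version}
    if u.version == 1:
        node = u.node
        info["mac"] = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
        # RFC 4122: a host with no usable NIC uses a random node with the
        # multicast bit set, so flag it rather than report it as a real MAC.
        info["mac_is_random"] = bool(node & (1 << 40))
        info["timestamp"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return info


def parse_object_id_buffer(blob64: bytes) -> dict:
    """Split a 64-byte FILE_OBJECTID_BUFFER ($OBJECT_ID attribute value) into
    its four GUIDs (ObjectId, BirthVolumeId, BirthObjectId, BirthDomainId)
    and decode each one."""
    if len(blob64) != 64:
        raise ValueError("FILE_OBJECTID_BUFFER must be exactly 64 bytes")
    names = ("object_id", "birth_volume_id", "birth_object_id", "birth_domain_id")
    return {name: decode_objectid(blob64[i * 16:(i + 1) * 16]) for i, name in enumerate(names)}


def make_v1_guid(when: datetime, node: int, clock_seq: int = 0) -> bytes:
    """Build a version-1 GUID in on-disk byte order; used only to construct
    sample data for this example."""
    ticks = int((when - UUID_EPOCH).total_seconds()) * 10_000_000
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF, (ticks >> 48) & 0x0FFF,
              (clock_seq >> 8) & 0x3F, clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields, version=1).bytes_le


# Constructed sample, not real evidence: the "file server" minted the ObjectID
# at 2015-01-01 00:00 UTC from a NIC with MAC 00:11:22:33:44:55. A placeholder
# v4 GUID stands in for the volume ID; the domain ID is left as zeros.
SERVER_MAC = 0x001122334455
SAMPLE_OBJECT_ID = make_v1_guid(datetime(2015, 1, 1, tzinfo=timezone.utc), SERVER_MAC, 0x1234)
SAMPLE_BUFFER = (SAMPLE_OBJECT_ID
                 + uuid.UUID("3f2b1c9e-0d7a-4e5b-9c11-5a6b7c8d9e0f").bytes_le
                 + SAMPLE_OBJECT_ID
                 + bytes(16))

if __name__ == "__main__":
    for name, guid_info in parse_object_id_buffer(SAMPLE_BUFFER).items():
        print(name, guid_info)
```

When running this over real entries, compare the decoded MAC and timestamp of the ObjectId against the hosts involved: in the scenario above the MAC should belong to the Windows 7 file server, not the Windows 10 client that opened the file. Treat a flagged random node as "no NIC identity available" rather than as evidence of a particular machine.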
You can watch the video here: