Hello Reader,
A shorter test kitchen tonight, mainly because the answer came much quicker than I expected but only in part. Tonight we deleted files from the command line and the GUI to see what effect deleting them would have on the ObjectID Index found at /$Extend/$ObjID:$O. I used the updated $O parser from Matt Seyer found here: https://github.com/forensicmatt/WinObjectIdParser
Here is what we learned:
A shorter test kitchen tonight, mainly because the answer came much quicker than I expected but only in part. Tonight we deleted files from the command line and the GUI to see what effect deleting them would have on the ObjectID Index found at /$Extend/$ObjID:$O. I used the updated $O parser from Matt Seyer found here: https://github.com/forensicmatt/WinObjectIdParser
Here is what we learned:
- Deleting a file from the command line causes the ObjectID Index to delete the file entry
- Deleting a file from the GUI causes the ObjectID Index to delete the file entry
- That the deletion appears to clean and too quick, leading me to suspect that there is more going on here
On Monday I expect to resume this line of questioning with a hex editor (likely 010) and some offset tracking as we look to solve the mystery of the deleted ObjectID records.
You can watch the video here:
Also Read: Daily Blog #504
Post a Comment