Daily Blog #475: Forensic Lunch Test Kitchen 9/11/18 ObjectIDs

ObjectIDs by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
       Another Forensic Lunch Test Kitchen this evening with a deeper look into ObjectIDs.

We covered:

  • The fact that the suffix of an ObjectID is the MAC address of the primary network interface as described in Harry Parsonage's paper (http://computerforensics.parsonage.co.uk/downloads/themeaningoflife.pdf)
  • The fact that the prefix of an ObjectID is a timestamp showing when the ObjectID was set
  • The fact that opening a file updates a LNK file but does not change the ObjectID
  • The fact that opening a file whose ObjectID was set one one system does not update the ObjectID when the same file is opened on the same volume on another system
  • The fact that changing attributes, permissions and ADS values does not update the ObjectID
Hear and see more in the video below:

Also Read: Daily Blog #474

Post a Comment