Thursday, September 13, 2018

Daily Blog #476: Forensic Lunch Test Kitchen 9/12/18 ObjectID Default Behavior

Hello Reader,
         Another night, another test kitchen! Tonight I try to remove my observation bias from the past episodes but modifying the code in my Automating DFIR with Pytsk series to extract ObjectID attributes from files and directories in the MFT. To do this I wrote and troubleshot a python script in Python 3 which I'm trying to force myself to convert to that recurses through a live volume and prints out all the Object IDs that exist.

What we learned:

  • Some system files have what appear to be invalid MAC addresses from the file creation
  • Some user directories have ObjectIDs
  • Some installed programs have MAC addresses from their original developers
  • Some Windows system32 executables have ObjectIDs and in Windows 7 have the original MAC addresses
Watch the video below to learn more:

No comments:

Post a Comment