Daily Blog #494: Forensic Lunch Test Kitchen 10/1/18 - Discussion on ObjectID Attributes of files in the MFT

- Discussion on ObjectID Attributes of files in the MFT by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
         Tonight the test kitchen continued to plumb the depths of ObjectID attributes of files in the MFT. What did we learn tonight?

We learned that:

  • The perceived duplicate timestamps from the decoded object ids were for the most part due to lack on granularity in nano seconds, when the raw values were added there were more unique values

  • That some files appear to have the same objectid and are related (the same exe file, lnk file pointing to the same resource) meaning we need to look at the MFT attributes to see if they are hard links to the same file

  • That changing the clock back will not change the base clock time used to generate ObjectIDs and sorting by the ObjectID timestamp will show you the correct order a file was created/interacted with (depending on the version of Windows) regardless of the time set by the user
We left off with a test of the sequence numbers as my VM had a Windows 10 update pending. We will continue tomorrow night!

You can watch the broadcast here:

Also Read: Daily Blog #493

Post a Comment