Daily Blog #496: Forensic Lunch Test Kitchen 10/3/18 - Our exploration of ObjectIDs within the MFT

Our exploration of ObjectIDs within the MFT by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
Today we come close to a conclusion on our exploration of ObjectIDs within the MFT. We extracted MFT attributes with pytsk and then ran MFTECmd to validate the same information, in order to determine why we had duplicate ObjectIDs in our file system.

We learned that:

  • Duplicate ObjectIDs appear to happen in hard links to the same file
  • Every duplicate ObjectID that we tested had the same file entry and sequence number, meaning it was the same file
  • Python has a cool function called dir() which will show you all of the available methods that an object has
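
The check behind the first two findings, as an added example that is not code from the original post: it groups parsed MFT rows by ObjectID and tests whether each duplicate resolves to a single file entry and sequence number. The CSV column names and the sample rows are assumptions constructed for illustration, not the actual output layout of pytsk or MFTECmd.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real evidence). Column names are assumptions
# for this example; map them to whatever your MFT parser actually exports.
SAMPLE_CSV = """EntryNumber,SequenceNumber,ParentPath,FileName,ObjectId
41,3,Documents,report.docx,11111111-aaaa-4bbb-8ccc-000000000001
41,3,Desktop,report-link.docx,11111111-aaaa-4bbb-8ccc-000000000001
57,1,Documents,notes.txt,22222222-aaaa-4bbb-8ccc-000000000002
63,2,Temp,a.lnk,33333333-aaaa-4bbb-8ccc-000000000003
88,5,Temp,b.lnk,33333333-aaaa-4bbb-8ccc-000000000003
90,1,Temp,plain.txt,
"""


def duplicate_object_ids(csv_text):
    """Return a finding for every ObjectID that appears on more than one row."""
    by_oid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        oid = row["ObjectId"].strip().lower()
        if oid:  # rows without an ObjectID are skipped
            by_oid[oid].append(row)
    findings = {}
    for oid, rows in by_oid.items():
        if len(rows) < 2:
            continue
        # One (entry, sequence) pair across all rows means one file reached
        # by several names, which is the hard-link case described above.
        refs = {(int(r["EntryNumber"]), int(r["SequenceNumber"])) for r in rows}
        findings[oid] = {
            "verdict": "hard_links" if len(refs) == 1 else "different_files",
            "file_refs": sorted(refs),
            "names": sorted(f'{r["ParentPath"]}/{r["FileName"]}' for r in rows),
        }
    return findings


if __name__ == "__main__":
    for oid, info in duplicate_object_ids(SAMPLE_CSV).items():
        print(oid, info["verdict"], info["file_refs"], info["names"])
```

A `different_files` verdict marks a duplicate that the hard-link explanation does not cover and that should be examined by hand.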
You can watch the video here:

