Daily Blog #505: Forensic Lunch Test Kitchen 10/12/18 - Deleting Files from ObjectID Index found at /$Extend/$ObjID:$O

Deleting Files from ObjectID Index found at /$Extend/$ObjID:$O by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
            A shorter test kitchen tonight, mainly because the answer came much quicker than I expected but only in part. Tonight we deleted files from the command line and the GUI to see what effect deleting them would have on the ObjectID Index found at /$Extend/$ObjID:$O. I used the updated $O parser from Matt Seyer found here: https://github.com/forensicmatt/WinObjectIdParser

Here is what we learned:

  • Deleting a file from the command line causes the ObjectID Index to delete the file entry
  • Deleting a file from the GUI causes the ObjectID Index to delete the file entry
  • That the deletion appears to clean and too quick, leading me to suspect that there is more going on here
On Monday I expect to resume this line of questioning with a hex editor (likely 010) and some offset tracking as we look to solve the mystery of the deleted ObjectID records. 

You can watch the video here:


Also Read: Daily Blog #504

Post a Comment