Daily Blog #511: Forensic Lunch Test Kitchen 10/18/18

Hello Reader,
             Back to the test kitchen tonight! While tonight's broadcast was a later than normal (showed the kids the few episode of the new Doctor Who season) we did have some good testing done. Tonight we tested my theory of what was recoverable from an external drive formatted NTFS in regards to ObjectIDs. The theory being that we could use the existence of ObjectIDs to show that files were interacted with after being copied, which is important since access dates are no longer updated when a file is opened on a NTFS drive since Windows Vista.

Tonight we learned:

  • ObjectID attributes are set on files accessed from external fixed disks
  • The /$Extend/$ObjID:$O Index root is created when a drive is formatted
  • The $ObjID:$O Index allocations are not populated on the external drive when objects are created within the file system
  • The $logfile will create a record storing the ObjectID that was set, when it was set or changed
  • The $UsnJrnl:$J will contain a timestamped record showing when objectids were set allowing an examiner to timeline when the actions took place
  • With the $logfile records you could determine which Mac address opened the files, when the objectid was set and when the file was deleted
  • With the $usnjrnl records you could determine when the objectid was set and when/if the file was deleted
You can watch the video here:

Post a Comment