SecureArtisan

My Road to Digital Forensics Excellence

LNK File Testing

Posted by Paul Bobby on February 23, 2010

So have you read the Meaning of LIFE by Harry Parsonage?

Well I have, and I started testing the observations made therein. This is a very good paper, especially the section regarding ObjectIDs. I sometimes feel that they are overlooked, especially in the flavor-of-the-month timeline analysis discussions that are happening now.

However, I’ve been slowly testing each observation under a number of different scenarios; let’s start with Observation Two.

Once a link file has been created for a target file with a given filename, during the lifetime of that link file, if another target file of the same name is accessed from a different location, the original file for that given filename is updated.

So, for example, create c:\test.txt, open it and add some text, then close it. Double-click this file in Explorer, and you should get a test.txt link file created in your Recent folder. Close the text file. This time create a new file on your desktop called test.txt. Open it, add some text, and then close it. That test.txt link file now points to the second one.

My goal in testing was to discover if there is a way to determine if the link file is pointing to the very first target file that caused the link file to be created.

I confirmed, as Harry did, that the sequence ID of the MFT record of the link file increments whenever the link file points to a new target file with the same filename. So my hypothesis is, if the sequence ID of the MFT record is 1, then we can conclude that the link file is pointing to the first

Test setup

  1. Thumb drive formatted NTFS, write caching disabled
  2. Drive mounted to E:\, test files test.txt are present on E:\ and C:\
  3. Retrieve the File Identifier and Sequence ID of the Recent\test.txt.lnk

Test sequence

  1. Open E:\test.txt
  2. FileID/SequenceID: 89278, 20
  3. Open C:\test.txt
  4. FileID/SequenceID: 89278, 21
  5. Open E:\test.txt
  6. FileID/SequenceID: 3313, 119
  7. Open C:\test.txt
  8. FileID/SequenceID: 3313, 120
  9. Open E:\test.txt
  10. FileID/SequenceID: 3313, 121

Simply opening ‘test.txt’ from different locations causes the test.txt.lnk file to be updated and point to the new target file. What I discovered is that not only does the Sequence ID get updated, but an entirely new MFT record can be used as well! Not sure why. Well, that blows my hypothesis out of the water.
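An added example (not code from the post or from Harry’s paper) that reads the live MFT record number and sequence number of a file such as Recent\test.txt.lnk, and labels each step of a test sequence as either a sequence increment on the same record or a move to a new MFT record. It assumes the usual NTFS file-reference layout (low 48 bits record number, high 16 bits sequence number) and that CPython on Windows exposes that file reference in `os.stat().st_ino`; the observation values are the ones recorded in the post.

```python
import os
import sys
from typing import List, Tuple

# Assumption (not stated in the post): an NTFS file reference is a 64-bit value
# whose low 48 bits are the MFT record number (the post's "File Identifier")
# and whose high 16 bits are the sequence number.
RECORD_BITS = 48
RECORD_MASK = (1 << RECORD_BITS) - 1


def split_file_reference(ref: int) -> Tuple[int, int]:
    """Return (mft_record_number, sequence_number) from a 64-bit file reference."""
    return ref & RECORD_MASK, ref >> RECORD_BITS


def live_file_reference(path: str) -> Tuple[int, int]:
    """Read the current MFT record/sequence of a file on an NTFS volume.
    Assumes CPython on Windows reports the NTFS file index in st_ino;
    on other platforms st_ino is a plain inode with no sequence field."""
    if not sys.platform.startswith("win"):
        raise OSError("NTFS file references are only available on Windows")
    return split_file_reference(os.stat(path).st_ino)


def classify_transitions(observations: List[Tuple[str, int, int]]) -> List[str]:
    """Label what happened to the link file's MFT record between consecutive
    observations. Each observation is (action, record_number, sequence)."""
    labels = []
    for (_, rec0, seq0), (action, rec1, seq1) in zip(observations, observations[1:]):
        if rec1 != rec0:
            kind = "new MFT record allocated"
        elif seq1 == seq0 + 1:
            kind = "same record, sequence incremented"
        elif seq1 == seq0:
            kind = "record unchanged"
        else:
            kind = f"same record, sequence jumped by {seq1 - seq0}"
        labels.append(f"{action}: {rec0},{seq0} -> {rec1},{seq1}: {kind}")
    return labels


# Values recorded in the post's test sequence for Recent\test.txt.lnk
POST_OBSERVATIONS = [
    ("open E:\\test.txt", 89278, 20),
    ("open C:\\test.txt", 89278, 21),
    ("open E:\\test.txt", 3313, 119),
    ("open C:\\test.txt", 3313, 120),
    ("open E:\\test.txt", 3313, 121),
]

if __name__ == "__main__":
    for line in classify_transitions(POST_OBSERVATIONS):
        print(line)
```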
