The meaning of time in the ObjectID/GUID in the LNK file


mansiu
Senior Member
 

The meaning of time in the ObjectID/GUID in the LNK file

Post Posted: Apr 06, 16 18:33

I have been trying to understand the meaning of the time embedded in the ObjectID in the LNK file. I can see quite a lot of documents stating that the ObjectID is indeed a GUID following UUID v1.

But when I look at the time in the ObjectID, I find no meaning in the time; it is neither the creation of the target nor of the LNK file. The time is usually a few hours before the file's first opening. I have also been searching with FSCTL_CREATE_OR_GET_OBJECT_ID but still have no clues.

I tried with some samples: downloaded some graphics and opened them, then an LNK file was created in the Recent folder.

If anyone has any information on this, please kindly share.

Thanks  
 
  

athulin
Senior Member
 

Re: The meaning of time in the ObjectID/GUID in the LNK file

Post Posted: Apr 06, 16 21:19

- mansiu
I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file.


It's not clear what you are referring to. There's nothing named 'ObjectId' in [MS-SHLLNK] (i.e. msdn . microsoft . com/en-us/library/dd871305.aspx) ... which I would expect to be the normative reference for terminology.

Is this some particular tool usage that you are referring to, or ... is it one of the other fields?  
 
  

PaulSanderson
Senior Member
 

Re: The meaning of time in the ObjectID/GUID in the LNK file

Post Posted: Apr 06, 16 21:36

The ObjID time is the time the computer was last booted.

There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.

sandersonforensics.com...been-moved
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

mansiu
Senior Member
 

Re: The meaning of time in the ObjectID/GUID in the LNK file

Post Posted: Apr 07, 16 14:14

- PaulSanderson
The ObjID time is the time the computer was last booted.

There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.

sandersonforensics.com...been-moved


Thank you so much  
 
  

keydet89
Senior Member
 

Re: The meaning of time in the ObjectID/GUID in the LNK file

Post Posted: Apr 07, 16 17:04

This blog post:

windowsir.blogspot.com...lysis.html

...then takes us here...

www.faqs.org/rfcs/rfc4122.html


Creating a timeline from a VM, and including this data, will very likely give you your answer.  
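
Added example (not part of any post in this thread, and not code from the linked articles): a Python sketch that pulls the object IDs out of a TrackerDataBlock as laid out in [MS-SHLLNK] and decodes their RFC 4122 version 1 fields, so the embedded time can be placed on a timeline. The sample block, machine name, MAC and time are constructed; reading each Droid pair as volume ID followed by object ID is an assumption taken from common LNK format documentation.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 time base
TRACKER_SIG = 0xA0000003  # TrackerDataBlock signature in [MS-SHLLNK]

def decode_v1_guid(raw16):
    """Decode a GUID as stored on disk (little-endian fields) into its v1 parts."""
    u = uuid.UUID(bytes_le=bytes(raw16))
    if u.version != 1:
        return {"guid": str(u), "version": u.version}  # no embedded time to read
    # u.time is the 60-bit count of 100 ns intervals since 1582-10-15 UTC
    ts = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    mac = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
    return {"guid": str(u), "version": 1, "time_utc": ts,
            "clock_seq": u.clock_seq, "node": mac}

def parse_tracker_block(block):
    """Parse a 0x60-byte TrackerDataBlock and decode both object IDs."""
    if len(block) < 0x60:
        raise ValueError("block too short")
    size, sig, _length, _version = struct.unpack_from("<IIII", block, 0)
    if size != 0x60 or sig != TRACKER_SIG:
        raise ValueError("not a TrackerDataBlock")
    machine = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    # Assumed layout: Droid = VolumeID + ObjectID at 32..64, DroidBirth at 64..96
    return {"machine_id": machine,
            "object_id": decode_v1_guid(block[48:64]),
            "birth_object_id": decode_v1_guid(block[80:96])}

def build_sample_block():
    """Constructed sample: every value below is made up for the demonstration."""
    stamp = datetime(2016, 4, 6, 9, 0, 0, tzinfo=timezone.utc)
    ticks = ((stamp - GREGORIAN_EPOCH) // timedelta(seconds=1)) * 10_000_000
    obj = uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                            ((ticks >> 48) & 0x0FFF) | 0x1000,  # version 1
                            0x80 | 0x12, 0x34, 0x001122334455))
    vol = uuid.UUID("11111111-2222-4333-8444-555555555555")  # placeholder volume ID
    droid = vol.bytes_le + obj.bytes_le
    header = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
    return header + b"examplepc".ljust(16, b"\x00") + droid + droid

if __name__ == "__main__":
    for key, value in parse_tracker_block(build_sample_block()).items():
        print(key, value)
```

The decoded time is UTC; compare it with boot and file events from the same system before drawing any conclusion about what it records.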
 
