HI,
Current case focus is on link files pointing to two different volume serial numbers with the same volume name. We received the most current volume but there was one link file that had the previous volume serial number that was updated the day before the computer was imaged.
The link had created date of 1/17/10 with last accessed and last written of 9/6/11. So, when the link was last written does the link maintain the previous volume serial or would the link be updated with the current volume serial?
Dep is very close so reaching out in hopes that others might know the answer.
Thanks.
The VSn should not chage after drive is formatted ( although it can be manually changed or with a utility). This could be where a drive was replaced and files copied in. Look for other files that exhibit this.
You could easliy test by grabbing one of the utilities that allow you to change VSN and testing against a file. Create under original VSN then change VSN and open and write to file again, see if it overwrites original VSN.
I have not tested but I do not believe changing the volume label affects the VSN. Some software vendors used VSN to enforce rudimentary copy protection.
Don't think it's a question of same drive different VSN. Agree the VSN generated when formatted and stays consistent. The issue is multiple drives.
Looking for a verification that when a link file was tied to (created on) a previous VSN and files are copied to another drive that when the link file is written to again on a drive with a different VSN, it picks up the VSN of the drive where the file now exists. OS is XP and this is activity on the system drive, not USB thumb drives.
Is the file system NTFS? Is there an Object ID in the link file?
If so the there is information stored within the link file from the Microsoft distributed link tracking system.
I wrote a short article here about 18 months ago that might help
http//
I can't quite appreciate why you ask the question in the way you have framed it, if I were to answer the question and you are going to give evidence relating to it then you are not going to be able to say I asked on FF and was told xyz.
It is something that you need to test yourself so you can explain how and why you came to the conclusion you did. If you don't do this I can't see how you can put it in any statement or deposition?
H