Forums
Main Category
General (Technical,...
ObjID added to an M...
 
Notifications
Clear all

ObjID added to an MFT record

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by j2222 15 years ago
5 Posts
3 Users
0 Reactions
790 Views
RSS
PaulSanderson
 PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 20 years ago
Posts: 651
Topic starter 09/08/2011 1:27 am   [#7997]

I am looking at some MFT records in VSC's that have different MFT
modified dates. The only difference between the MFT records is that
current version of the MFT record has an objID stream and the older
entries (the ones in the VSC's) do not.

Does anyone have any ideas as to why/when an objID might be added to
an MFT entry?



   
Quote
joakims
 joakims
(@joakims)
Estimable Member
Joined: 16 years ago
Posts: 224
09/08/2011 3:21 am  

I've wondered about this myself. Found some links suggesting it has to do with Distributed Link Tracking..

Besides that, I have a comprehensive mft2csv app I'm working on and by inspecting the log, I notice that all files on my system with ObjectID set, has file permissions set to archive. I currently don't know what it means, but is what I've just found.



   
ReplyQuote
joakims
 joakims
(@joakims)
Estimable Member
Joined: 16 years ago
Posts: 224
09/08/2011 2:06 pm  

http//msdn.microsoft.com/en-us/library/aa363997(v=vs.85).aspx



   
ReplyQuote
PaulSanderson
 PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 20 years ago
Posts: 651
Topic starter 09/08/2011 2:41 pm  

Thanks Joackim - I am aware of that (this information was included in my program LinkAlyzer a long time ago - www.sandersonforensics.com/linkalyzer.html)

I am looking at reasons that an ObjID might be added to an MFT entry - creation of a link file is one, are there others?



   
ReplyQuote
 j2222
(@j2222)
Eminent Member
Joined: 21 years ago
Posts: 36
09/08/2011 7:18 pm  

How about the system indexer?



   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: