Forums
Main Category
General (Technical,...
The meaning of time...
 
Notifications
Clear all

The meaning of time in the ObjectID/GUID in the LNK file

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by keydet89 9 years ago
5 Posts
4 Users
0 Reactions
2,319 Views
RSS
 mansiu
(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
Topic starter 06/04/2016 7:33 pm  

I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file. I can see quite a lot documents stating that the ObjectID is indeed a GUID following the UUID v1.

But when I look at the time in the ObjectID, I found no meaning of the time, it is neither the creation of the target nor the LNK file. The time is usually few hours before the file's first opening. Also have been searching with FSCTL_CREATE_OR_GET_OBJECT_ID but still have no clues.

I tried with some samples, downloaded some graphics and open it, then LNK file created in the Recent folder.

Anyone has any information on this, please kindly share.

Thanks


   
Quote
 Anonymous 6593
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
06/04/2016 10:19 pm  

I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file.

It's not clear what you are referring to. There's nothing named 'ObjectId' in [MS-SHLLNK] (i.e. https://msdn . microsoft . com/en-us/library/dd871305.aspx) … which I would expect to be the normative reference for terminology.

Is this some particular tool usage that you are referring to, or … is it one of the other fields?


   
ReplyQuote
PaulSanderson
 PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
06/04/2016 10:36 pm  

The ObjIB time is the time the computer was last booted

There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.

http//sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved


   
ReplyQuote
 mansiu
(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
Topic starter 07/04/2016 3:14 pm  

The ObjIB time is the time the computer was last booted

There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.

http//sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved

Thank you so much


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
07/04/2016 6:04 pm  

This blog post

http//windowsir.blogspot.com/2011/12/jump-list-analysis.html

…then takes us here…

http//www.faqs.org/rfcs/rfc4122.html

Creating a timeline from a VM, and including this data, will very likely give you your answer.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: