The meaning of time in the ObjectID/GUID in the LNK file  

mansiu
(@mansiu)
Member

I have been trying to understand the meaning of the time embedded in the ObjectID in the LNK file. I can see quite a lot of documents stating that the ObjectID is indeed a GUID following UUID v1.

But when I look at the time in the ObjectID, I can find no meaning for it; it is neither the creation time of the target nor of the LNK file. The time is usually a few hours before the file's first opening. I have also been searching around FSCTL_CREATE_OR_GET_OBJECT_ID but still have no clues.

I tried with some samples: downloaded some graphics and opened them, and then LNK files were created in the Recent folder.

If anyone has any information on this, please kindly share.

Thanks

Posted : 06/04/2016 7:33 pm
athulin
(@athulin)
Community Legend

> I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file.

It's not clear what you are referring to. There's nothing named 'ObjectId' in [MS-SHLLNK] (i.e. https://msdn.microsoft.com/en-us/library/dd871305.aspx) … which I would expect to be the normative reference for terminology.

Is this some particular tool usage that you are referring to, or … is it one of the other fields?

Posted : 06/04/2016 10:19 pm
PaulSanderson
(@paulsanderson)
Senior Member

The ObjID time is the time the computer was last booted.

There is an article at the link below that I wrote about 5 years ago, with some links for further info at the end of it.

http://sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved

Posted : 06/04/2016 10:36 pm
mansiu
(@mansiu)
Member

> The ObjID time is the time the computer was last booted.
>
> There is an article at the link below that I wrote about 5 years ago, with some links for further info at the end of it.
>
> http://sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved

Thank you so much

Posted : 07/04/2016 3:14 pm
keydet89
(@keydet89)
Community Legend

This blog post

http://windowsir.blogspot.com/2011/12/jump-list-analysis.html

…then takes us here…

http://www.faqs.org/rfcs/rfc4122.html

Creating a timeline from a VM, and including this data, will very likely give you your answer.

Posted : 07/04/2016 6:04 pm
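The decoding the whole thread is circling around, written out as an added example (it is not code from any of the posters, nor from the LinkAlyzer article or the blog post linked above). The object identifier that tools report as the "ObjectID" sits in the LNK file's TrackerDataBlock ([MS-SHLLNK] section 2.5.10) as the second GUID of the Droid pair and of the DroidBirth pair, and it is an RFC 4122 version 1 UUID, so its 60-bit timestamp (100 ns ticks since 1582-10-15) and 48-bit node (normally a MAC address) can be read straight off the bytes. The block below parses such a TrackerDataBlock and decodes both file GUIDs; the machine name, GUIDs, times and MAC are constructed sample values, and the make_v1_guid_le helper exists only to build that sample, it is not how Windows generates them.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 section 4.1.4: v1 timestamps count 100 ns intervals since the
# Gregorian reform date, 1582-10-15 00:00:00 UTC.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# [MS-SHLLNK] 2.5.10 TrackerDataBlock: BlockSize, BlockSignature, Length.
TRACKER_BLOCK_SIZE = 0x60
TRACKER_BLOCK_SIGNATURE = 0xA0000003
TRACKER_LENGTH = 0x58


def decode_objectid(raw_le: bytes) -> dict:
    """Decode one 16-byte GUID as stored in the LNK file (Data1..Data3 little-endian)."""
    if len(raw_le) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    u = uuid.UUID(bytes_le=raw_le)           # handles the mixed-endian packet layout
    if u.version != 1:
        raise ValueError(f"not a time-based (version 1) UUID: version {u.version}")
    ticks = u.time                            # 60-bit count of 100 ns intervals
    when = UUID_EPOCH + timedelta(microseconds=ticks // 10)
    node = u.node                             # 48-bit node; normally an IEEE 802 MAC
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
    return {
        "uuid": str(u),
        "timestamp_100ns": ticks,
        "time_utc": when,
        "clock_seq": u.clock_seq,
        "node": mac,
        # RFC 4122 section 4.5: a generator without a MAC uses a random node
        # with the multicast bit (LSB of the first octet) set.
        "node_is_random": bool((node >> 40) & 0x01),
    }


def parse_tracker_block(block: bytes) -> dict:
    """Split a TrackerDataBlock into its machine ID and four raw GUIDs."""
    size, signature, length, version = struct.unpack_from("<IIII", block, 0)
    if (size, signature, length) != (TRACKER_BLOCK_SIZE, TRACKER_BLOCK_SIGNATURE, TRACKER_LENGTH):
        raise ValueError("not a TrackerDataBlock")
    machine_id = block[16:32].split(b"\0", 1)[0].decode("ascii", "replace")
    guids = [block[32 + 16 * i:48 + 16 * i] for i in range(4)]
    return {
        "version": version,
        "machine_id": machine_id,
        "droid_volume": guids[0],   # Droid: volume identifier
        "droid_file": guids[1],     # Droid: object (file) identifier
        "birth_volume": guids[2],   # DroidBirth: volume identifier
        "birth_file": guids[3],     # DroidBirth: object (file) identifier
    }


def analyze_tracker_block(block: bytes) -> dict:
    """Decode the two file ObjectIDs carried by a TrackerDataBlock."""
    fields = parse_tracker_block(block)
    return {
        "machine_id": fields["machine_id"],
        "droid_file": decode_objectid(fields["droid_file"]),
        "birth_file": decode_objectid(fields["birth_file"]),
    }


# --- constructed sample data, only to exercise the decoder ---

def make_v1_guid_le(when: datetime, clock_seq: int, node: int) -> bytes:
    """Assemble an RFC 4122 v1 UUID in LNK on-disk byte order from chosen parts."""
    delta = when - UUID_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    fields = (
        ticks & 0xFFFFFFFF,                  # time_low
        (ticks >> 32) & 0xFFFF,              # time_mid
        0x1000 | ((ticks >> 48) & 0x0FFF),   # version 1 | time_hi
        0x80 | ((clock_seq >> 8) & 0x3F),    # RFC 4122 variant | clock_seq_hi
        clock_seq & 0xFF,                    # clock_seq_low
        node,
    )
    return uuid.UUID(fields=fields).bytes_le


SAMPLE_NODE = 0x001122334455      # constructed MAC 00:11:22:33:44:55
SAMPLE_VOLUME_GUID = uuid.UUID("3f2504e0-4f89-41d3-9a0c-0305e82c3301").bytes_le  # constructed v4
SAMPLE_BLOCK = (
    struct.pack("<IIII", TRACKER_BLOCK_SIZE, TRACKER_BLOCK_SIGNATURE, TRACKER_LENGTH, 0)
    + b"DESKTOP-EXAMPLE".ljust(16, b"\0")
    + SAMPLE_VOLUME_GUID
    + make_v1_guid_le(datetime(2016, 4, 6, 10, 0, tzinfo=timezone.utc), 0x0ABC, SAMPLE_NODE)
    + SAMPLE_VOLUME_GUID
    + make_v1_guid_le(datetime(2016, 4, 5, 8, 30, tzinfo=timezone.utc), 0x0ABC, SAMPLE_NODE)
)

if __name__ == "__main__":
    for name, info in analyze_tracker_block(SAMPLE_BLOCK).items():
        print(name, info)
```

Two things worth checking on real data rather than assuming: the decoded time is in UTC and, per the reply above, should be compared against the machine's boot events rather than against file timestamps; and the decoder rejects the volume GUIDs on purpose, since only the file (object) GUIDs are version 1 and carry a timestamp.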