Notifications
Clear all
General (Technical, Procedural, Software, Hardware etc.)
3
Posts
2
Users
0
Reactions
623
Views
Topic starter
23/11/2018 11:06 am
Hello.
How exact to know whether the file was created on a certain PC or copied from other PC?
Some facts, e.g. GUID, SID Owner, Author can be changed depends on PC where this file was opened. Thus, they didn't give exact information where a file was created.
Thanks in advance.
23/11/2018 12:09 pm
If we're talking NTFS, take a look at the $Logfile and if it is active, the $UsnJrnl.$J file.
The USN journal is a great source of evidence and may allow you to track a file's history on the volume in question by its MFT file identifier.
Topic starter
23/11/2018 1:25 pm
I agree with you the USN journal is a great resource of information but it will not show where a file was created. They can show that a file existed or existed in past. Maybe I'm wrong.