• LinkAlyzer - has this file been moved?

    How do I determine whether a file has been moved from one volume to another

    One of the structures found in some link files is the ObjectID, these structures relate to Distributed Link Tracking (see further reading below). Microsoft has in certain circumstances chosen to embed data within link files for use with its this Distributed Link Tracker Service. This information includes data relating to the original machine on which the target was created the birth machine and the current machine. There are four relevant structures:


    • NewVolID
    • NewFileOID
    • BirthVolID
    • BirthFileOID


    Each of these structures is made up of two GUIDs the VolumeID and the ObjID. Both are shown within LinkAlyzer but it is the ObjID that is of interest to forensic examiners. RFC4122 Document X.667 from the International Telecommunication Union best explains the structure of an OID. Essentially it is formed of the following fields:

    A time stamp (NewDate BirthDate)

    This is the system time at the time that the computer was booted.

    Version (NewVersion BithVersion)

    Determines the type of OID type 1 is a time based OID. It has no significance for an investigation. This field is hidden in LinkAlyzer by default.

    Variant (NewVariant BirthVariant)

    This should normally be 2 for an OID as described here, but has no significance for an investigation. This field is hidden in LinkAlyzer by default.

    Sequence (NewSequence BirthSequence)

    A number that should be incremented when the clock is set back or the computer is rebooted. In practice large increments to the sequence number are sometimes seen, but it is important to remember that this number should only increment (until of course it wraps back to zero).

    The variant is taken from the last 14 bits of the registry key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\UuidSequ enceNumber

    Mac Address (NewMac BirthMac)

    The MAC address of the primary network adapter of the appropriate computer. Note that there is anecdotal evidence that this can sometimes, for instance, be the MAC address of any adapter connected to a system such as a mobile phone.




    To create the example in the screen shot below I:

    • created new MS Word document on my drive C:
    • opened it (creating a link file in my Recent Docs folder)
    • Closed it and moved it (cut and paste) to D:\
    • I then reopened the file (updating the link file)


    LinkAlyzer automatically highlights any NewVolID that does not match its associated BirthVolID. In the screen shot below I have reordered the columns to show some of the relevant data adjacent to each other.




    The link file has an BirthVOLID and NewVOLID that reflect the original and new volumes.

    An examination of Attribute 0x40 using RevEnge of the MFT entry for the $volume file shows the Volume ID for drive C: in the screen shot below. The same experiment can be done for the Volume ID for drive D:.




    This link file therefore, while referring to a file on drive D: can show that the file originally resided on drive C:





    Further reading

    MS-SHLLINK Shell Link Binary Format
    http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx

    The meaning of Link Files in Forensic Examinations Harry Parsonage
    http://computerforensics.parsonage.c...ningofLIFE.pdf


    RFC 4122 A universally Unique Identifier (UUID) URN
    http://www.ietf.org/rfc/rfc4122.txt

    MS-DLTW Distributed Link Tracking: Workstation Protocol Specification
    http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx

    MS-DTLM - Distributed Link Tracking: Central Manager Protocol Specification
    http://msdn.microsoft.com/en-us/libr...(PROT.13).aspx

    Information technology Open Systems Interconnection Procedures for the operation of OSI Registration Authorities: Generation and registration of Universally Unique Identifiers (UUIDs) and their use as ASN.1 object identifier components
    http://www.itu.int/ITU-T/studygroups...id/X.667-E.pdf

    CDE 1.1: Remote Procedure Call
    http://www.opengroup.org/onlinepubs/9629399/apdxa.htm