detail of the specifications as several alternative values to the MAC address may be used for this part
of the ObjectID.
I have discussed just a few of the less well-known parts of the link file, but there is a lot more
information contained within every link file; Microsoft has made the structure of the link file
available as part of the MSDN Open Specifications. (7)
How can all this information help me in the examination of a computer?
The first consideration is how to extract the information from the link files. It may be manageable to
manually decode a small number of link files but if you want to recover information from all the link
files on a computer then an automated process will be required. Your forensic software will probably
be able to extract the main details such as file path, volume name and volume serial number of the
target file, but to get maximum value from the link files you may need more.
Sanderson Forensics’ LinkAlyzer program (8) will carve link files from a disk, volume, folder or EnCase
image, parse out the details contained within each link file (times and dates, paths, etc.) and also
decode ObjectIDs, presenting the MAC address, time and sequence number.
There is an Enscript available from the Guidance Enscript Resource Centre (9) which extracts
ObjectIDs from the MFT and reports the date, sequence, MAC address, associated filename and MFT
record of each ObjectID. A sample output from this script is shown below –
------------Case: MyTestCase-------------------------------------------
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\ComputerTriage.doc FileID: 38)
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\ComputerTriage.docx FileID: 39)
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\12345.bmp FileID: 40)
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\123456.bmp FileID: 41)
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\1234567.bmp FileID: 35)
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\Scan 004.jpg FileID: 36)
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\screenshot.bmp FileID: 37)
------------------------------------------------------------------------
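The following Python is an added example, not code from the original article and not part of LinkAlyzer or the Enscript above. It decodes a 16-byte ObjectID of the kind found in a link file's tracker data block into the three fields those tools report: generation time, clock sequence and MAC address. It assumes the ObjectID is a version-1 UUID stored in Windows GUID byte order (first three fields little-endian), which is what Python's uuid module reads via bytes_le. The sample ObjectID is constructed here from the timestamp, sequence and MAC shown in the report above; make_objectid exists only to build that sample and is the decoder's arithmetic run backwards.

```python
import datetime as dt
import uuid

# Ticks (100 ns units) between the UUID epoch, 1582-10-15 00:00 UTC,
# and the Unix epoch, 1970-01-01 00:00 UTC.
UUID_EPOCH_OFFSET = 0x01B21DD213814000
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def decode_objectid(raw16: bytes) -> dict:
    """Decode a 16-byte ObjectID as stored in a link file's tracker data block.

    The bytes are in Windows GUID layout (first three fields little-endian),
    which uuid.UUID understands via bytes_le. Only version-1 UUIDs carry a
    timestamp, clock sequence and node (MAC address), so anything else is rejected.
    """
    u = uuid.UUID(bytes_le=raw16)
    if u.version != 1:
        raise ValueError(f"not a version-1 UUID: {u}")
    # u.time is the 60-bit count of 100 ns ticks since 1582-10-15.
    seconds, rem = divmod(u.time - UUID_EPOCH_OFFSET, 10_000_000)
    when = UNIX_EPOCH + dt.timedelta(seconds=seconds, microseconds=rem // 10)
    mac = "-".join(f"{b:02X}" for b in u.node.to_bytes(6, "big"))
    return {"time": when, "seq": u.clock_seq, "mac": mac}


def format_line(decoded: dict) -> str:
    """Render a decoded ObjectID in the date / sequence / MAC style of the report above."""
    return (f"{decoded['time'].strftime('%d/%b/%y %H:%M:%S')} "
            f"Seq: {decoded['seq']} Mac: {decoded['mac']}")


def make_objectid(when: dt.datetime, seq: int, mac: str) -> bytes:
    """Build a version-1 ObjectID (GUID byte order) from known parts.

    Used here only to construct a test sample (hypothetical helper).
    """
    delta = when - UNIX_EPOCH
    ticks = ((delta.days * 86400 + delta.seconds) * 10_000_000
             + delta.microseconds * 10 + UUID_EPOCH_OFFSET)
    node = int(mac.replace("-", ""), 16)
    u = uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                 # time_low
        (ticks >> 32) & 0xFFFF,             # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,  # time_hi with version 1
        ((seq >> 8) & 0x3F) | 0x80,         # clock_seq_hi with RFC 4122 variant
        seq & 0xFF,                         # clock_seq_low
        node,                               # 48-bit node, normally the MAC address
    ))
    return u.bytes_le


# Constructed sample: the timestamp, sequence and MAC taken from the report above.
SAMPLE_OBJECTID = make_objectid(
    dt.datetime(2009, 9, 28, 7, 3, 29, tzinfo=dt.timezone.utc), 1944, "00-50-56-C0-00-08")

if __name__ == "__main__":
    print("raw ObjectID:", SAMPLE_OBJECTID.hex())
    print(format_line(decode_objectid(SAMPLE_OBJECTID)))
```

The time recovered this way is the moment the ObjectID itself was generated, which is why it can be read as evidence of when a file was handled on the computer whose MAC appears in the same ObjectID; the clock sequence is the value that stays constant across ObjectIDs generated in one session, as the repeated Seq: 1944 in the report above illustrates.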
Perhaps you have a loose hard drive and you want to identify which computer it was installed in.
The presence of MAC addresses in ObjectIDs can be a useful forensic artefact in cases where it is
necessary to identify the originating computer of loose hard drives, or identify periods when a hard
drive has been moved between computers.
If the file system is NTFS then the ObjectID in the link files will contain a MAC address from which
you may be able to identify the computer that the hard drive was connected to.
If you suspect the hard drive was moved between computers, again you might be able to identify the
periods during which it was in different computers from the MAC addresses in the ObjectIDs.
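To show how the MAC addresses in a set of ObjectIDs can be turned into periods of use per computer, here is an added example (not from the original article or from either tool it mentions) that reads report lines in the format shown earlier, groups them by MAC address and reports the earliest and latest ObjectID time seen for each, plus the points at which the MAC changes. The sample report is constructed: the first MAC and its first two lines are the ones from the page, while the later dates and the second MAC address are invented here to represent a drive that was later used in another computer.

```python
import re
from collections import defaultdict
from datetime import datetime

# One report line: date/time, clock sequence, MAC, then the entry name and MFT record.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/[A-Za-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Seq: (?P<seq>\d+) Mac: (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}) "
    r"\(Entry: (?P<entry>.+) FileID: (?P<fid>\d+)\)$"
)

# Constructed sample report. 00-50-56-C0-00-08 is the MAC from the page;
# 00-1A-2B-3C-4D-5E and the 2009-11 / 2010 dates are invented for this example.
SAMPLE_REPORT = r"""
------------Case: MyTestCase-------------------------------------------
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\ComputerTriage.doc FileID: 38)
28/Sep/09 07:03:29 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\Scan 004.jpg FileID: 36)
03/Nov/09 18:21:07 Seq: 1944 Mac: 00-50-56-C0-00-08 (Entry: MyTestCase\MyDriveImage\notes.txt FileID: 52)
14/Jan/10 09:12:45 Seq: 8011 Mac: 00-1A-2B-3C-4D-5E (Entry: MyTestCase\MyDriveImage\budget.xls FileID: 61)
02/Feb/10 11:40:03 Seq: 8011 Mac: 00-1A-2B-3C-4D-5E (Entry: MyTestCase\MyDriveImage\photo1.jpg FileID: 62)
------------------------------------------------------------------------
"""


def parse_report(text: str) -> list:
    """Return one dict per ObjectID line; header and footer rules are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m["ts"], "%d/%b/%y %H:%M:%S"),
            "seq": int(m["seq"]),
            "mac": m["mac"].upper(),
            "entry": m["entry"],
            "fid": int(m["fid"]),
        })
    return records


def periods_by_mac(records: list) -> dict:
    """Group ObjectIDs by MAC and report the earliest and latest generation time seen."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["mac"]].append(r)
    summary = {}
    for mac, rs in grouped.items():
        times = sorted(r["time"] for r in rs)
        summary[mac] = {
            "first": times[0],
            "last": times[-1],
            "count": len(rs),
            "seqs": sorted({r["seq"] for r in rs}),
        }
    return summary


def mac_changes(records: list) -> list:
    """Chronological (time, mac) pairs marking each change of MAC address.

    Each change is a candidate point at which the drive began to be used in a
    different computer; it should be confirmed against other artefacts, since
    ObjectIDs have been seen carrying MACs other than the primary network card.
    """
    changes, last_mac = [], None
    for r in sorted(records, key=lambda r: r["time"]):
        if r["mac"] != last_mac:
            changes.append((r["time"], r["mac"]))
            last_mac = r["mac"]
    return changes


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for mac, info in periods_by_mac(recs).items():
        print(f"{mac}: {info['count']} ObjectIDs, {info['first']} to {info['last']}, seqs {info['seqs']}")
    for when, mac in mac_changes(recs):
        print(f"{when}: drive in use with MAC {mac}")
```

On the sample this yields two periods, one per MAC, and a single change of MAC in January 2010; on real output the same grouping gives the earliest and latest time each computer is seen in the ObjectIDs, which is the evidence the paragraph above describes for dating when a drive was moved.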
It is interesting to note that the MAC address in the ObjectID will generally be that of the primary
network card; however other MAC addresses have been observed. For example when a mobile
phone (Windows Mobile OS) is connected to the host computer via Active Sync the MAC address of
the phone has been observed to be used in the creation of the ObjectIDs rather than that of the