NTFS Object IDs related to user activity (W11 and Windows Server 2022)
Source: Mendeley Data (indexed 2026-04-18)
Download link:
https://data.mendeley.com/datasets/h547z359tk
Description:
The NTFS system file $ObjID holds an index of the Object IDs that Windows uses to track files. Each index entry also stores the MFT record number, so every entry can be linked to its file record. The system file is created on every NTFS volume, including external devices. An Object ID carries a timestamp for the last boot of the session in which the entry was created, together with a node address that is either a valid MAC address of the computer on which the Object ID was created or a random value.
In this dataset we have exported the $MFT and the $O Index Allocation attribute of $ObjID. We wanted to see how index entries are created during installation and as a result of user activity, and whether there are differences between internal and external drives (USB stick or USB disk). Some folders in this dataset contain a file named log.txt that defines the use case for that scenario; the others have a folder name that describes the use case.
Notable findings: USB sticks are not assigned an Object ID for the $Volume file, which also means that all of their index entries lack a Birth Volume Object ID. External USB hard drives are assigned an Object ID for the $Volume file once they have been attached across a reboot of the computer, and internal hard drives are assigned one as well. Whenever an NTFS volume has an Object ID assigned to its $Volume system file, new index entries are also assigned Birth Volume Object IDs. Object IDs created before the volume received its Object ID result in index entries that hold only an Object ID, with both the Birth Volume Object ID and the Birth Object ID set to zero, whereas entries created afterwards carry an Object ID, a Birth Volume Object ID and a Birth Object ID. The Domain Object ID does not appear to be in use.
User activity in File Explorer, LibreOffice, MS Office and other applications creates Object ID entries for files that did not previously have one. We suggest using the Object IDs to focus an investigation on the files that show indications of user activity. In most cases the Object IDs let us connect external devices to the computers that created them, and identify when those computers were booted. Please refer to the paper "Using the object ID index as an investigative approach for NTFS file systems" (Nordvik et al., 2019), https://doi.org/10.1016/j.diin.2019.01.013, for more information about the Object ID index.
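To make the findings above concrete, here is an added example (not code from the dataset authors or from NTFSObjIDParser) that parses $O index entries and derives the facts an investigator reads from them: the MFT record behind each entry, whether the Birth Volume and Birth Object IDs are zero (the "created before the volume had an Object ID" case), the boot-session timestamp embedded in a version-1 GUID, and the node address. The on-disk entry layout follows ntfs-3g's INDEX_ENTRY and OBJ_ID_INDEX_DATA structures, and the code assumes the caller has already located the entry area of an INDX record and applied its update-sequence (fixup) array. The two sample entries, the MAC address 00:11:22:33:44:55 and all GUID values are constructed; the test for a random node uses the RFC 4122 multicast-bit convention, which is an assumption about how random nodes are generated, not something the dataset states.

```python
"""Parse NTFS $ObjId:$O index entries and decode their GUID fields.

Added example; not the dataset authors' or NTFSObjIDParser's code.
Entry layout (ntfs-3g INDEX_ENTRY + OBJ_ID_INDEX_DATA), all little-endian:
  0x00 u16 data offset  0x02 u16 data length  0x08 u16 entry length
  0x0A u16 key length   0x0C u16 flags (0x02 = last entry of the node)
  0x10 GUID Object ID (key)      0x20 u64 MFT reference (48-bit record, 16-bit seq)
  0x28 GUID Birth Volume ID  0x38 GUID Birth Object ID  0x48 GUID Birth Domain ID
Assumes the INDX record's fixups have already been applied.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

UUID_EPOCH_TO_UNIX_100NS = 0x01B21DD213814000  # 1582-10-15 -> 1970-01-01 in 100 ns
FLAG_LAST_ENTRY = 0x02
ENTRY_HEADER = "<HH4xHHH2x"                    # 16-byte index entry header
NULL_GUID = uuid.UUID(int=0)


def guid_from_disk(raw):
    """NTFS stores GUIDs in the Windows mixed-endian (bytes_le) layout."""
    return uuid.UUID(bytes_le=bytes(raw))


def decode_guid_v1(g):
    """Return (utc_timestamp, node, node_is_random) for a version-1 GUID, else None."""
    if g.version != 1:
        return None
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=(g.time - UUID_EPOCH_TO_UNIX_100NS) // 10)
    # Assumption (RFC 4122 4.5): a node not taken from an IEEE 802 address has the
    # multicast bit set; a clear bit is consistent with, not proof of, a real MAC.
    return ts, g.node, bool(g.node & (1 << 40))


def parse_entry(buf, off):
    """Parse one $O index entry starting at buf[off]."""
    data_off, data_len, _, key_len, _ = struct.unpack_from(ENTRY_HEADER, buf, off)
    if key_len != 16 or data_len != 56:
        raise ValueError(f"entry at {off:#x} is not an $O entry")
    key, data = off + 0x10, off + data_off
    mft_ref, = struct.unpack_from("<Q", buf, data)
    return {
        "object_id": guid_from_disk(buf[key:key + 16]),
        "mft_record": mft_ref & 0xFFFFFFFFFFFF,
        "mft_sequence": mft_ref >> 48,
        "birth_volume_id": guid_from_disk(buf[data + 8:data + 24]),
        "birth_object_id": guid_from_disk(buf[data + 24:data + 40]),
        "birth_domain_id": guid_from_disk(buf[data + 40:data + 56]),
    }


def iter_entries(buf, off=0):
    """Yield entries until the end-of-node marker (last flag set, no key)."""
    while off + 0x10 <= len(buf):
        _, _, entry_len, _, flags = struct.unpack_from(ENTRY_HEADER, buf, off)
        if flags & FLAG_LAST_ENTRY or entry_len == 0:
            break
        yield parse_entry(buf, off)
        off += entry_len


def describe(entry):
    """Derive the investigative facts from one entry."""
    oid, bvol, bobj = entry["object_id"], entry["birth_volume_id"], entry["birth_object_id"]
    facts = {
        # Both Birth IDs zero: created before $Volume had an Object ID (USB-stick case).
        "pre_volume_object_id": bvol == NULL_GUID and bobj == NULL_GUID,
        # Birth Object ID equal to the Object ID: the file was born on this volume.
        "born_on_this_volume": bobj == oid and bobj != NULL_GUID,
    }
    v1 = decode_guid_v1(oid)
    if v1 is not None:
        ts, node, rnd = v1
        facts["boot_time"] = ts
        facts["node"] = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
        facts["node_is_random"] = rnd
    return facts


def build_entry(oid, mft_record, mft_seq, bvol, bobj, bdom=NULL_GUID):
    """Serialise one entry; used only to construct the sample data below."""
    data = struct.pack("<Q", (mft_seq << 48) | mft_record) + bvol.bytes_le + bobj.bytes_le + bdom.bytes_le
    return struct.pack(ENTRY_HEADER, 0x20, len(data), 0x20 + len(data), 16, 0) + oid.bytes_le + data


# Constructed sample node: two entries plus the terminator. Both v1 timestamps encode
# 2024-01-01T00:00:00Z; the MAC and every GUID value are made up for this example.
OID_USB = uuid.UUID("b4cc8000-a838-11ee-8001-001122334455")  # MAC-style node
OID_INT = uuid.UUID("b4cc8001-a838-11ee-8001-1fa2b3c4d5e6")  # multicast bit set
VOL_ID = uuid.UUID("c9d1a2b3-4e5f-4a6b-8c7d-0e1f2a3b4c5d")
SAMPLE_NODE = (
    build_entry(OID_USB, 42, 3, NULL_GUID, NULL_GUID)   # stick: no $Volume Object ID yet
    + build_entry(OID_INT, 56, 1, VOL_ID, OID_INT)       # entry made after the volume got its ID
    + struct.pack(ENTRY_HEADER, 0, 0, 0x10, 0, FLAG_LAST_ENTRY)
)

if __name__ == "__main__":
    for e in iter_entries(SAMPLE_NODE):
        print(e["object_id"], "MFT", e["mft_record"], describe(e))
```

Run against a real $O export, feed `iter_entries` the bytes starting at the first entry of each fixed-up INDX record, and join `mft_record` back to the $MFT to name the file; `boot_time` and `node` are what tie an entry to a boot session and, when the node is a real MAC, to the creating computer.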
Use the prototype tool NTFSObjIDParser from https://github.com/RuneN007/NTFSObjectIDParser to parse this dataset by opening the $MFT and $O files from each subfolder.
Created:
2025-08-15