NTFS Object IDs related to user activity (W11 and Windows Server 2022)
Source: NIAID Data Ecosystem (indexed 2026-05-02)
Download link:
https://data.mendeley.com/datasets/h547z359tk
Description:
The NTFS system file $ObjID contains records (entries) of identifiers that Windows uses for tracking. Each record includes the MFT record number, which makes it possible to connect each index entry with the corresponding file record. This system file is created on any NTFS volume, including external devices. Each Object ID contains a timestamp of the last boot for the boot session in which the Object ID entry was created. It also contains a node address that is either a valid MAC address of the computer used when the Object ID was created, or a random value.
In this dataset we have exported the $MFT and the $ObjID Index Allocation Attribute named $O. We wanted to see how indexes were created on installation and based on user activity. We also wanted to see if there were differences between internal and external hard drives (USB stick or USB disk). Some of the folders within this dataset contain a file named log.txt which defines the use case for that scenario; the others have a folder name that describes the use case.
Notable findings: USB sticks do not include an Object ID for the file $Volume, which also means all their index entries will be missing the Birth Volume Object ID. External USB hard drives will be assigned an Object ID for the $Volume file if they are attached once during a reboot of the computer. Internal hard drives will also be assigned an Object ID for the $Volume system file. Whenever an NTFS volume is assigned an Object ID for the $Volume system file, its index entries will also be assigned Birth Volume Object IDs. If Object IDs were created before the device was assigned its Object ID, the result is index entries with only an Object ID, where both the Birth Volume Object ID and the Birth Object ID are set to zero. However, new Object ID entries created after the Object ID was assigned to $Volume will be assigned an Object ID, a Birth Volume Object ID, and a Birth Object ID. The Domain Object ID does not appear to be in use.
User activity using File Explorer, LibreOffice, MS Office, and other applications will create Object ID entries for files that were not previously assigned an Object ID. We suggest using the Object IDs to focus on the files that show indications of user activity during an investigation. By using the Object IDs we can in most cases connect external devices to the computers used to create the Object IDs, and we can identify when these computers were booted. Please refer to the paper "Using the object ID index as an investigative approach for NTFS file systems" (Nordvik et al., 2019) at https://doi.org/10.1016/j.diin.2019.01.013 for more information about the Object ID index.
Use the prototype tool NTFSObjIDParser from https://github.com/RuneN007/NTFSObjectIDParser to parse this dataset by opening the $MFT and $O files from each subfolder.
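As an added example (not code from the dataset or from the NTFSObjIDParser tool), the following Python parses one $O index entry into the fields described above and decodes the Object ID as a version-1 UUID to recover the boot-session timestamp and the node address, flagging whether the node looks like a real MAC or a random value. The entry layout is my assumption, and the sample entry, its boot time and its MAC are constructed.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Assumed layout of one $O index entry in $ObjId (my reading, not taken from the dataset):
#   0x00 data offset (2), data size (2), pad (4); 0x08 entry size (2), key size (2), flags (2), pad (2)
#   0x10 key = Object ID (16-byte GUID); data = MFT reference (8) + Birth Volume/Object/Domain ID (16 each)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # time origin of version-1 UUIDs

def decode_object_id(raw: bytes) -> dict:
    """Read a GUID as a version-1 UUID: boot-session timestamp plus node address."""
    u = uuid.UUID(bytes_le=raw)                      # GUID fields are little-endian on disk
    if u.version != 1:
        return {"guid": str(u), "version": u.version}
    node = u.node.to_bytes(6, "big")
    return {"guid": str(u), "version": 1,
            "boot_time": UUID_EPOCH + timedelta(microseconds=u.time // 10),  # u.time = 100 ns ticks
            "node": ":".join(f"{b:02x}" for b in node),
            "node_is_random": bool(node[0] & 0x01)}  # RFC 4122: a random node sets the multicast bit

def parse_o_entry(entry: bytes) -> dict:
    """Split one $O entry into Object ID, MFT reference and the three birth IDs."""
    data_off, data_len, entry_len, key_len = struct.unpack_from("<HHxxxxHH", entry, 0)
    if key_len != 16 or data_len < 56 or entry_len > len(entry):
        raise ValueError("not a $ObjId $O index entry")
    data = entry[data_off:data_off + data_len]
    ref = struct.unpack_from("<Q", data, 0)[0]       # 48-bit record number, 16-bit sequence
    ids = [data[8 + 16 * i:24 + 16 * i] for i in range(3)]
    return {"object_id": decode_object_id(entry[0x10:0x20]),
            "mft_record": ref & 0xFFFFFFFFFFFF, "mft_sequence": ref >> 48,
            "birth_volume_id": str(uuid.UUID(bytes_le=ids[0])),
            "birth_object_id": str(uuid.UUID(bytes_le=ids[1])),
            "birth_domain_id": str(uuid.UUID(bytes_le=ids[2])),
            "has_birth_ids": any(ids[0] + ids[1])}   # all-zero: entry predates the $Volume Object ID

def make_v1_guid(dt: datetime, node: bytes, clock_seq: int = 0x1234) -> bytes:
    """Build a v1 GUID in on-disk byte order; used here only to construct sample data."""
    d = dt - UUID_EPOCH
    ticks = (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10
    u = uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF, ((ticks >> 48) & 0x0FFF) | 0x1000,
                          0x80 | (clock_seq >> 8), clock_seq & 0xFF, int.from_bytes(node, "big")))
    return u.bytes_le

def build_o_entry(object_id: bytes, mft_record: int, seq: int, birth_ids: bytes = bytes(48)) -> bytes:
    """Constructed sample entry (zeroed birth IDs model the USB-stick case from the dataset)."""
    data = struct.pack("<Q", mft_record | (seq << 48)) + birth_ids
    return struct.pack("<HHIHHHH", 0x20, len(data), 0, 0x20 + len(data), 16, 0, 0) + object_id + data

BOOT = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed boot time of the creating computer
SAMPLE_ENTRY = build_o_entry(make_v1_guid(BOOT, bytes.fromhex("001122334455")), 42, 3)
```

Running `parse_o_entry` over every 88-byte entry of an exported $O attribute yields the MFT record to look up in $MFT and the boot time and node that tie the entry to the computer that created it.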
Created:
2025-08-15