I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file. I can see quite a lot of documents stating that the ObjectID is indeed a GUID following UUID v1.
But when I look at the time in the ObjectID, I find no meaning in the time; it is neither the creation of the target nor of the LNK file. The time is usually a few hours before the file's first opening. I have also been searching with FSCTL_CREATE_OR_GET_OBJECT_ID but still have no clues.
I tried with some samples: I downloaded some graphics and opened them, and then LNK files were created in the Recent folder.
If anyone has any information on this, please kindly share.
Thanks
I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file.
It's not clear what you are referring to. There's nothing named 'ObjectId' in [MS-SHLLNK] (i.e. https://msdn.microsoft.com/en-us/library/dd871305.aspx) … which I would expect to be the normative reference for terminology.
Is this some particular tool usage that you are referring to, or … is it one of the other fields?
The ObjID time is the time the computer was last booted.
There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.
http//
The ObjID time is the time the computer was last booted.
There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.
http://sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved
Thank you so much
This blog post
http//
…then takes us here…
http//
Creating a timeline from a VM, and including this data, will very likely give you your answer.