The meaning of time in the ObjectID/GUID in the LNK file

(@mansiu)
Posts: 83
Trusted Member
Topic starter
 

I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file. I can see quite a lot of documents stating that the ObjectID is indeed a GUID following the UUID v1.

But when I look at the time in the ObjectID, I found no meaning of the time; it is neither the creation of the target nor the LNK file. The time is usually a few hours before the file's first opening. I have also been searching with FSCTL_CREATE_OR_GET_OBJECT_ID but still have no clues.

I tried with some samples: I downloaded some graphics and opened them, then an LNK file was created in the Recent folder.

If anyone has any information on this, please kindly share.

Thanks

 
Posted : 06/04/2016 6:33 pm
(@athulin)
Posts: 1156
Noble Member
 

> I have been trying to understand the meaning of time embedded in the ObjectID in the LNK file.

It's not clear what you are referring to. There's nothing named 'ObjectId' in [MS-SHLLNK] (i.e. https://msdn.microsoft.com/en-us/library/dd871305.aspx) … which I would expect to be the normative reference for terminology.

Is this some particular tool usage that you are referring to, or … is it one of the other fields?

 
Posted : 06/04/2016 9:19 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

The ObjID time is the time the computer was last booted.

There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.

http://sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved

 
Posted : 06/04/2016 9:36 pm
(@mansiu)
Posts: 83
Trusted Member
Topic starter
 

> The ObjID time is the time the computer was last booted.
>
> There is an article at the link below that I wrote about 5 years ago, some links for further info at the end of it.
>
> http://sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved

Thank you so much

 
Posted : 07/04/2016 2:14 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This blog post

http://windowsir.blogspot.com/2011/12/jump-list-analysis.html

…then takes us here…

http://www.faqs.org/rfcs/rfc4122.html

Creating a timeline from a VM, and including this data, will very likely give you your answer.

 
Posted : 07/04/2016 5:04 pm
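
For readers following the RFC 4122 pointer above, an added example (not code from any poster in this thread): Python that reads the file object GUIDs from an LNK TrackerDataBlock, as laid out in [MS-SHLLNK], and splits each version 1 value into timestamp, clock sequence and node (MAC). The function names and the sample block built by `build_sample_block` are constructed for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 v1 timestamps count 100-ns intervals since the Gregorian reform.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
TRACKER_SIGNATURE = 0xA0000003  # TrackerDataBlock signature in [MS-SHLLNK]

def decode_v1_guid(raw16):
    """Decode 16 on-disk (little-endian GUID) bytes into UUID v1 fields."""
    u = uuid.UUID(bytes_le=bytes(raw16))
    if u.variant != uuid.RFC_4122 or u.version != 1:
        raise ValueError(f"{u} is not an RFC 4122 version 1 UUID")
    return {
        "guid": str(u),
        "timestamp": GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
        "node_mac": ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big")),
    }

def parse_tracker_block(block):
    """Return decoded file object IDs from a 96-byte TrackerDataBlock."""
    size, sig, _length, _version = struct.unpack_from("<4I", block, 0)
    if size != 0x60 or sig != TRACKER_SIGNATURE or len(block) < size:
        raise ValueError("not a TrackerDataBlock")
    machine = block[16:32].split(b"\0", 1)[0].decode("ascii", "replace")
    # Droid (offset 32) and DroidBirth (offset 64) are each a pair of
    # GUIDs: volume ID first, then file object ID.
    return {
        "machine_id": machine,
        "droid_file": decode_v1_guid(block[48:64]),
        "birth_droid_file": decode_v1_guid(block[80:96]),
    }

def build_sample_block(when, mac, clock_seq=0x1234, machine=b"examplepc"):
    """Constructed sample input: a TrackerDataBlock reusing one v1 GUID."""
    ticks = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1) * 10
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
              ((ticks >> 48) & 0x0FFF) | 0x1000,
              0x80 | (clock_seq >> 8) & 0x3F, clock_seq & 0xFF, mac)
    obj = uuid.UUID(fields=fields).bytes_le
    vol = bytes(16)  # placeholder volume GUID, never decoded
    header = struct.pack("<4I", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    return header + machine.ljust(16, b"\0") + (vol + obj) * 2

if __name__ == "__main__":
    when = datetime(2016, 4, 6, 9, 0, tzinfo=timezone.utc)
    for key, value in parse_tracker_block(build_sample_block(when, 0x001122334455)).items():
        print(key, value)
```

On a test VM, comparing the decoded `timestamp` with recorded boot times in a timeline is the check the posts above suggest.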