Where file was created

(@eugene_777)
Posts: 22
Eminent Member
Topic starter
 

Hello.
How can I know exactly whether a file was created on a certain PC or copied from another PC?
Some facts, e.g. GUID, SID Owner, Author, can change depending on the PC where the file was opened. Thus, they don't give exact information about where a file was created.

Thanks in advance.

 
Posted : 23/11/2018 10:06 am
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

If we're talking NTFS, take a look at the $LogFile and, if it is active, the $UsnJrnl.$J file.

The USN journal is a great source of evidence and may allow you to track a file's history on the volume in question by its MFT file identifier.

 
Posted : 23/11/2018 11:09 am
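
An added example, not part of either poster's message: a minimal parser for USN_RECORD_V2 entries from the `$J` stream that groups events by MFT file identifier (entry and sequence number), as the reply above describes. The file names, reference numbers and timestamps in `SAMPLE` are constructed, and only a subset of reason flags is decoded.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IHHQQqQIIIIHH")   # USN_RECORD_V2 fixed part, 60 bytes
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
ENTRY_MASK = 0xFFFFFFFFFFFF                # low 48 bits = MFT entry, high 16 = sequence

def filetime_to_dt(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn(buf):
    """Yield V2 records from raw $J bytes, skipping zero-filled (sparse) regions."""
    pos = 0
    while pos + HEADER.size <= len(buf):
        (length, major, _, ref, parent, usn, ts, reason,
         _, _, _, name_len, name_off) = HEADER.unpack_from(buf, pos)
        if length < HEADER.size or major != 2 or pos + length > len(buf):
            pos += 8                       # records are 8-byte aligned: resync
            continue
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le", "replace")
        yield {"usn": usn, "time": filetime_to_dt(ts), "name": name,
               "entry": ref & ENTRY_MASK, "seq": ref >> 48,
               "parent_entry": parent & ENTRY_MASK,
               "reasons": [n for bit, n in REASONS.items() if reason & bit]}
        pos += (length + 7) & ~7

def history_by_file(buf):
    """Group records by (MFT entry, sequence) so one file's events stay together."""
    hist = defaultdict(list)
    for rec in parse_usn(buf):
        hist[(rec["entry"], rec["seq"])].append(rec)
    return hist

def build_record(ref, parent, usn, ft, reason, name):
    """Pack one constructed V2 record (sample data only, not from a real volume)."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7
    return (HEADER.pack(length, 2, 0, ref, parent, usn, ft, reason, 0, 0, 0x20,
                        len(raw), HEADER.size) + raw).ljust(length, b"\0")

# Constructed sample: sparse zero run, then three events for MFT entry 1234, sequence 5.
REF, T0 = (5 << 48) | 1234, 131874408000000000
SAMPLE = (b"\0" * 64
          + build_record(REF, 5, 64, T0, 0x100, "report.docx")
          + build_record(REF, 5, 152, T0 + 10_000_000, 0x80000102, "report.docx")
          + build_record(REF, 5, 240, T0 + 600_000_000, 0x2000, "report_final.docx"))
```

`history_by_file(SAMPLE)` returns one key, `(1234, 5)`, whose record list starts with a `FILE_CREATE` event and ends with the rename to `report_final.docx`.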
(@eugene_777)
Posts: 22
Eminent Member
Topic starter
 

I agree with you that the USN journal is a great resource of information, but it will not show where a file was created. It can show that a file exists or existed in the past. Maybe I'm wrong.

 
Posted : 23/11/2018 12:25 pm