Overview

When using third-party image mounting tools to perform forensic examinations of NTFS file-systems, it is extremely important to understand NTFS junction points so that you do not make a critical mistake during your analysis. An issue has been identified with third-party image mounting software where NTFS junction points within the mounted image resolve to folders on the forensic investigator's own hard disk. If you use software to process a file-system (such as NetAnalysis® or anti-virus software) and that file-system is mounted with junction points, the operating system on the forensic workstation may point the software to folders which are not contained within the suspect volume. This leads to the extremely serious situation where the investigator may inadvertently process their own file-system.

...

Operating / File System

  • Microsoft Windows Vista with NTFS volumes
  • Microsoft Windows 7 with NTFS volumes
  • Microsoft Windows 8 with NTFS volumes

Symbolic Links

Windows 2000 and later support directory symbolic links (junction points), where a directory serves as a symbolic link to another directory on the computer. By using junction points, you can graft a target folder onto another NTFS folder or "mount" a volume onto an NTFS junction point. Junction points are transparent to software applications.

...

Unlike an NTFS junction point, a symbolic link can also point to a file or to a remote SMB network path. While NTFS junction points support only absolute paths on local drives, NTFS symbolic links allow linking using relative paths. Additionally, the NTFS symbolic link implementation provides full support for cross-file-system links. However, the functionality enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems.

Junction Points

In Windows Vista, Windows Server 2008 and Windows 8, the default locations for user data and system data have changed. For example, user data that was previously stored in the %SystemDrive%\Documents and Settings directory is now stored in the %SystemDrive%\Users directory. For backward compatibility, the old locations have junction points that point to the new locations. For example, C:\Documents and Settings is now a junction point that points to C:\Users. Backup applications must be capable of backing up and restoring junction points. These junction points can be identified as follows:  

...

  • Doing so can cause the backup application to back up the same data more than once.  
  • It can also lead to cycles (circular references).
      
Warning

Some mounting tools do not respect these permissions and therefore allow software applications to follow the links. Because the link targets are stored in the file-system as absolute paths, they can unfortunately point to real folder locations on the forensic workstation.

The following shows an example of a junction point and its target folder:

Microsoft Windows Vista / 7 Junction Point Example

  Junction Point:  C:\Users\All Users\
  Target Folder:   C:\ProgramData\

Therefore, any software reading the file-system will be presented with data from C:\ProgramData\ as if it were contained within C:\Users\All Users\.

Mounting an NTFS Volume containing Junction Points

If a volume is imaged, mounted and presented to the operating system as volume G:\, the junction point recorded in the MFT for G:\Users\All Users\ still points to the absolute path C:\ProgramData\. If you are using Microsoft Windows Vista or Windows 7/8 as your operating system, you will have a folder at this location containing your own data. Microsoft Windows will transparently present the data from your own volume as if it were contained within G:\Users\All Users\.

Warning

This could have serious consequences from a forensic point of view if the forensic examiner inadvertently imports data that does not belong to the case he/she is examining.

Example

This example demonstrates the issue.
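As an added check for the mounting scenario described above (not part of the original page or of any tool named on it), the following Python 3.8+ script collects every junction on a mounted evidence volume and flags those whose target is an absolute path outside the mount letter, i.e. those that would resolve onto the examiner's own disk. The enumeration function only works on Windows; the classification logic is platform-independent and is exercised on a constructed sample containing the two junctions named on this page plus one hypothetical junction that stays inside the image.

```python
import os
import re
import stat

# Windows reports junction targets with an NT namespace prefix, e.g.
# \\?\C:\ProgramData or \??\C:\ProgramData; strip it before comparing.
_NT_PREFIX = re.compile(r"^\\(\?\?|\\\?)\\")


def normalize_target(target: str) -> str:
    """Comparable form: no NT prefix, backslashes only, no trailing separator,
    lower case (NTFS path matching is case-insensitive)."""
    return _NT_PREFIX.sub("", target).replace("/", "\\").rstrip("\\").lower()


def escapes_volume(target: str, mount_root: str) -> bool:
    """True when a junction target does not resolve under the evidence mount."""
    t, root = normalize_target(target), normalize_target(mount_root)
    return not (t == root or t.startswith(root + "\\"))


def audit(links, mount_root: str) -> dict:
    """Map every junction that points outside mount_root to its target."""
    return {link: normalize_target(tgt) for link, tgt in links if escapes_volume(tgt, mount_root)}


def enumerate_junctions(mount_root: str) -> list:
    """Collect (junction, target) pairs from a mounted volume on Windows.
    Reparse-point directories are recorded but never descended into, so the
    walk cannot wander onto the examiner's own disk or loop on a cycle."""
    found, stack = [], [mount_root]
    while stack:
        try:
            entries = list(os.scandir(stack.pop()))
        except OSError:
            continue  # unreadable directory: skip it, do not abort the audit
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
            if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
                found.append((entry.path, os.readlink(entry.path)))  # readlink reads junctions on 3.8+
            else:
                stack.append(entry.path)
    return found


# Constructed sample: the two junctions named on this page plus a hypothetical in-volume one.
SAMPLE_LINKS = [
    (r"G:\Users\All Users", r"\\?\C:\ProgramData"),
    (r"G:\Documents and Settings", r"\\?\C:\Users"),
    (r"G:\Data\Shortcut", r"\\?\G:\Data\Real"),
]
```

On a live Windows workstation, call `audit(enumerate_junctions("G:\\"), "G:\\")` against the mounted image; any entry returned is data that does not belong to the case.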

References

...