When using third-party image mounting tools to perform the forensic examination of NTFS file-systems, it is extremely important to understand NTFS Junction Points so that you don't find yourself making a critical mistake during your analysis. An issue has been identified with third-party image mounting software where NTFS junction points are hard linked to folders on the forensic investigator's own hard disk. If you use software to process a file-system (such as NetAnalysis® or Anti-Virus software) and the file-system is mounted with junction points, the Operating System on the forensic workstation may point the software to folders which are not contained within the suspect volume. This leads to the extremely serious situation where the investigator may inadvertently process their own file-system.

Note

This is a feature built into Microsoft Windows/NTFS and is not a bug with NetAnalysis. When recursively processing a folder structure, NetAnalysis will process the file-system as it is presented by the mounting tool or Operating System. NTFS Junction Points were designed to be transparent to software applications.
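One way to keep a recursive scan inside the mounted volume, shown as an added example (not code from NetAnalysis or from the original page): the walker refuses to descend into any reparse point and records where each one resolves. The function names are hypothetical, and on non-Windows hosts symbolic links stand in for junction points.

```python
import os
import stat
import sys

# Attribute bit Windows sets on junctions, symlinks and mount points.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_redirect(entry):
    """True if the entry is a reparse point (Windows) or a symlink."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # Windows-only field
    return bool(attrs & REPARSE) or entry.is_symlink()


def escapes(root, target):
    """True if target resolves to somewhere outside root."""
    root = os.path.normcase(os.path.realpath(root))
    try:
        return os.path.normcase(os.path.commonpath([root, target])) != root
    except ValueError:  # e.g. different drive letters on Windows
        return True


def walk_evidence(root):
    """Walk root without crossing redirects.

    Returns (files, skipped). skipped holds (path, resolved_target,
    outside_root) for every redirect that was left untraversed.
    """
    files, skipped = [], []
    stack = [root]
    while stack:
        with os.scandir(stack.pop()) as entries:
            for entry in entries:
                if is_redirect(entry):
                    target = os.path.realpath(entry.path)
                    skipped.append((entry.path, target, escapes(root, target)))
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                else:
                    files.append(entry.path)
    return sorted(files), sorted(skipped)


if __name__ == "__main__" and len(sys.argv) > 1:
    found, redirects = walk_evidence(sys.argv[1])
    for path, target, outside in redirects:
        print(f"{'OUTSIDE' if outside else 'inside '} {path} -> {target}")
    print(f"{len(found)} files inside the volume")
```

Any entry reported as `OUTSIDE` is a redirect that a transparent recursive scan would have followed off the evidence volume. Files that carry a reparse point are skipped and reported as well, which errs on the side of not leaving the volume.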