...

When using third party image mounting tools to perform the forensic examination of NTFS filesystems, it is extremely important to understand NTFS Junction Points so that you don't find yourself making a critical mistake during your analysis. An issue has been identified with third party image mounting software where NTFS junction points are hard linked to folders on the forensic investigator's own hard disk. If you use software to process a filesystem (such as NetAnalysis® or Anti-Virus software) and the filesystem is mounted with junction points, the Operating System on the forensic workstation may point the software to folders which are not contained within the suspect volume. This leads to the extremely serious situation where the investigator may inadvertently process their own filesystem.

Note

This is a feature of Microsoft Windows/NTFS and is not a bug with NetAnalysis. When recursively processing a folder structure, NetAnalysis will process the filesystem as it is presented by the mounting tool or Operating System. NTFS Junction Points were designed to be transparent to software applications.


This is possible with the following Operating Systems and filesystems:

Operating / File System
Microsoft Windows Vista with NTFS volumes (and server Operating Systems)
Microsoft Windows 7 with NTFS volumes (and server Operating Systems)
Microsoft Windows 8 with NTFS volumes (and server Operating Systems)

...

An NTFS symbolic link (symlink) is a filesystem object in the NTFS filesystem that points to another filesystem object. The object being pointed to is called the target. Symbolic links should be transparent to users; the links appear as normal files or directories, and can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with POSIX operating systems, and were introduced with the modifications made to the NTFS filesystem with Windows Vista. Unlike an NTFS junction point (available since Windows 2000), a symbolic link can also point to a file or remote SMB network path. Additionally, the NTFS symbolic link implementation provides full support for cross-filesystem links. However, the functionality enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems.

...

Warning

Some mounting tools do not respect these permissions and therefore allow software applications to follow the links. As the links are hard coded into the filesystem, they unfortunately can point to actual folder locations on the forensic workstation.

...

If you then image the volume and mount the resulting image file on any of the Operating Systems previously identified (and assuming your system drive is C:\), you will find that accessing the Documents and Settings folder, or the All Users folder, will result in the presentation of files and folders from your own filesystem.
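As an added illustration (not part of the original article or of NetAnalysis itself), the following Python script walks a mounted image and reports every junction or symbolic link whose target resolves outside the mount point, which is exactly the condition that would make a recursive tool read the examiner's own drive. The walker assumes Python 3.8+ on Windows, where os.readlink follows junctions and os.lstat exposes st_file_attributes; the path comparison is plain ntpath arithmetic, and the paths shown in the comments are constructed samples.

```python
import ntpath
import os

# Attribute bit carried by junctions and symlinks (Windows SDK value, assumed here)
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def normalize_target(target: str) -> str:
    """Strip the NT object-manager prefixes os.readlink reports for junctions."""
    for prefix in ("\\\\?\\", "\\??\\"):
        if target.startswith(prefix):
            return target[len(prefix):]
    return target


def escapes_mount(mount_root: str, link_path: str, target: str) -> bool:
    """True if a reparse point at link_path resolves outside mount_root.

    Constructed sample: mount at E:\\, junction E:\\Documents and Settings
    with target \\??\\C:\\Users escapes; target \\\\?\\E:\\ProgramData does not.
    """
    root = ntpath.normcase(ntpath.normpath(mount_root))
    target = normalize_target(target)
    # Symlink targets may be relative; they resolve against the link's own directory.
    if not ntpath.splitdrive(target)[0]:
        target = ntpath.join(ntpath.dirname(link_path), target)
    resolved = ntpath.normcase(ntpath.normpath(target))
    try:
        return ntpath.commonpath([root, resolved]) != root
    except ValueError:
        return True  # different drive letter or a UNC share: never inside the image


def find_escaping_reparse_points(mount_root: str) -> list:
    """Walk a mounted image without descending into links; return (link, target) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(mount_root, followlinks=False):
        for name in list(dirnames) + filenames:
            path = os.path.join(dirpath, name)
            attrs = getattr(os.lstat(path), "st_file_attributes", 0)
            if not attrs & FILE_ATTRIBUTE_REPARSE_POINT:
                continue
            if name in dirnames:
                dirnames.remove(name)  # never recurse through a junction or dir symlink
            try:
                target = os.readlink(path)
            except (OSError, ValueError):
                continue  # other reparse tags (dedup, cloud placeholders) are not links
            if escapes_mount(mount_root, path, target):
                hits.append((path, target))
    return hits
```

Run find_escaping_reparse_points against the drive letter the image is mounted on and review every hit before pointing any recursive tool at that volume.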
