...

  • Documents and Settings
  • Junctions within the All Users, Public, and Default User profiles

Example

To demonstrate this issue, a test volume was created as follows:

  1. A 500 Mb sparse file was created and mounted (in this case, as F:\); the volume was then formatted as NTFS
  2. A folder, F:\Users, was created as normal
  3. A command prompt was opened (Run as administrator)

The following commands were executed: 

mklink /J "F:\Users\All Users" "C:\ProgramData"
mklink /J "F:\Documents and Settings" "C:\Users"

Previewing the Junction Points

The above commands create two junction points, both exactly the same as you would find in a typical Windows scenario. Viewing the volume in forensic software shows the junctions and their corresponding links.

 


Examining Junction Points

The following image shows a volume containing junction points. You can also see the corresponding hard link.

 

[Image: volume containing junction points]

Even though this volume is mounted as F:, accessing the folder F:\Users\All Users\ opens the link and presents the files from C:\ProgramData as if they were actually contained within F:\Users\All Users.

 


 If you then image the volume and mount the resulting image file on any of the Operating Systems previously identified (and assuming your system drive is C:\), you will find that accessing the Documents and Settings folder, or the All Users folder, will result in the presentation of files and folders from your own filesystem.
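To avoid following a junction on the examining host, its target can be read straight from the junction's reparse data. The following is an added example, not part of the original page: it parses the Windows mount-point form of REPARSE_DATA_BUFFER and reports which drive letter the target would resolve against. The function names are hypothetical and the sample buffers are constructed from the two mklink targets above.

```python
import struct

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # tag NTFS uses for junctions
HEADER = struct.Struct("<IHH")   # ReparseTag, ReparseDataLength, Reserved
NAMES = struct.Struct("<HHHH")   # SubstituteName off/len, PrintName off/len

def build_sample_junction(target):
    """Constructed test data: reparse buffer for a junction to `target`."""
    sub = ("\\??\\" + target).encode("utf-16-le")
    prn = target.encode("utf-16-le")
    path = sub + b"\0\0" + prn + b"\0\0"
    body = NAMES.pack(0, len(sub), len(sub) + 2, len(prn)) + path
    return HEADER.pack(IO_REPARSE_TAG_MOUNT_POINT, len(body), 0) + body

def parse_junction(buf):
    """Return (substitute_name, print_name) without following the link."""
    if len(buf) < HEADER.size + NAMES.size:
        raise ValueError("buffer too short for a mount-point reparse header")
    tag, data_len, _reserved = HEADER.unpack_from(buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError("not a junction (tag 0x%08X)" % tag)
    if data_len < NAMES.size or HEADER.size + data_len > len(buf):
        raise ValueError("ReparseDataLength does not fit the buffer")
    s_off, s_len, p_off, p_len = NAMES.unpack_from(buf, HEADER.size)
    # Name offsets are byte offsets relative to the start of PathBuffer.
    path = buf[HEADER.size + NAMES.size : HEADER.size + data_len]
    names = []
    for off, length in ((s_off, s_len), (p_off, p_len)):
        if length % 2 or off % 2 or off + length > len(path):
            raise ValueError("name offset/length outside PathBuffer")
        names.append(path[off:off + length].decode("utf-16-le"))
    return tuple(names)

def examiner_drive(substitute_name):
    """Drive letter the target resolves against on the examining host, or None."""
    rest = substitute_name[4:] if substitute_name.startswith("\\??\\") else substitute_name
    if len(rest) >= 2 and rest[0].isalpha() and rest[1] == ":":
        return rest[0].upper()
    return None  # e.g. \??\Volume{GUID}\ mount points carry no drive letter

if __name__ == "__main__":
    for target in ("C:\\ProgramData", "C:\\Users"):  # targets from the mklink commands
        sub, prn = parse_junction(build_sample_junction(target))
        print(prn, "-> resolves on examiner drive", examiner_drive(sub))
```

A junction whose substitute name carries a drive letter stores an absolute path, so on a mounted image it resolves against whatever volume holds that letter on the examining system.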

References