...

When using third party image mounting tools to perform the forensic examination of NTFS file systems, it is extremely important to understand NTFS Junction Points so that you don't find yourself making a critical mistake during your analysis. An issue has been identified with third party image mounting software where NTFS junction points are hard linked to folders on the forensic investigator's own hard disk. If you use software to process a file system (such as NetAnalysis® or Anti-Virus software) and the file system is mounted with junction points, the Operating System on the forensic workstation may point the software to folders which are not contained within the suspect volume. This leads to the extremely serious situation, where the investigator may inadvertently process their own file system.

This is possible with the following Operating Systems and file systems:

Operating / File System
Image Modified Microsoft Windows Vista with NTFS volumes (and server Operating Systems)
Image Modified Microsoft Windows 7 with NTFS volumes (and server Operating Systems)
Image Modified Microsoft Windows 8 with NTFS volumes (and server Operating Systems)

Symbolic Links

Windows 2000 and higher supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. By using junction points, you can graft a target folder onto another NTFS folder or "mount" a volume onto an NTFS junction point. Junction points are transparent to software applications.

...

• Doing so can cause the backup application to back up the same data more than once.  
• It can also lead to cycles (circular references).
    

...

...

Per-User Junctions and System Junctions

...