
Overview

An issue has been identified with third-party image mounting software where NTFS symbolic links on the mounted evidence volume carry absolute targets that resolve to folders on the forensic investigator's own hard disk.  If you use software (such as NetAnalysis or anti-virus software) to recurse a folder structure from a mounted volume containing such symbolic links, the operating system on the forensic workstation may redirect the software into folders which are not contained within the suspect volume.

 

This is a feature built into Microsoft Windows/NTFS and is not a bug in NetAnalysis.  When recursing a folder structure, NetAnalysis processes the file system exactly as the operating system presents it.

This is possible with the following operating systems and file systems:

Operating system / file system
    Microsoft Windows Vista with NTFS volumes
    Microsoft Windows 7 with NTFS volumes

An NTFS symbolic link (symlink) is a file-system object in the NTFS file system that points to another file-system object, called the target.  Symbolic links are meant to be transparent to users: the link appears as a normal file or directory and can be acted upon by a user or application in exactly the same way.  They were designed to aid migration and application compatibility with POSIX operating systems and were introduced with the changes made to NTFS in Windows Vista.  Unlike an NTFS junction point (available since Windows 2000), a symbolic link can also point to a file or to a remote SMB network path, and the implementation fully supports links across file systems.  Cross-host symbolic links require that the remote system also support them, which in practice limits them to Windows Vista and later Windows operating systems.  The following shows an example of a symbolic link and its target folder:

 

Microsoft Windows Vista / 7 symbolic link example
    Symbolic link:  C:\Users\All Users\
    Target:         C:\ProgramData\

  

Therefore, any software reading the file system will be presented with the data from C:\ProgramData\ as if it were contained within C:\Users\All Users\.

If a volume is imaged, mounted and presented to the operating system as volume G:\, the symbolic link recorded in the MFT for G:\Users\All Users\ still points to C:\ProgramData\: the target is stored as an absolute path, drive letter included, and is resolved by the workstation that mounts the image, not by the system the image came from.  If you are using Windows Vista or Windows 7 as your operating system, you will have a folder at that location containing your own data, and Windows will transparently present the data from your own volume as if it were contained within G:\Users\All Users\.  This could have serious consequences from a forensic point of view if the examiner inadvertently imports data that does not belong to the case he or she is examining.  Before recursing a mounted image, enumerate its reparse points (for example with dir /AL /S G:\ from a command prompt, which lists symbolic links and junctions together with their targets) and exclude any whose target lies outside the mounted drive letter.
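As an added example (not NetAnalysis code and not part of the original page), the following Python script performs the check an examiner wants before letting any tool recurse a mounted image: it walks the volume without ever crossing a symbolic link or junction, records every link whose stored target falls outside the mounted root, and lists only the regular files that actually live on the volume.  The directory tree it builds (examiner_C, mounted_G, the file names) is constructed sample data standing in for the examiner's C:\ProgramData and an image mounted as G:\.  It uses only the standard library; on Windows it relies on os.readlink returning the link's stored absolute target and, on Python 3.12 or later, on os.path.isjunction to catch junctions as well as symbolic links.

```python
"""Added example: find reparse links on a mounted evidence volume that escape it.

Not NetAnalysis code. Standard library only. The tree built by
build_demo_volume() is constructed data mirroring the page's case: a mounted
volume whose Users/All Users link stores an absolute target that resolves on
the examiner's own disk.
"""
import os
import tempfile
from pathlib import Path


def is_reparse_link(entry: os.DirEntry) -> bool:
    """True for symbolic links everywhere, and for NTFS junctions on Python 3.12+."""
    if entry.is_symlink():
        return True
    isjunction = getattr(os.path, "isjunction", None)  # only present on 3.12+
    return bool(isjunction and isjunction(entry.path))


def link_target(link_path: str) -> str:
    """Absolute, normalised target read from the link itself (nothing is followed)."""
    target = os.readlink(link_path)
    if target.startswith("\\\\?\\"):      # Windows returns \\?\C:\... for absolute targets
        target = target[4:]
    if not os.path.isabs(target):        # relative NTFS symlinks resolve against the link's folder
        target = os.path.join(os.path.dirname(link_path), target)
    return os.path.normpath(target)


def is_inside(root: str, path: str) -> bool:
    """Does path lie under root? Different drive letters (G: vs C:) are outside by definition."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:                   # raised on Windows when the drives differ
        return False


def scan_volume(root: str):
    """Walk root without ever crossing a link.

    Returns (regular_files, escaping_links): the files a recursing tool should
    see, and (link, target) pairs whose target is outside the mounted volume.
    """
    root = os.path.normpath(os.path.abspath(root))
    files, escaping = [], []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError:                  # unreadable folder: skip it, follow nothing
            continue
        for entry in entries:
            if is_reparse_link(entry):
                target = link_target(entry.path)
                if not is_inside(root, target):
                    escaping.append((entry.path, target))
                continue                 # links are recorded, never descended
            if entry.is_dir(follow_symlinks=False):
                stack.append(entry.path)
            elif entry.is_file(follow_symlinks=False):
                files.append(entry.path)
    return sorted(files), sorted(escaping)


def build_demo_volume(base: str) -> str:
    """Constructed stand-in for the page's scenario; returns the mounted volume root.

    examiner_C/ProgramData plays the examiner's own ProgramData folder on C:,
    mounted_G plays the suspect image mounted as G:. The Users/All Users link
    stores an absolute target, as the real Vista/7 link does, so it resolves on
    the examiner's side of the tree.
    """
    examiner = os.path.join(base, "examiner_C", "ProgramData")
    volume = os.path.join(base, "mounted_G")
    os.makedirs(examiner)
    os.makedirs(os.path.join(volume, "Users", "Bob"))
    os.makedirs(os.path.join(volume, "ProgramData"))
    Path(examiner, "examiner_only.txt").write_text("examiner workstation data")
    Path(volume, "Users", "Bob", "suspect.txt").write_text("suspect data")
    # The dangerous link: absolute target on the examiner's disk
    os.symlink(examiner, os.path.join(volume, "Users", "All Users"), target_is_directory=True)
    # A harmless link whose target stays on the mounted volume
    os.symlink(os.path.join(volume, "ProgramData"), os.path.join(volume, "internal_link"),
               target_is_directory=True)
    return volume


def run_demo() -> dict:
    """Build the demo tree in a temporary directory and scan it."""
    base = tempfile.mkdtemp(prefix="ntfs_symlink_demo_")
    volume = build_demo_volume(base)
    files, escaping = scan_volume(volume)
    return {"base": base, "volume": volume, "files": files, "escaping": escaping}


if __name__ == "__main__":
    result = run_demo()
    for link, target in result["escaping"]:
        print(f"ESCAPES VOLUME: {link} -> {target}")
    for path in result["files"]:
        print(f"file: {path}")
```

On a real mount call scan_volume(r"G:\") directly (creating the demo links on Windows needs the SeCreateSymbolicLinkPrivilege, scanning does not).  Anything returned in the escaping list is a path the operating system would silently redirect into your own workstation; exclude it from the recursion, or resolve it against the image rather than the host.  Note that the check deliberately reads the link's stored target instead of opening it, so the examiner's folder is never touched during the scan.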
