You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

 

Overview

When using third party image mounting tools to perform forensic examinations of NTFS file-systems, it is extremely important to understand NTFS Junction Points so that you don't find yourself making a critical mistake during your analysis. An issue has been identified with third party image mounting software where NTFS junction points are hard linked to folders on the forensic investigator's own hard disk. If you use software to process a file-system (such as NetAnalysis® or Anti-Virus software) and that file-system is mounted with junction points, the Operating System on the forensic workstation may point the software to folders which are not contained within the suspect volume. This leads to the extremely serious situation, where the investigator may inadvertently process their own file-system.

 

This is a feature built in to Microsoft Windows/NTFS and is not a bug with NetAnalysis.  When recursively processing a folder structure, NetAnalysis will process the file-system as it is presented by the mounting tool or Operating System. NTFS Juntion Points were designed to be transparent to software applications.


This is possible with the following Operating Systems and file-systems:

Operating / File System
Microsoft Windows Vista with NTFS volumes
Microsoft Windows 7 with NTFS volumes
Microsoft Windows 8 with NTFS volumes

Symbolic Links

Windows 2000 and higher supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. By using junction points, you can graft a target folder onto another NTFS folder or "mount" a volume onto an NTFS junction point. Junction points are transparent to software applications.

An NTFS symbolic link (symlink) is a file-system object in the NTFS filesystem that points to another file system object. The object being pointed to is called the target.  Symbolic links should be transparent to users; the links appear as normal files or directories, and can be acted upon by the user or application in exactly the same manner.  Symbolic links are designed to aid in migration and application compatibility with POSIX operating systems, and were introduced with the modifications made to the NTFS file system with Windows Vista.  Unlike an NTFS junction point (available since Windows 2000), a symbolic link can also point to a file or remote SMB network path. Additionally, the NTFS symbolic link implementation provides full support for cross-filesystem links.  However, the functionality enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems. 

Unlike an NTFS junction point, a symbolic link can also point to a file or remote SMB network path. While NTFS junction points support only absolute paths on local drives, the NTFS symbolic links allow linking using relative paths. Additionally, the NTFS symbolic link implementation provides full support for cross-filesystem links. However, the functionality enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems. 

Junction Points

In Windows Vista, Windows Server 2008 and Windows 8, the default locations for user data and system data have changed. For example, user data that was previously stored in the %SystemDrive%\Documents and Settings directory is now stored in the %SystemDrive%\Users directory. For backward compatibility, the old locations have junction points that point to the new locations. For example, C:\Documents and Settings is now a junction point that points to C:\Users. Backup applications must be capable of backing up and restoring junction points. These junction points can be identified as follows:  

  • They have the FILE_ATTRIBUTE_REPARSE_POINT, FILE_ATTRIBUTE_HIDDEN, and FILE_ATTRIBUTE_SYSTEM file attributes set.  
  • They also have their access control lists (ACLs) set to deny read access to everyone.

Applications that call out a specific path can traverse these junction points if they have the required permissions. However, attempts to enumerate the contents of the junction points will result in failures. It is important that backup applications do not traverse these junction points, or attempt to backup data under them, for two reasons:  

  • Doing so can cause the backup application to back up the same data more than once.  
  • It can also lead to cycles (circular references).
      

Some mounting tools do not respect these permissions and therefore allow software applications to follow the links. As the links are hard coded into the file-system, they unfortunately can point to actual folder locations on the forensic workstation.

  

 The below shows an example of a junction point and the target folder:

 

Microsoft Windows Vista / 7 Junction Point Example
C:\Users\All Users\C:\ProgramData\

  

Therefore, any software reading the file system will be presented with data from C:\ProgramData\ as if it was contained within C:\Users\All Users\.

Mounting an NTFS Volume containing Junction Points

If a volume is imaged and mounted and presented to the Operating System as Volume G:\, the symbolic link contained within the MFT for G:\Users\All Users\ is pointing to C:\ProgramData\.  If you are using Microsoft Vista or Windows 7/8 as your Operating System, you will have a folder in this location containing your own data.  Microsoft Windows will transparently present the data from your volume as if it was contained within G:\Users\All Users\

This could have serious consequences from a forensic point of view if the forensic examiner inadvertently imports data that does not belong to the case he/she is examining.

Example

This example demonstrates the issue.

References

 

 

 

 

  • No labels