NTFS Object IDs ($ObjID)
NTFS Object IDs are 16-byte GUIDs that NTFS can attach to individual files so that Windows can find them again regardless of how they are renamed or where they are moved within the volume. Not every file has one; when present, the Object ID links the GUID to the file's MFT record rather than to its path, so the link survives renames and moves between directories. It is not indestructible: the ID is removed by fsutil objectid delete and does not survive a copy to a non-NTFS volume. The volume-wide index of these mappings, the $ObjID metafile, is a valuable artifact for resolving LNK shortcut targets and Distributed Link Tracking data to files even after they have been moved or renamed.
Imagine every tracked document in a building is given a unique barcode sticker. Even if the document is moved from one cabinet to another or the folder it sits in is renamed, the barcode stays the same, and a master scanner log always knows which cabinet each barcode is in. NTFS Object IDs are those barcode stickers, and the $ObjID index is the master scanner log that maps every barcode to its cabinet.
General
When an application such as Microsoft Word or the Windows shell (typically when a shortcut to the file is created) assigns an Object ID to a file, NTFS adds an $OBJECT_ID attribute (type 0x40) to that file's MFT record. The attribute holds the 16-byte Object ID and, optionally, three further GUIDs: the Birth Volume ID, the Birth Object ID and the Domain ID. The $ObjID metafile (usually MFT entry 25, located under $Extend) maintains a volume-wide B-tree index, $O, keyed on the Object ID; each index entry records the MFT file reference the GUID currently resolves to together with the same three birth and domain GUIDs. This mechanism is the backbone of the Distributed Link Tracking service, which lets shortcut targets be found even after moves or renames. The Birth Volume ID and Birth Object ID carry the volume identifier and GUID the file had when it was first created, so a Birth Volume ID that differs from the current volume shows the file originated elsewhere. Object IDs generated by Windows are usually version-1 (time-based) UUIDs, so the GUID itself can embed the time it was generated and the MAC address of the host that generated it. On a live system, fsutil objectid query <file> displays the four GUIDs for a given file.
Traces
Parsing the $ObjID index and individual $OBJECT_ID attributes exposes the following data:
- Object ID (GUID): The unique 16-byte identifier assigned to the file.
- MFT File Reference: The MFT record number (48 bits) and sequence number (16 bits) this GUID currently resolves to; a sequence mismatch with the live record shows the record has since been reused.
- Birth Object ID: The GUID the file had when it was originally created, potentially on a different machine; when it is a version-1 UUID it also encodes the creation time and the MAC address of the generating host.
- Birth Volume ID: The volume GUID of the drive where the file was first created, which, compared against the current volume's ID, shows whether the file was created on another volume (often another machine or a removable device).
- and more.
Forensic Use Cases
We analyze Object IDs to track file provenance and link cross-system artifacts:
- File Origin Attribution: Using the Birth Volume ID and Birth Object ID to show that a file was created on a different volume or machine before being transferred to the system under examination, and, when the birth GUID is a version-1 UUID, recovering its creation time and the MAC address of the originating host.
- LNK Target Resolution: Correlating the file Object ID stored in an LNK file's TrackerDataBlock (the DroidFileId) with the $ObjID index to find a target document that has since been moved or renamed.
- File Transfer Tracking: Identifying files whose Birth Volume ID differs from the current volume, indicating files brought in from another host or device; this evidences the inbound side of a transfer on the volume being examined.
- and more.
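Worked example covering both the traces listed above and the use cases: the following Python is added here as an illustration and is not part of the original page or of any particular forensic tool. It parses a $OBJECT_ID attribute value and a $ObjId:$O index entry from raw bytes, decodes a version-1 Object ID into its creation timestamp and MAC address, resolves an LNK DroidFileId to an MFT record, and flags a Birth Volume ID that differs from the examined volume. All GUIDs, the MAC address, the MFT record number and the volume IDs are constructed sample values, not data from a real system.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 UUIDs count 100 ns ticks from 1582-10-15 00:00:00 UTC.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def guid(raw: bytes) -> uuid.UUID:
    """Decode a 16-byte GUID in the mixed-endian layout NTFS stores on disk."""
    return uuid.UUID(bytes_le=raw)


def decode_v1(u: uuid.UUID):
    """Return (timestamp, MAC) embedded in a version-1 UUID, or None when the
    GUID is not time-based and therefore carries no host or time information."""
    if u.version != 1:
        return None
    ts = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return ts, mac


def parse_object_id_attr(value: bytes) -> dict:
    """Parse a file's resident $OBJECT_ID (0x40) value: Object ID, optionally
    followed by Birth Volume ID, Birth Object ID and Domain ID (16 bytes each)."""
    if len(value) not in (16, 64):
        raise ValueError(f"unexpected $OBJECT_ID value length {len(value)}")
    out = {"object_id": guid(value[0:16])}
    if len(value) == 64:
        out["birth_volume_id"] = guid(value[16:32])
        out["birth_object_id"] = guid(value[32:48])
        out["domain_id"] = guid(value[48:64])
    return out


def parse_objid_index_entry(entry: bytes) -> dict:
    """Parse one $ObjId:$O index entry. Header: 0x00 data offset, 0x02 data
    size, 0x08 entry length, 0x0A key length, 0x0C flags. Key at 0x10: the
    Object ID. Data: MFT reference (8 bytes), Birth Volume ID, Birth Object
    ID, Domain ID (16 bytes each)."""
    hdr = struct.unpack_from("<HHIHHHH", entry, 0)
    data_off, data_len, _, entry_len, key_len, flags, _ = hdr
    if flags & 0x02:  # the node's terminating entry carries no key or data
        return {"last": True}
    if key_len != 16 or data_len != 56 or entry_len < data_off + data_len:
        raise ValueError("not a well-formed $ObjId:$O entry")
    data = entry[data_off:data_off + data_len]
    (mft_ref,) = struct.unpack_from("<Q", data, 0)
    return {
        "object_id": guid(entry[16:32]),
        "mft_record": mft_ref & 0xFFFFFFFFFFFF,  # low 48 bits: record number
        "mft_sequence": mft_ref >> 48,          # high 16 bits: sequence number
        "birth_volume_id": guid(data[8:24]),
        "birth_object_id": guid(data[24:40]),
        "domain_id": guid(data[40:56]),
    }


def resolve_lnk_target(index: list, droid_file_id: uuid.UUID):
    """Map the DroidFileId from an LNK TrackerDataBlock to the MFT record the
    $ObjId index holds for it; None if the ID is no longer indexed."""
    for e in index:
        if not e.get("last") and e["object_id"] == droid_file_id:
            return e["mft_record"], e["mft_sequence"]
    return None


def triage(entry: dict, local_volume_id: uuid.UUID) -> dict:
    """Provenance flags: a Birth Volume ID other than the examined volume's
    means the file was created elsewhere; a v1 birth GUID gives when and on
    which NIC it was generated."""
    born = decode_v1(entry["birth_object_id"])
    return {
        "foreign_origin": entry["birth_volume_id"] != local_volume_id,
        "born_at": born[0].isoformat() if born else None,
        "born_on_mac": born[1] if born else None,
    }


# ---- Constructed sample data (hypothetical values, not from a real volume) ----
# v1 UUID b2cca000-e817-11ed-8123-005056c00008 in on-disk byte order; it encodes
# 2023-05-01 12:00:00 UTC and the (made-up) node address 00:50:56:c0:00:08.
OBJECT_ID = bytes.fromhex("00a0ccb217e8ed118123005056c00008")
BIRTH_VOLUME_ID = uuid.UUID("aaaaaaaa-1111-4222-8333-444444444444")
LOCAL_VOLUME_ID = uuid.UUID("bbbbbbbb-5555-4666-8777-888888888888")  # examined volume
SAMPLE_ENTRY = (
    struct.pack("<HHIHHHH", 0x20, 0x38, 0, 0x58, 0x10, 0, 0)  # entry header
    + OBJECT_ID                                            # key
    + struct.pack("<Q", (7 << 48) | 1234)                  # MFT record 1234, seq 7
    + BIRTH_VOLUME_ID.bytes_le + OBJECT_ID + bytes(16)     # birth vol, birth obj, domain
)

if __name__ == "__main__":
    entry = parse_objid_index_entry(SAMPLE_ENTRY)
    print(entry["object_id"], "->", entry["mft_record"], entry["mft_sequence"])
    print(triage(entry, LOCAL_VOLUME_ID))
    print(resolve_lnk_target([entry], entry["object_id"]))
```

To use this against a real volume, carve the $O index records out of the $ObjId metafile with your usual NTFS parser and feed each entry to parse_objid_index_entry; the local volume ID to compare against is the one the Distributed Link Tracking service assigned to that volume, which the example takes as an input rather than locating on disk.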