USN Journal and Log file analysis

(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Could anyone with experience in analyzing the log files and USN journal of NTFS drives offer their opinions on this –

I'm trying to examine an external drive to get as much detail about activity carried out on it.

Having extracted the USN Journal and log files, it's very clear when files were deleted or placed onto the drive on certain dates/times because it lists the name of the file with the date and activity.

However on some dates there is much less information which I'm trying to discern. For example on one date this is all that's listed

$TxfLog.blf,,Data_Overwritten,Normal,Archive
$TxfLog.blf,,Data_Overwritten/ File_Closed,Normal,Archive

What might this indicate as having happened?

 
Posted : 27/09/2018 11:12 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

A quick Google search revealed this

https://security.stackexchange.com/questions/66236/could-system-volume-information-and-rmmetadata-pose-information-leakage-on-a

I would suggest that more information is required for a more thorough response. For example, I know that this is an external drive, but what do you know about the system it was connected to; specifically, what was the version of the OS? I know that might not be available, but I did find mention of some issues with Win8.1, specifically.

This could simply mean that there was no other activity that day.

 
Posted : 28/09/2018 9:23 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Thanks for your reply.

It was connected to Windows 7.

As said I'm no expert on examining these, so when you say no other activity on that day does that mean no files or folders were even opened? Do these journals and logs record if files are opened at all, or is it only if new files are copied to the drive or existing files are deleted from the drive?

 
Posted : 28/09/2018 10:08 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

As said I'm no expert on examining these,

Nor am I.

…so when you say no other activity on that day does that mean no files or folders were even opened?

I'm not saying that at all. I'm saying that based on the snippet you provided from the USN change journal, perhaps there was no other activity.

You'd be better able to determine that, by creating a timeline of activity.

 
Posted : 30/09/2018 12:13 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

As said I'm no expert on examining these,

Nor am I.

…so when you say no other activity on that day does that mean no files or folders were even opened?

I'm not saying that at all. I'm saying that based on the snippet you provided from the USN change journal, perhaps there was no other activity.

You'd be better able to determine that, by creating a timeline of activity.

Understood. Perhaps there was no other activity that day.

My question is what sort of activity would generate these snippets and nothing else on that day?

 
Posted : 30/09/2018 7:50 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

You could also try analyzing the $LogFile. It is recycled though, so if you are looking at FS transactions from some time back, then it might be overwritten. Unless you already found a tool for decoding it, you could try this one https://github.com/jschicht/LogFileParser

Regarding UsnJrnl there are also a couple of tools you could try; https://github.com/jschicht/ExtractUsnJrnl and https://github.com/jschicht/UsnJrnl2Csv

It might also be worth scanning unallocated space on the volume for UsnJrnl fragments (if there is a significant time between the target FS operations and when the disk was imaged). Extract unallocated with a tool capable of it, then use UsnJrnl2Csv in scan mode on it.

 
Posted : 30/09/2018 10:17 pm
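The "scan mode" joakims describes is just record carving: the USN change journal ($UsnJrnl:$J) is a sequence of self-describing USN_RECORD_V2 structures, so any byte range (the live $J, or unallocated clusters that once held it) can be walked and every structure that passes sanity checks decoded. The example below is added here and is not code from this thread or from jschicht's tools; it uses Microsoft's documented USN_RECORD_V2 layout and USN_REASON_* bit values, and the sample "unallocated" buffer is constructed inline (two of its records mirror the $TxfLog.blf DATA_OVERWRITE / DATA_OVERWRITE+CLOSE pair in the opening post, with made-up timestamps and MFT numbers). It also bins the recovered records into a per-day timeline, which is the step keydet89 keeps pointing at.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits as documented by Microsoft (winioctl.h)
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE", 0x80000000: "CLOSE",
}
KNOWN_REASONS = sum(REASON_FLAGS)  # every bit a genuine record may carry
ATTR_FLAGS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE",
              0x80: "NORMAL", 0x100: "TEMPORARY", 0x200: "SPARSE", 0x400: "REPARSE_POINT",
              0x800: "COMPRESSED", 0x4000: "ENCRYPTED"}

# Fixed part of USN_RECORD_V2 (60 bytes): RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows, padded to 8 bytes.
HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

# Timestamps outside this window are treated as corruption or coincidental bytes, not journal records.
MIN_TS = dt_to_filetime(datetime(1995, 1, 1, tzinfo=timezone.utc))
MAX_TS = dt_to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))

def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]

def parse_record(buf, off):
    """Decode one USN_RECORD_V2 at buf[off:]. Returns a dict, or None if the bytes fail sanity checks."""
    if off + HDR.size > len(buf):
        return None
    (reclen, major, minor, frn, parent, usn, ts, reason,
     source, _secid, attrs, name_len, name_off) = HDR.unpack_from(buf, off)
    if major != 2 or minor != 0:
        return None
    if not HDR.size <= reclen <= HDR.size + 512 or reclen % 8 or off + reclen > len(buf):
        return None
    if name_off != HDR.size or name_len == 0 or name_len % 2 or name_off + name_len > reclen:
        return None
    if reason == 0 or reason & ~KNOWN_REASONS or source & ~7 or not MIN_TS <= ts <= MAX_TS:
        return None
    try:
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if "\x00" in name or any(c in '\\/:*?"<>|' for c in name):
        return None
    return {"offset": off, "record_length": reclen, "usn": usn, "timestamp": filetime_to_dt(ts),
            "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48, "parent_entry": parent & 0xFFFFFFFFFFFF,
            "filename": name, "reasons": flag_names(reason, REASON_FLAGS),
            "attributes": flag_names(attrs, ATTR_FLAGS), "source_info": source}

def carve_usn_records(buf, step=1):
    """Scan mode: walk buf and yield every record that validates. step=8 matches the alignment inside a
    live $J; step=1 also catches records that start unaligned in carved unallocated space."""
    off = 0
    while off + HDR.size <= len(buf):
        rec = parse_record(buf, off)
        if rec:
            yield rec
            off += rec["record_length"]
        else:
            off += step

def daily_timeline(records):
    """Group decoded records by UTC date, ordered by timestamp then USN."""
    days = defaultdict(list)
    for r in sorted(records, key=lambda r: (r["timestamp"], r["usn"])):
        days[r["timestamp"].date().isoformat()].append(
            f"{r['timestamp']:%H:%M:%S} {r['filename']} {'|'.join(r['reasons'])}")
    return dict(days)

# --- constructed sample data (not from any real image) ---
def build_record(usn, when, reason, name, attrs=0x20, frn=(5 << 48) | 1000, parent=(1 << 48) | 5):
    name_b = name.encode("utf-16-le")
    reclen = (HDR.size + len(name_b) + 7) & ~7
    hdr = HDR.pack(reclen, 2, 0, frn, parent, usn, dt_to_filetime(when), reason, 0, 0, attrs, len(name_b), HDR.size)
    return hdr + name_b + b"\x00" * (reclen - HDR.size - len(name_b))

UTC = timezone.utc
SAMPLE_EVENTS = [  # (usn, time, reason bits, name); hypothetical activity on an external drive
    (0x1000, datetime(2018, 9, 20, 10, 15, 0, tzinfo=UTC), 0x100, "report.docx"),
    (0x1040, datetime(2018, 9, 20, 10, 15, 1, tzinfo=UTC), 0x100 | 0x2 | 0x80000000, "report.docx"),
    (0x1080, datetime(2018, 9, 22, 9, 0, 0, tzinfo=UTC), 0x1, "$TxfLog.blf"),
    (0x10C0, datetime(2018, 9, 22, 9, 0, 0, tzinfo=UTC), 0x1 | 0x80000000, "$TxfLog.blf"),
    (0x1100, datetime(2018, 9, 25, 17, 30, 0, tzinfo=UTC), 0x200 | 0x80000000, "report.docx"),
]

def sample_unallocated():
    """Journal records interleaved with zero fill, junk and one damaged (timestamp zeroed) record."""
    recs = [build_record(*e) for e in SAMPLE_EVENTS]
    damaged = bytearray(recs[2]); damaged[32:40] = b"\x00" * 8
    return (b"\x00" * 128 + recs[0] + recs[1] + b"\xa5" * 13 + recs[2] + recs[3]
            + bytes(damaged) + b"\x00" * 40 + recs[4] + b"\xff" * 32)

def sample_carve():
    return list(carve_usn_records(sample_unallocated()))

if __name__ == "__main__":
    for day, events in daily_timeline(sample_carve()).items():
        print(day, *events, sep="\n  ")
```

Two things the output shows that a flat CSV does not: the CLOSE bit is cumulative, so a file's history arrives as a run of records where the last one (the "File_Closed" variant in the tool output quoted above) carries every reason accumulated since the handle was opened, and a day whose only surviving records name $TxfLog.blf (the TxF base log under $Extend\$RmMetadata) is exactly what this parser would report for that day; it decodes what is there and does not speculate about what caused it. On a real image, replace sample_unallocated() with the bytes of the extracted $J or of the carved unallocated space, and expect fragments in unallocated to be partially overwritten, which is why the timestamp and name checks reject rather than trust every candidate header.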
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

My question is what sort of activity would generate these snippets and nothing else on that day?

Generate a timeline of system activity. That will show you.

 
Posted : 01/10/2018 10:51 am
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

You could also try analyzing the $LogFile. It is recycled though, so if you are looking at FS transactions from some time back, then it might be overwritten. Unless you already found a tool for decoding it, you could try this one https://github.com/jschicht/LogFileParser

Regarding UsnJrnl there are also a couple of tools you could try; https://github.com/jschicht/ExtractUsnJrnl and https://github.com/jschicht/UsnJrnl2Csv

It might also be worth scanning unallocated space on the volume for UsnJrnl fragments (if there is a significant time between the target FS operations and when the disk was imaged). Extract unallocated with a tool capable of it, then use UsnJrnl2Csv in scan mode on it.

I just converted the db file that was the USNJournal and LogFile into CSV format and then opened them in Excel - it's no different, right?

You said the LogFile is recycled; is the USNJournal recycled too?

 
Posted : 01/10/2018 12:44 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

They are both recycled, but in different ways. I don't know which tools you used. It is rather a decoding and dump of data into CSV than a conversion. Anyways, importing into Excel should work, at least with the CSVs of the tools I linked to. The data decoded from those two files is very different. $LogFile is extremely low level on NTFS. $UsnJrnl is higher level and easier to grasp. For one $UsnJrnl entry you may find numerous entries relating to the same action in $LogFile. In most cases you will find that the data found and decoded in $LogFile covers a much smaller period of time than what you could find for $UsnJrnl.

 
Posted : 01/10/2018 11:18 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

They are both recycled, but in different ways. I don't know which tools you used. It is rather a decoding and dump of data into CSV than a conversion. Anyways, importing into Excel should work, at least with the CSVs of the tools I linked to. The data decoded from those two files is very different. $LogFile is extremely low level on NTFS. $UsnJrnl is higher level and easier to grasp. For one $UsnJrnl entry you may find numerous entries relating to the same action in $LogFile. In most cases you will find that the data found and decoded in $LogFile covers a much smaller period of time than what you could find for $UsnJrnl.

I certainly find the LogFile is substantially smaller than the UsnJrnl.

How are they both recycled 'in different ways'?

 
Posted : 02/10/2018 2:52 am