Extract $J


thefuf
Senior Member
 

Re: Extract $J

Post Posted: Dec 12, 19 21:13

Use dfir_ntfs (https://github.com/msuhanov/dfir_ntfs) to mount every shadow copy, then use fls & icat (The Sleuth Kit) to extract the $J data. Optionally, use dfir_ntfs again to parse the $J data.  
 
  

Passmark
Senior Member
 

Re: Extract $J

Post Posted: Dec 13, 19 06:19

The USN journal file has multiple NTFS file streams, so I am not sure of the value of extracting just the $J stream by itself.
The other stream in the same file, $Max:Data, contains important stuff like Maximum Size, Allocation Delta, USN ID (a) & Lowest Valid USN. See
flatcap.org/linux-ntfs...njrnl.html

So the $Max:Data information is pretty important if you want to do anything with the $J stream.
Also to make sense of the $J stream you also need the corresponding MFT (in order to work out the file names for each record).

In addition to having multiple NTFS streams the $UsnJrnl file is a sparse file (the size on disk is smaller than the size of the file). So any attempt to extract just the $J stream also needs to take this into account. Do you want it sparse, or not, once extracted?

OSF V7 can carve out the $J stream if you want, but for what purpose?



I think it might make more sense to just extract the entire $UsnJrnl file from the image. With both streams intact and the sparse attribute intact. If you need help with this let me know.

From V5 of OSF there was also a built in $UsnJrnl Viewer. But that won't help you if you are stuck on V4. (unless you use the V7 trial)  
 
  

joakims
Senior Member
 

Re: Extract $J

Post Posted: Dec 13, 19 18:15

Just a tiny correction.
- Passmark

Also to make sense of the $J stream you also need the corresponding MFT (in order to work out the file names for each record).


You don't need the MFT to work out the filename of a given usnjrnl record, as all such records already contain the filename.

Paths would be helpful to join, though. But even paths are not that straightforward to attach to the data set, as directory structures may have changed before the snapshot was taken. In that sense usnjrnl records actually contain enough information to build a partial (or temporary) path that would yield a more accurate representation of the current path for a given object than the MFT alone could, if the relevant records are captured in the journal.
_________________
Joakim Schicht

github.com/jschicht 
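As an added example (not code from any poster or tool in this thread), the following Python walk over a $J stream illustrates the points made above: each USN_RECORD_V2 carries its own filename, a path can be rebuilt only as far as the parent directories that appear in the journal (unknown parents are left as placeholders), a directory rename changes the paths of later records, and zero-filled sparse regions have to be skipped. The sample journal is constructed inline; its file reference numbers are made up.

```python
import struct
USN_V2 = struct.Struct("<IHHQQqqIIIIHH")  # 60-byte USN_RECORD_V2 header used in $UsnJrnl:$J

def parse_usn_v2(buf: bytes):
    """Walk a $J stream; zero-filled regions (sparse holes, unused tail) are skipped."""
    off = 0
    while off + USN_V2.size <= len(buf):
        if buf[off:off + 8] == b"\x00" * 8:  # sparse hole or unused tail
            off += 8; continue
        (length, major, _, frn, parent, usn, _, reason, _, _,
         attrs, name_len, name_off) = USN_V2.unpack_from(buf, off)
        if major != 2 or length < USN_V2.size or length % 8 or off + length > len(buf):
            raise ValueError(f"malformed USN record at offset {off:#x}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "frn": frn, "parent": parent, "reason": reason, "attrs": attrs, "name": name}
        off += length

def resolve(parent: int, dirs: dict) -> str:
    """Climb parent references using only directories already seen in the journal."""
    parts = []
    while parent & 0xFFFFFFFFFFFF != 5:  # MFT entry 5 is the root directory
        if parent not in dirs:
            parts.append(f"<unknown:{parent:#x}>")  # never journaled: path stays partial
            break
        name, parent = dirs[parent]
        parts.append(name)
    return "\\" + "\\".join(reversed(parts))

def paths_from_journal(buf: bytes) -> list:
    """(USN, path) per record, the path being the one in force at that point in the journal."""
    dirs, out = {}, []
    for r in parse_usn_v2(buf):
        out.append((r["usn"], resolve(r["parent"], dirs).rstrip("\\") + "\\" + r["name"]))
        if r["attrs"] & 0x10:  # FILE_ATTRIBUTE_DIRECTORY; a later rename record overrides this
            dirs[r["frn"]] = (r["name"], r["parent"])
    return out

def build_sample_journal() -> bytes:
    """Constructed $J: 16 zero bytes standing in for a sparse hole, then five records."""
    ROOT, DOCS, ORPHAN = 0x0005000000000005, 0x0001000000000030, 0x0003000000000099
    events = [(DOCS, ROOT, "Docs", 0x10), (0x0002000000000031, DOCS, "a.txt", 0),
              (DOCS, ROOT, "Projects", 0x10), (0x0002000000000032, DOCS, "b.txt", 0),
              (0x0002000000000033, ORPHAN, "c.txt", 0)]  # Docs renamed; c.txt's parent never journaled
    buf = b"\x00" * 16
    for frn, parent, name, attrs in events:
        enc = name.encode("utf-16-le")
        length = (USN_V2.size + len(enc) + 7) & ~7  # records are 8-byte aligned
        hdr = USN_V2.pack(length, 2, 0, frn, parent, len(buf), 0, 0x80000000, 0, 0, attrs, len(enc), USN_V2.size)
        buf += hdr + enc + b"\x00" * (length - len(hdr) - len(enc))  # USN == byte offset in $J
    return buf
```

Running `paths_from_journal(build_sample_journal())` yields `\Docs\a.txt` before the rename, `\Projects\b.txt` after it, and a placeholder parent for `c.txt`, which is exactly the kind of partial path the journal alone can give you.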
 
  

minime2k9
Senior Member
 

Re: Extract $J

Post Posted: Dec 13, 19 18:18

I did try getting my tool to re-create the file path. The issue is that with the 2,000,000 records that were usually extracted, it took ages!

I may look at re-doing this in the future or a newer version of my tool.  
 
  

joakims
Senior Member
 

Re: Extract $J

Post Posted: Dec 13, 19 18:33

I made a proof of concept some time ago for rebuilding paths. Ended up making a separate program for it and making use of mariadb. But there are some challenges with doing something like that, for instance renamed directories.
_________________
Joakim Schicht

github.com/jschicht 
 
  

UnallocatedClusters
Senior Member
 

Re: Extract $J

Post Posted: Dec 13, 19 20:49

- joakims
The tool is open source and not dangerous. It can do one thing and is good at it. To extract from a vsc you need the volume mounted so that the shadow is exposed through the OS symbolic link.


I believe you that the tool is not malware - it is the first time the Chrome browser itself has blocked a download on the laptop I attempted to download the zip file (weird).

I downloaded the desktop client version of GitHub - maybe that will let me "clone" the repository if I am using the correct terminology.  
 
  

joakims
Senior Member
 

Re: Extract $J

Post Posted: Dec 13, 19 21:05

- UnallocatedClusters

I downloaded the desktop client version of GitHub - maybe that will let me "clone" the repository if I am using the correct terminology.


Either that. Or download the zip using another browser. Or compile the au3 source yourself.

The usual annoyance wrt AV is that these types of compiled exes are blacklisted by default by less sophisticated AV.
_________________
Joakim Schicht

github.com/jschicht 
 

Page 2 of 3