USN Journal and Log file analysis


wotsits
Senior Member
 

USN Journal and Log file analysis

Posted: Sep 27, 18 23:12

Could anyone with experience in analyzing the log files and USN journal of NTFS drives offer their opinions on this --

I'm trying to examine an external drive to get as much detail about activity carried out on it.

Having extracted the USN Journal and log files, it's very clear when files were deleted or placed onto the drive on certain dates/times because it lists the name of the file with the date and activity.

However on some dates there is much less information which I'm trying to discern. For example on one date this is all that's listed:

$TxfLog.blf,,Data_Overwritten,Normal,Archive
$TxfLog.blf,,Data_Overwritten/ File_Closed,Normal,Archive

What might this indicate as having happened?  
 
  

keydet89
Senior Member
 

Re: USN Journal and Log file analysis

Posted: Sep 28, 18 21:23

A quick Google search revealed this:

security.stackexchange...akage-on-a

I would suggest that more information is required for a more thorough response. For example, I know that this is an external drive, but what do you know about the system it was connected to; specifically, what was the version of the OS? I know that might not be available, but I did find mention of some issues with Win8.1, specifically.

This could simply mean that there was no other activity that day.  
 
  

wotsits
Senior Member
 

Re: USN Journal and Log file analysis

Posted: Sep 28, 18 22:08

Thanks for your reply.

It was connected to Windows 7.

As said I'm no expert on examining these, so when you say no other activity on that day does that mean no files or folders were even opened? Do these journals and logs record if files are opened at all, or is it only if new files are copied to the drive or existing files are deleted from the drive?  
 
  

keydet89
Senior Member
 

Re: USN Journal and Log file analysis

Posted: Sep 30, 18 12:13

- wotsits
As said I'm no expert on examining these,


Nor am I.

- wotsits
...so when you say no other activity on that day does that mean no files or folders were even opened?


I'm not saying that at all. I'm saying that based on the snippet you provided from the USN change journal, perhaps there was no other activity.

You'd be better able to determine that, by creating a timeline of activity.  
 
  

wotsits
Senior Member
 

Re: USN Journal and Log file analysis

Posted: Sep 30, 18 19:50

- keydet89
- wotsits
As said I'm no expert on examining these,


Nor am I.

- wotsits
...so when you say no other activity on that day does that mean no files or folders were even opened?


I'm not saying that at all. I'm saying that based on the snippet you provided from the USN change journal, perhaps there was no other activity.

You'd be better able to determine that, by creating a timeline of activity.


Understood. Perhaps there was no other activity that day.

My question is what sort of activity would generate these snippets and nothing else on that day?  
 
  

joakims
Senior Member
 

Re: USN Journal and Log file analysis

Posted: Sep 30, 18 22:17

You could also try analyzing the $LogFile. It is recycled though, so if you are looking at FS transactions from some time back, then it might be overwritten. Unless you already found a tool for decoding it, you could try this one github.com/jschicht/LogFileParser

Regarding UsnJrnl, there are also a couple of tools you could try: github.com/jschicht/ExtractUsnJrnl and github.com/jschicht/UsnJrnl2Csv

It might also be worth scanning unallocated space on the volume for fragments of the UsnJrnl (if there is a significant time between the target FS operations and when the disk was imaged). Extract unallocated space with a tool capable of it, then use UsnJrnl2Csv in scan mode on it.
_________________
Joakim Schicht

github.com/jschicht 
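The reason and attribute columns in rows like `$TxfLog.blf,,Data_Overwritten/ File_Closed,Normal,Archive` come from two bit-fields in each USN_RECORD_V2 stored in $UsnJrnl:$J (Reason and FileAttributes); a CSV tool simply names the bits that are set. The Python below is an added example, not code from this thread or from the jschicht tools. It parses those records from raw bytes, carves them out of a buffer the way a scan over unallocated space has to (byte-stepping plus strict structural checks, since nothing in a carved fragment is aligned), and counts records per day so that a day holding only NTFS housekeeping rows stands out. The journal fragment, file names, MFT entry numbers and timestamps are constructed for the example; the record layout and flag values follow the public USN_RECORD_V2 definition. For background, $TxfLog.blf is the CLFS base log of the Transactional NTFS resource manager under $Extend\$RmMetadata\$TxfLog\, maintained by NTFS's TxF component rather than by a user copying or opening files.

```python
"""Parse and carve NTFS USN_RECORD_V2 entries from a $UsnJrnl:$J extract or from unallocated
space. Added example for this thread, not the forum's or the jschicht tools' code."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<IHHQQqqIIIIHH"             # USN_RECORD_V2 fixed part, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 60 bytes; the UTF-16LE file name follows
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
USN_REASONS = {  # Reason bit-field (USN_REASON_* values)
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE", 0x80000000: "CLOSE",
}
FILE_ATTRIBUTES = {  # FileAttributes bit-field (FILE_ATTRIBUTE_* values)
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY", 0x0020: "ARCHIVE",
    0x0080: "NORMAL", 0x0100: "TEMPORARY", 0x0800: "COMPRESSED", 0x4000: "ENCRYPTED",
}

def filetime_to_utc(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def decode_flags(value, table):
    """Render a bit-field as NAME|NAME; bits not in the table are kept as hex, not dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    return "|".join(names + ([hex(leftover)] if leftover else []))

def parse_usn_record_v2(buf, offset):
    """One record at `offset`, or None if the bytes fail the structural checks a carver needs:
    version 2.0, 8-byte-aligned plausible length, name right after the header, a reason bit."""
    if offset + HEADER_LEN > len(buf):
        return None
    (rec_len, major, minor, frn, parent_frn, usn, ts, reason, _source,
     _sec_id, attrs, name_len, name_off) = struct.unpack_from(HEADER_FMT, buf, offset)
    if ((major, minor) != (2, 0) or rec_len % 8 or not HEADER_LEN <= rec_len <= 1024
            or name_off != HEADER_LEN or name_len % 2 or name_off + name_len > rec_len
            or offset + rec_len > len(buf) or reason == 0 or ts <= 0):
        return None
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le", "replace")
    return {
        "offset": offset, "length": rec_len, "usn": usn, "name": name,
        "timestamp": filetime_to_utc(ts),
        "mft_entry": frn & 0xFFFFFFFFFFFF,           # low 48 bits of the file reference
        "mft_sequence": frn >> 48,                    # high 16 bits: entry reuse count
        "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
        "reason": decode_flags(reason, USN_REASONS),
        "attributes": decode_flags(attrs, FILE_ATTRIBUTES),
    }

def carve_usn_records(buf):
    """Walk a $J extract or a blob of unallocated space and return every record that validates.
    A good record is skipped whole; anything else advances one byte, so unaligned fragments are found."""
    found, pos = [], 0
    while pos + HEADER_LEN <= len(buf):
        rec = parse_usn_record_v2(buf, pos)
        if rec is None:
            pos += 1
            continue
        found.append(rec)
        pos += rec["length"]
    return found

def activity_per_day(records):
    """Records per UTC calendar day: shows which days hold only housekeeping entries."""
    return Counter(r["timestamp"].date().isoformat() for r in records)

def build_usn_record_v2(name, usn, when, reason, attrs, mft_entry, parent_entry, seq=1):
    """Inverse of the parser; used only to construct sample data for this example."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (HEADER_LEN + len(name_bytes) + 7) // 8 * 8
    d = when - EPOCH_1601               # integer maths: a float FILETIME would lose ticks
    filetime = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    header = struct.pack(HEADER_FMT, rec_len, 2, 0, (seq << 48) | mft_entry,
                         (seq << 48) | parent_entry, usn, filetime, reason, 0, 0, attrs,
                         len(name_bytes), HEADER_LEN)
    return header + name_bytes + b"\0" * (rec_len - HEADER_LEN - len(name_bytes))

# Constructed fragment: 13 junk bytes, a user file created and closed on one day, then on
# another day only the two $TxfLog.blf rows quoted in the thread, then zero padding.
T0 = datetime(2018, 9, 20, 8, 15, 0, tzinfo=timezone.utc)
T1 = datetime(2018, 9, 23, 5, 2, 11, tzinfo=timezone.utc)
SAMPLE_JOURNAL = (
    b"\xff" * 13
    + build_usn_record_v2("report.docx", 0x000, T0, 0x100, 0x20, 41, 5)
    + build_usn_record_v2("report.docx", 0x058, T0, 0x100 | 0x2 | 0x80000000, 0x20, 41, 5)
    + build_usn_record_v2("$TxfLog.blf", 0x0B0, T1, 0x1, 0x80 | 0x20, 28, 27)
    + build_usn_record_v2("$TxfLog.blf", 0x108, T1, 0x1 | 0x80000000, 0x80 | 0x20, 28, 27)
    + b"\0" * 32
)
```

On a real case, read $J (from ExtractUsnJrnl or any forensic suite) or the unallocated-space dump into bytes and pass it to carve_usn_records; each record's usn value is the byte offset it occupied inside $J, which is what lets you order carved fragments that no longer have a position of their own. The strict checks in parse_usn_record_v2 are what keep byte-stepping over unallocated space from producing a flood of false positives, and any record they reject is simply skipped, so loosen them knowingly if a fragment you expect is missing.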
 
  

keydet89
Senior Member
 

Re: USN Journal and Log file analysis

Posted: Oct 01, 18 10:51

- wotsits

My question is what sort of activity would generate these snippets and nothing else on that day?


Generate a timeline of system activity. That will show you.  
 
