NTFS external drive


wotsits
Senior Member
 

NTFS external drive

Posted: Feb 27, 19 14:24

I would like to confirm: every time you connect an NTFS drive to a Windows computer, does it leave some entry in the USN Journal or Log File? Even if none of the files on the drive are altered and no files are copied to the drive, is there always some record or entry of the connection?
 
  

jaclaz
Senior Member
 

Re: NTFS external drive

Posted: Feb 27, 19 15:16

- wotsits
I would like to confirm: every time you connect an NTFS drive to a Windows computer, does it leave some entry in the USN Journal or Log File? Even if none of the files on the drive are altered and no files are copied to the drive, is there always some record or entry of the connection?


In order to confirm it, we need to know that what you described actually happens (ever or in some particular case).

So maybe you could tell us how you determined it happens or where you read that it happens.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

wotsits
Senior Member
 

Re: NTFS external drive

Posted: Feb 27, 19 18:26

The drive being literally plugged in, read but nothing written and then removed.

I have fully extracted and analyzed the log file and USN Journal on an NTFS drive. In 2017 there are thousands of entries of file names/paths being deleted, written, etc. In 2018 there are only two entries, on one specific date and time; they make no reference to any particular path, and I infer that the drive was merely connected and read, with no other activity.

So what I'm trying to confirm is - is this an accurate piece of evidence that during that year the drive was only connected and read once?  
 
  

passcodeunlock
Senior Member
 

Re: NTFS external drive

Posted: Feb 27, 19 21:20

No. USBDeview and almost every registry "cleaner" alters this information.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right to choose which tasks we take and which we deny! 
 
  

jaclaz
Senior Member
 

Re: NTFS external drive

Posted: Feb 27, 19 21:45

- wotsits
In 2018 there are only two entries on one specific date and time, they make no reference to any particular path and I infer that the drive was merely connected and read and no other activity.

Yep, but is the inference an intuition, the result of similar observations in other cases, a random guess, something else, etc.?
I mean, given only the comparison between the (many) "2017" entries and the few (two) "2018" ones, it seems to me too little to form a theory.
All you know, it seems to me, is that once (and only once) in 2018 (maybe) *something* happened.
You have no actual proof that the same *something* also happened in 2017 (maybe).

In theory, if every time a NTFS volume is connected to a Windows system 2 entries with current date and time (but without any path) are written *somewhere*, then you should find 2 of such entries for every day (assuming that the PC is switched off every day) in which you find (in 2017) an entry for an actual path/file moved/deleted/modified, etc.

Otherwise you will also have to assume that these 2 "pathless" entries are removed (and overwritten or blanked) after having been written at connection time as soon as a "real" operation (path/file move/deletion/modify etc.) happened.



- wotsits

So what I'm trying to confirm is - is this an accurate piece of evidence that during that year the drive was only connected and read once?

It doesn't sound very convincing, at the moment, IMHO.

Let's say that your previous theory is valid, what makes you exclude that the drive was connected a second time in 2018 but the corresponding 2 entries have been deleted afterwards?

If you had a following entry (let's say a "2019" set of 2 entries) and no blank "gap" of any kind after the "2018" one, then you would have some more grounds (assuming that the entries on the *whatever* you analyzed are written contiguously and sequentially).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

thefuf
Senior Member
 

Re: NTFS external drive

Posted: Feb 27, 19 21:50

Are you sure that no files were copied to the drive? Even with backdated timestamps.

What was the Windows version believed to be the last one used to write to the drive?

Is it a flash stick? Or an external HDD/SSD?

1. If this is an external HDD/SSD, and this drive was never attached to a Windows 10 machine (with write access enabled), and the version of Windows used to read the drive later was 10, then the following streams will be present:

$Extend\$RmMetadata\$Repair
$Extend\$RmMetadata\$Repair:$Config
$Extend\$RmMetadata\$Repair:$Corrupt
$Extend\$RmMetadata\$Repair:$Verify

2. Also, under the same conditions, if a Windows 10* machine had a system volume (usually, the C: drive) equal to or smaller than 128 GiB, then the last access updates would be enabled for an external HDD/SSD. Check if any of these timestamps cover the time frame in question.

* – one of the recent versions of Windows 10.

3. Also, under similar conditions, if a Windows 8+ machine was used to read the drive and an older version of Windows was used to write to the drive before, then the LFS version could be upgraded to 2.0 (older versions of Windows use 1.1). These version numbers are stored in the $LogFile, at the offsets 26 and 28 (as two 16-bit integers, minor and major version numbers respectively).

Usually, this version is downgraded when the volume is unmounted, but still, you can see the traces of the $LogFile being downgraded. Open the $LogFile, go to the offset 16444 and check the next 4 bytes. If they are not null and not equal to 0xFFFFFFFF, then the LFS version was downgraded.  
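The two $LogFile checks in the post above (LFS version at offsets 26/28, downgrade trace at offset 16444) as a small parser. This is an added example, not code from the post or from any tool the poster maintains; the restart page header field layout it packs into the constructed sample (magic, update sequence array offset/count, CHKDSK LSN, page sizes, restart area offset) follows the NTFS RSTR header, and the sample image is test data, not a real volume.

```python
import struct
import sys

# Offsets inside the $LogFile restart page header (RSTR), as given in the post:
# minor version at 26, major version at 28, both little-endian 16-bit integers.
LFS_MINOR_OFFSET = 26
LFS_MAJOR_OFFSET = 28
# Offset named in the post for the downgrade trace (4 bytes).
DOWNGRADE_TRACE_OFFSET = 16444

RESTART_MAGIC = (b"RSTR", b"CHKD")


def lfs_version(logfile: bytes):
    """Return (major, minor) from the first restart page of an extracted $LogFile.

    Neither field sits in the last two bytes of a 512-byte sector, so the NTFS
    update-sequence fixups do not need to be applied before reading them.
    """
    if len(logfile) < LFS_MAJOR_OFFSET + 2:
        raise ValueError("$LogFile too short for a restart page header")
    if logfile[:4] not in RESTART_MAGIC:
        raise ValueError("first page is not an RSTR/CHKD restart page")
    minor, major = struct.unpack_from("<HH", logfile, LFS_MINOR_OFFSET)
    return major, minor


def downgrade_trace(logfile: bytes) -> bool:
    """True if the 4 bytes at offset 16444 are neither 0 nor 0xFFFFFFFF,
    the condition the post gives for a downgraded LFS version."""
    if len(logfile) < DOWNGRADE_TRACE_OFFSET + 4:
        return False
    (value,) = struct.unpack_from("<I", logfile, DOWNGRADE_TRACE_OFFSET)
    return value not in (0, 0xFFFFFFFF)


def describe(logfile: bytes) -> str:
    """Human-readable summary of what the header says, using the post's rules."""
    major, minor = lfs_version(logfile)
    if (major, minor) == (2, 0):
        return "LFS 2.0: Windows 8+ format (the post notes it is usually downgraded at unmount)"
    if (major, minor) == (1, 1):
        text = "LFS 1.1: pre-Windows 8 format"
        if downgrade_trace(logfile):
            text += ", with a downgrade trace at offset 16444 (a Windows 8+ system mounted it)"
        return text
    return f"unexpected LFS version {major}.{minor}"


def build_sample_logfile(major: int, minor: int, trace: bytes) -> bytes:
    """Constructed test image (not real evidence): one RSTR header followed by
    zero padding, with the 4 bytes at 16444 set to `trace`."""
    buf = bytearray(DOWNGRADE_TRACE_OFFSET + 4)
    struct.pack_into("<4sHHQIIHHH", buf, 0,
                     b"RSTR",      # magic
                     0x1E, 0x09,   # update sequence array offset / count (4096-byte page)
                     0,            # CHKDSK LSN
                     4096, 4096,   # system page size, log page size
                     0x40,         # restart area offset
                     minor, major) # offsets 26 and 28
    buf[DOWNGRADE_TRACE_OFFSET:DOWNGRADE_TRACE_OFFSET + 4] = trace
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python3 lfs_version.py /path/to/extracted/$LogFile
    with open(sys.argv[1], "rb") as f:
        print(describe(f.read()))
```

Run it against a $LogFile carved from the image; it only reads the first restart page and the 4 bytes at 16444, so a partially extracted $LogFile of at least 16448 bytes is enough.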
 
  

wotsits
Senior Member
 

Re: NTFS external drive

Posted: Feb 27, 19 23:07

This is an HDD and the OS believed to have been connected to it is Windows 7.

I forgot to mention that there are entries in 2019. However the period we are particularly interested in interrogating is 2018 so that's why I failed to note this fact.

With that in mind, there is continuity of entries from 2017-2019.

The particular entry looks like:
$TxfLog.blf - Data_Overwritten
$TxfLog.blf - Data_Overwritten/ File_Closed

I've searched the entire files for any matches of this filename and it is the only time it occurs, so no it doesn't appear every other time the drive was connected, but on every other occasion there is much more activity of copy/delete files.  
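A way to repeat the search described above over an extracted $UsnJrnl:$J and decode the reason flags on every hit. This is an added example, not the poster's tooling: it parses USN_RECORD_V2 records (the 60-byte header plus a UTF-16LE name), skips zero-filled sparse regions, and is fed a constructed $J containing the 2017 write, the two $TxfLog.blf entries the thread describes, and a 2019 entry. The sample records, their timestamps and file reference numbers are made up for the test.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes, little-endian), followed by the UTF-16LE name.
USN_V2_HDR = "<IHHQQqqIIIIHH"
USN_V2_HDR_LEN = struct.calcsize(USN_V2_HDR)  # 60

# USN reason flags (winioctl.h), in ascending bit order.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",   0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",       0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",         0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",   0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",  0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",  0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def decode_reason(flags: int):
    return [name for bit, name in USN_REASONS.items() if flags & bit]


def iter_usn_v2(data: bytes):
    """Walk an extracted $UsnJrnl:$J. Zero-filled (sparse) regions are skipped
    8 bytes at a time; parsing stops at the first malformed or non-v2 record
    (v3/v4 records use 128-bit file references and are not handled here)."""
    off, end = 0, len(data)
    while off + USN_V2_HDR_LEN <= end:
        (reclen,) = struct.unpack_from("<I", data, off)
        if reclen == 0:
            off += 8
            continue
        if reclen < USN_V2_HDR_LEN or reclen % 8 or off + reclen > end:
            break
        (_, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, attrs, nlen, noff) = struct.unpack_from(USN_V2_HDR, data, off)
        if major != 2:
            break
        name = data[off + noff:off + noff + nlen].decode("utf-16-le", "replace")
        yield {"usn": usn, "timestamp": filetime_to_dt(ts), "reason": reason,
               "name": name, "frn": frn, "parent": parent, "attrs": attrs}
        off += reclen


def find_by_name(data: bytes, name: str):
    """All records whose file name matches `name` (case-insensitive, as NTFS is)."""
    return [r for r in iter_usn_v2(data) if r["name"].lower() == name.lower()]


def build_usn_record_v2(usn, when, reason, name,
                        frn=0x1000000000001, parent=0x5000000000005):
    """Constructed record for test data; not taken from any real journal."""
    name_b = name.encode("utf-16-le")
    reclen = (USN_V2_HDR_LEN + len(name_b) + 7) & ~7  # records are 8-byte aligned
    buf = bytearray(reclen)
    struct.pack_into(USN_V2_HDR, buf, 0, reclen, 2, 0, frn, parent, usn,
                     dt_to_filetime(when), reason, 0, 0, 0x20, len(name_b), USN_V2_HDR_LEN)
    buf[USN_V2_HDR_LEN:USN_V2_HDR_LEN + len(name_b)] = name_b
    return bytes(buf)


UTC = timezone.utc
# Constructed $J: a sparse gap, a 2017 file write, the pair of $TxfLog.blf
# entries described in the thread, and a 2019 entry.
SAMPLE_J = bytes(64) + b"".join([
    build_usn_record_v2(0x100, datetime(2017, 3, 14, 10, 0, tzinfo=UTC),
                        0x00000102 | 0x80000000, "report.docx"),
    build_usn_record_v2(0x180, datetime(2018, 6, 2, 9, 15, 30, tzinfo=UTC),
                        0x00000001, "$TxfLog.blf"),
    build_usn_record_v2(0x1C0, datetime(2018, 6, 2, 9, 15, 30, tzinfo=UTC),
                        0x00000001 | 0x80000000, "$TxfLog.blf"),
    build_usn_record_v2(0x200, datetime(2019, 1, 10, 8, 5, tzinfo=UTC),
                        0x00000200 | 0x80000000, "old.tmp"),
])


if __name__ == "__main__":
    # Usage: python3 usn_scan.py /path/to/extracted/\$J '$TxfLog.blf'
    with open(sys.argv[1], "rb") as f:
        for rec in find_by_name(f.read(), sys.argv[2]):
            print(rec["timestamp"].isoformat(), rec["name"],
                  "|".join(decode_reason(rec["reason"])))
```

Matching on the file name only finds records for that name; the parent file reference number is carried in each record so the path can be resolved against the $MFT when it matters. The timestamps come from the writing system's clock, so they are only as trustworthy as that clock was.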
 
