Missing $UsnJrnl  

Cults14
(@cults14)
Active Member

Hope someone can help, and I hope I’m not being really stupid.

Being an irregular forensicator with a little time on my hands, I decided to have a look at $UsnJrnl on my Win7 Enterprise SP1 system.

Only problem is, viewing the logical drive (BitLocker at play) in FTK Imager, it’s not there. Contents of $Extend are
$RmMetadata
$ObjId
$Quota
$Reparse

Although with $Extend highlighted in the Evidence Tree I can see at offset 0x202 the text "$UsnJrnlata"

According to the post and discussion on JiIR (http://journeyintoir.blogspot.co.uk/2013/01/re-introducing-usnjrnl.html) $UsnJrnl is enabled by default.

Is there a registry (or other??) setting to enable/disable $UsnJrnl? I’ve searched in Regedit (for Keys, Values, and data) but the only entries it comes up with are
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Forensics\$UsnJrnl
* HKEY_USERS\S-1-5-21-2000478354-1960408961-725345543-35816\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Forensics\$UsnJrnl
Which relate to my having saved the above JiIR post in my Favourites

I searched here in FF and also Google, there are some results which suggest that whether $UsnJrnl is enabled or not depends on whether System Protection and/or Indexing is turned on (both are enabled on my system, still no $UsnJrnl)

So – can anyone help with how to enable $UsnJrnl?

Thanks

P.S. FYI there are some Google results which suggest that $UsnJrnl can be enabled in XP, which appears contrary to informed opinion in these circles.

Posted : 30/04/2013 4:44 pm
keydet89
(@keydet89)
Community Legend

http://technet.microsoft.com/en-us/library/cc788042%28v=ws.10%29.aspx

Posted : 30/04/2013 6:37 pm
Cults14
(@cults14)
Active Member

Thanks Harlan, I was aware of the fsutil command. Perhaps I should have explained a bit more.

I'm in a corporate environment (circa 26,000 users, 50 countries, no IT Sec dept - don't ask) where a common question for a Leaver is "did user Joe delete any files".
As I had previously understood that Windows doesn't track copy/move/delete operations, and as the JiIR post stated that a fraud case had turned on proving via $UsnJrnl that a user HAD deleted some files, I was hoping to explore that avenue.

On discovering that my laptop doesn't have a $UsnJrnl file (neither do colleagues in the same work area) I was hoping that there might be a switch somewhere which could be flipped universally using Group Policies if I could fathom the depths of $UsnJrnl and show proportional benefit; I'm not sure that using fsutil would be suitable in our environment.

I guess we could induce something at startup on a one-off basis but I think I'd have more chance with central IT on the GPO front.

Meantime, I do have a $UsnJrnl on the C drive of a VM running W2003 Server so I'll try that.

Cheers

Peter

Posted : 30/04/2013 7:02 pm
keydet89
(@keydet89)
Community Legend

As I had previously understood that Windows doesn't track copy/move/delete operations, and as the JiIR post stated that a fraud case had turned on proving via $UsnJrnl that a user HAD deleted some files, I was hoping to explore that avenue.

The USN change journal (i.e., the $UsnJrnl$J ADS file) is one resource you can use. For example, there are a number of artifacts within a Windows 7 system that will tell you which files the user accessed and when…Registry, Jump Lists, Shortcuts, etc. Using a couple of tools, it's a straightforward process to get a list of the files, their paths, and when they were accessed, and to then compare them to the file system itself.

Depending upon how long ago they were deleted, you could parse the MFT for records marked "not in use", and check the $I30 index files in various directories against the actual contents of the directories for missing files/folders.

Is this something that you've considered?

On discovering that my laptop doesn't have a $UsnJrnl file (neither do colleagues in the same work area) I was hoping that there might be a switch somewhere which could be flipped universally using Group Policies if I could fathom the depths of $UsnJrnl and show proportional benefit; I'm not sure that using fsutil would be suitable in our environment.

I provided the link to the fsutil command as a means of providing a signpost for where you might want to go. Your original post made no mention of fsutil, nor the need for a GPO, so I thought I would offer something that had (apparently) not been considered.

Posted : 30/04/2013 7:36 pm
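To make the "proving a deletion via $UsnJrnl" idea from the exchange above concrete, here is an added example (not code from the thread or from any of the posters) that parses USN_RECORD_V2 records, the version Windows 7 writes to the $UsnJrnl:$J stream, and pulls out deletions that were committed (FILE_DELETE together with CLOSE). The record layout and reason-flag values are those from the Windows SDK (winioctl.h); the journal bytes it runs on are constructed sample data, not an export from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone
# Reason flags as defined for USN_RECORD_V2 in the Windows SDK (winioctl.h)
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_CLOSE = 0x80000000

_HDR = struct.Struct("<IHHQQqqIIIIHH")  # the 60-byte fixed part of USN_RECORD_V2
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_usn_v2(data):
    """Yield one dict per USN_RECORD_V2 in a $J byte blob, skipping zero fill."""
    off = 0
    while off + _HDR.size <= len(data):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if rec_len == 0:          # zeroed (sparse) region between records: step 8 bytes
            off += 8
            continue
        if major != 2 or rec_len < _HDR.size or off + rec_len > len(data):
            break                 # unsupported record version or truncated tail
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "frn": frn, "parent_frn": parent_frn, "attrs": attrs,
               "time": filetime_to_dt(ts), "reason": reason, "name": name}
        off += rec_len            # RecordLength already includes the 8-byte alignment padding

def deleted_files(data):
    """Records carrying FILE_DELETE together with CLOSE, i.e. deletions that were committed."""
    return [r for r in parse_usn_v2(data)
            if r["reason"] & USN_REASON_FILE_DELETE and r["reason"] & USN_REASON_CLOSE]

def build_record(usn, name, reason, ts=0x01CE45A0B2C3D4E5, frn=0x1000000000001F, parent=0x5000000000005):
    """Construct a well-formed USN_RECORD_V2 for the sample below (test data, not a real journal)."""
    enc = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(enc) + 7) & ~7          # pad to an 8-byte boundary
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20, len(enc), _HDR.size)
    return hdr + enc + b"\0" * (rec_len - _HDR.size - len(enc))

# Constructed sample journal: create, create+close and delete+close on one file, plus a rename
SAMPLE_J = b"".join([
    build_record(0x100, "secrets.xlsx", USN_REASON_FILE_CREATE),
    build_record(0x160, "secrets.xlsx", USN_REASON_FILE_CREATE | USN_REASON_CLOSE),
    build_record(0x1C0, "secrets.xlsx", USN_REASON_FILE_DELETE | USN_REASON_CLOSE),
    build_record(0x220, "notes.txt", USN_REASON_RENAME_OLD_NAME),
])
```

A $J exported with FTK Imager is a sparse stream with a long run of zeros before the live records, which is why parse_usn_v2 steps over zero fill; the record only gives the file name, so the parent_frn has to be resolved against the MFT to recover the full path.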
Cults14
(@cults14)
Active Member

Thanks Harlan, I already use some of those resources, I do need to get more familiar with MFT and $I30 though.

Apologies again for lack of clearer info from the get-go, indeed I hadn't mentioned fsutil or GPO.

Not having done anything with $UsnJrnl before, I was kinda hoping it might provide a quick over-arching insight into deleted files. Typically my employers wouldn't know what files were on the Leaver's computer, there's a school of thought that mass deletions are a sign of bad behaviour - but it clearly depends on what the files were and why the Leaver did it (if at all).

Thanks again

Posted : 30/04/2013 8:21 pm
keydet89
(@keydet89)
Community Legend

Not having done anything with $UsnJrnl before, I was kinda hoping it might provide a quick over-arching insight into deleted files. Typically my employers wouldn't know what files were on the Leaver's computer, there's a school of thought that mass deletions are a sign of bad behaviour - but it clearly depends on what the files were and why the Leaver did it (if at all).

Part of the issue with focusing on just the $UsnJrnl$J file is that it's time-dependent.

Posted : 30/04/2013 8:47 pm
Cults14
(@cults14)
Active Member

I'm still a bit bemused - consensus seems to be that $UsnJrnl is enabled by default in Win7. Given that our enterprise environment seems to have disabled it somehow (I have asked the question of central IT, am awaiting a response but not holding my breath), I was hoping that there would be a simple way to enable it globally; I'm pretty sure that we won't have disabled it on purpose (e.g. by implementing the fsutil command on every workstation and laptop), but will let you know when/if I get an answer.

Using a couple of tools, it's a straightforward process to get a list of the files, their paths, and when they were accessed, and to then compare them to the file system itself

I was under the impression that access dates were not terribly reliable, as (for example) AV scans and system-generated defrag could have a major impact? I'm perhaps out of order here, but I tend to use last modified dates on shortcuts as my understanding is that that will indicate the last date the shortcut was accessed.

Regards

Peter

Posted : 01/05/2013 3:34 pm
keydet89
(@keydet89)
Community Legend

I'm still a bit bemused - consensus seems to be that $UsnJrnl is enabled by default in Win7.

Yes, that's what I've seen so far in a few systems.

Given that our enterprise environment seems to have disabled it somehow (I have asked the question of central IT, am awaiting a response but not holding my breath), I was hoping that there would be a simple way to enable it globally; I'm pretty sure that we won't have disabled it on purpose (e.g. by implementing the fsutil command on every workstation and laptop), but will let you know when/if I get an answer.

Perhaps the IT department has a setup procedure, or a "gold image" that they use. This might account for it.

Using a couple of tools, it's a straightforward process to get a list of the files, their paths, and when they were accessed, and to then compare them to the file system itself

I was under the impression that access dates were not terribly reliable, as (for example) AV scans and system-generated defrag could have a major impact? I'm perhaps out of order here, but I tend to use last modified dates on shortcuts as my understanding is that that will indicate the last date the shortcut was accessed.

Perhaps more importantly, updating of last access times on files, via normal user activity, is disabled by default on Vista and above, and controlled by a Registry value.

There are actually a wide range of artifacts, particularly on Windows 7, that will allow you to see when files and resources were last accessed, in the absence of the file system last accessed time being updated. For example, as you mentioned, there are shortcuts, but there are also
- Jump Lists
- Registry MRUs (ie, RecentDocs, etc.)
- App-specific MRUs in the Registry (MSPaint, Office apps, Adobe Reader, etc.)
- Specifically for Office docs accessed via the network, there is a "TrustRecords" key that can be very valuable

HTH

Posted : 01/05/2013 5:32 pm
Cults14
(@cults14)
Active Member

Resolution.

Looks like one culprit was the version of FTK Imager I was using (3.0.0.x). Have updated to 3.1.2 and it works just fine.

The other culprit is me, for not (a) realising I was using a different version of FTKI on a W2003 system that WAS seeing $UsnJrnl and (b) not double-checking using a different app altogether

All's well that ends well

Thanks for the discussion

Posted : 08/05/2013 3:45 pm