I would like to confirm whether every time you connect an NTFS drive to a Windows computer it leaves some entry in the USN Journal or $LogFile. Even if none of the files on the drive are altered and no files are copied to the drive, is there always some record or entry of the connection?
In order to confirm it, we need to know that what you described actually happens (ever or in some particular case).
So maybe you could tell us how you determined it happens or where you read that it happens.
jaclaz
The drive being literally plugged in, read but nothing written and then removed.
I have fully extracted and analyzed the $LogFile and USN Journal on an NTFS drive. In 2017 there are thousands of entries of file names/paths being deleted, written, etc. In 2018 there are only two entries on one specific date and time; they make no reference to any particular path, and I infer that the drive was merely connected and read and there was no other activity.
So what I'm trying to confirm is - is this an accurate piece of evidence that during that year the drive was only connected and read once?
No. USBDeview and almost every registry "cleaner" alter this information.
In 2018 there are only two entries on one specific date and time; they make no reference to any particular path, and I infer that the drive was merely connected and read and there was no other activity.
Yep, but is the inference an intuition, the result of similar observations in other cases, a random guess, something else, etc.?
I mean, given only the comparison between the (many) "2017" entries and the few (two) "2018" ones, it seems to me too little to form a theory.
All you know seems to me that once (and only once) in 2018 (maybe) *something* happened.
You have no actual proof that the same *something* happened in 2017 (maybe) also.
In theory, if every time an NTFS volume is connected to a Windows system 2 entries with the current date and time (but without any path) are written *somewhere*, then you should find 2 such entries for every day (assuming that the PC is switched off every day) in which you find (in 2017) an entry for an actual path/file moved/deleted/modified, etc.
Otherwise you will also have to assume that these 2 "pathless" entries are removed (and overwritten or blanked) after having been written at connection time as soon as a "real" operation (path/file move/deletion/modify etc.) happened.
So what I'm trying to confirm is - is this an accurate piece of evidence that during that year the drive was only connected and read once?
It doesn't sound very convincing, at the moment, IMHO.
Let's say that your previous theory is valid, what makes you exclude that the drive was connected a second time in 2018 but the corresponding 2 entries have been deleted afterwards?
If you had a following entry (let's say a "2019" set of 2 entries) and no blank "gap" of any kind after the "2018" one, then you would have some more grounds (assuming that the entries on the *whatever* you analyzed are written contiguously and sequentially).
jaclaz
Are you sure that no files were copied to the drive? Even with backdated timestamps.
What was the Windows version believed to be the last one used to write to the drive?
Is it a flash stick? Or an external HDD/SSD?
1. If this is an external HDD/SSD, and this drive was never attached to a Windows 10 machine (with write access enabled), and the version of Windows used to read the drive later was 10, then the following streams will be present
$Extend\$RmMetadata\$Repair
$Extend\$RmMetadata\$Repair$Config
$Extend\$RmMetadata\$Repair$Corrupt
$Extend\$RmMetadata\$Repair$Verify
2. Also, under the same conditions, if a Windows 10* machine had a system volume (usually, the C drive) equal to or smaller than 128 GiB, then the last access updates would be enabled for an external HDD/SSD. Check if any of these timestamps cover the time frame in question.
* – one of the recent versions of Windows 10.
3. Also, under similar conditions, if a Windows 8+ machine was used to read the drive and an older version of Windows was used to write to the drive before, then the LFS version could be upgraded to 2.0 (older versions of Windows use 1.1). These version numbers are stored in the $LogFile, at the offsets 26 and 28 (as two 16-bit integers, minor and major version numbers respectively).
Usually, this version is downgraded when the volume is unmounted, but still, you can see the traces of the $LogFile being downgraded. Open the $LogFile, go to the offset 16444 and check the next 4 bytes. If they are not null and not equal to 0xFFFFFFFF, then the LFS version was downgraded.
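The two $LogFile checks described in points 1 and 3 above (LFS version at offsets 26/28, downgrade trace at offset 16444) as an added example, not code from anyone in this thread. It reads a raw $LogFile image; the "RSTR" restart-page signature check and the constructed sample images are my additions.

```python
import struct

# Offsets given in the post above: minor and major LFS version as two
# 16-bit integers, and the 4-byte field that keeps a trace of a downgrade.
LFS_MINOR_OFFSET = 26
LFS_MAJOR_OFFSET = 28
DOWNGRADE_MARK_OFFSET = 16444
MIN_IMAGE_LEN = DOWNGRADE_MARK_OFFSET + 4


def lfs_version(logfile):
    """Return (major, minor) from a raw $LogFile image (bytes).

    Windows 8+ writes LFS 2.0; older Windows versions use 1.1.
    The first restart page of $LogFile starts with the "RSTR" signature
    (my sanity check, not part of the post)."""
    if logfile[:4] != b"RSTR":
        raise ValueError("not an NTFS $LogFile image (missing RSTR signature)")
    minor, major = struct.unpack_from("<hh", logfile, LFS_MINOR_OFFSET)
    return major, minor


def downgrade_traces(logfile):
    """True if offset 16444 holds a value that is neither 0 nor 0xFFFFFFFF,
    i.e. the LFS version was once 2.0 and has since been downgraded."""
    if len(logfile) < MIN_IMAGE_LEN:
        raise ValueError("image too short to contain the downgrade marker")
    (marker,) = struct.unpack_from("<I", logfile, DOWNGRADE_MARK_OFFSET)
    return marker not in (0, 0xFFFFFFFF)


def triage(logfile):
    """Summarise what the header says about the OS that last mounted the volume."""
    major, minor = lfs_version(logfile)
    downgraded = downgrade_traces(logfile)
    return {
        "lfs_version": "%d.%d" % (major, minor),
        "win8_or_newer_mount_seen": major >= 2 or downgraded,
        "downgrade_traces": downgraded,
    }


def make_sample(major, minor, marker):
    """Constructed $LogFile header image for testing; not a real dump."""
    buf = bytearray(MIN_IMAGE_LEN)
    buf[0:4] = b"RSTR"
    struct.pack_into("<hh", buf, LFS_MINOR_OFFSET, minor, major)
    struct.pack_into("<I", buf, DOWNGRADE_MARK_OFFSET, marker)
    return bytes(buf)
```

On a real image, `triage(open("$LogFile", "rb").read())` gives the version currently recorded and whether a Windows 8+ mount left a trace despite the downgrade on unmount.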
This is an HDD and the OS believed to have been connected to it is Windows 7.
I forgot to mention that there are entries in 2019. However the period we are particularly interested in interrogating is 2018 so that's why I failed to note this fact.
With that in mind, there is continuity of entries from 2017-2019.
The particular entry looks like
$TxfLog.blf - Data_Overwritten
$TxfLog.blf - Data_Overwritten/ File_Closed
I've searched both files in their entirety for any matches of this filename and it is the only time it occurs, so no, it doesn't appear every other time the drive was connected; but on every other occasion there is much more copy/delete file activity.
The particular entry looks like
$TxfLog.blf - Data_Overwritten
$TxfLog.blf - Data_Overwritten/ File_Closed
It looks like you are referring to the USN journal here. In this case, what are the USN numbers of journal entries in question? If the drive was mounted on a system with incorrect system time set, then these entries can be followed by other ones (likely not from 2018/2019). If the drive was mounted on a system with correct system time set, then these entries should be somewhere in the end of the file (perhaps, followed by a few entries from 2019).
Also, did you parse the $LogFile? What are the last few entries (when sorted by their LSNs)?
No. USBDeview and almost every registry "cleaner" alters these informations.
All these years believing that USBDeview and registry cleaners operated on the Registry (and NOT on low-level filesystem structures)…
jaclaz
The particular entry looks like
$TxfLog.blf - Data_Overwritten
$TxfLog.blf - Data_Overwritten/ File_Closed
It looks like you are referring to the USN journal here. In this case, what are the USN numbers of journal entries in question? If the drive was mounted on a system with incorrect system time set, then these entries can be followed by other ones (likely not from 2018/2019). If the drive was mounted on a system with correct system time set, then these entries should be somewhere at the end of the file (perhaps, followed by a few entries from 2019).
Also, did you parse the $LogFile? What are the last few entries (when sorted by their LSNs)?
No these are the only entries for that date and the entire 2018. There's no reason to think the system time would have been incorrect. Both possible computers it could have been connected to were set to the correct time and on Windows 7.
I'm wondering, since there are two possible computers that could have connected to it: if for the entire 2017 and 2019 it was connected to computer A, and then the first time it was connected to computer B was in 2018, is it possible that entry would have been generated?
Again, can anyone confirm from this data does it look like the drive was only read once in 2018, or is it possible it could have been read many times on different dates, but nothing written, in 2018 without any entries in the USN Journal?