
NTFS external drive

(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

No these are the only entries for that date and the entire 2018. There's no reason to think the system time would have been incorrect. Both possible computers it could have been connected to were set to the correct time and on Windows 7.
I'm wondering, since there are two possible computers that could have connected to it: if for the entire 2017 and 2019 it was connected to computer A, and then the first time it was connected to computer B was in 2018, is it possible that entry would have been generated?

Again, can anyone confirm from this data does it look like the drive was only read once in 2018, or is it possible it could have been read many times on different dates, but nothing written, in 2018 without any entries in the USN Journal?

Without examining host data, it's hard to draw conclusions. For sure, if there is a USN entry for the $TxfLog.blf file dating from 2018 and if you are sure that clocks on all suspected systems were correct, then this drive was attached to something in 2018. If a system clock was incorrect, then this could be confirmed by looking at the order of USN entries: the USN entry in question would be stored between log entries with "older"/"newer" timestamps, which originate from a host with a valid system time set; things will be harder if not so many USN entries exist in that time period, but this is worth checking nevertheless (see this paper).

Also, take a look at the $LogFile journal. It records more operations than the USN journal (also, log sequence numbers assigned to operations are always increasing, see the same paper above). Actually, it logs operations on the USN journal! You can use this tool to parse the $LogFile journal: https://github.com/msuhanov/dfir_ntfs
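The ordering check described above (USNs always increase, so a timestamp that runs backwards against its neighbours points at a host with a wrong clock), as an added example that is not code from this post or from dfir_ntfs: a minimal USN_RECORD_V2 parser over a constructed $UsnJrnl:$J byte string. The record names, USNs and times are constructed sample data, not values from the drive under discussion.

```python
import struct
from datetime import datetime, timezone, timedelta

# USN_RECORD_V2 fixed part (little-endian, 60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileRef, ParentRef, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset; the UTF-16LE file name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_EPOCH_DIFF = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
def filetime_to_dt(ft):
    return _EPOCH + timedelta(microseconds=(ft - _EPOCH_DIFF) // 10)
def dt_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10 + _EPOCH_DIFF
def build_record(usn, when, reason, name):
    """Constructed USN_RECORD_V2 (sample data, not taken from a real volume)."""
    name_b = name.encode("utf-16-le")
    length = (_HDR.size + len(name_b) + 7) & ~7          # records are 8-byte aligned
    hdr = _HDR.pack(length, 2, 0, 0x0001000000000000 | (usn + 64), 0x0005000000000005,
                    usn, dt_to_filetime(when), reason, 0, 0, 0x20, len(name_b), _HDR.size)
    return hdr + name_b + bytes(length - len(hdr) - len(name_b))
def sample_journal():
    """Four constructed records; each USN equals its byte offset, as in a real $J stream.
    The last record carries a timestamp older than its predecessors (clock anomaly)."""
    utc = timezone.utc
    return b"".join([
        build_record(0, datetime(2017, 6, 10, 14, 0, tzinfo=utc), 0x80000002, "report.docx"),
        build_record(88, datetime(2018, 3, 4, 9, 30, tzinfo=utc), 0x80000100, "$TxfLog.blf"),
        build_record(176, datetime(2019, 1, 15, 8, 5, tzinfo=utc), 0x80000001, "notes.txt"),
        build_record(256, datetime(2016, 1, 1, 0, 0, tzinfo=utc), 0x80000100, "photo.jpg")])
def parse_journal(data):
    """Walk $UsnJrnl:$J bytes in storage order and yield one dict per record."""
    off = 0
    while off + _HDR.size <= len(data):
        (length, major, _mi, _fr, _pr, usn, ft, reason,
         _si, _se, _at, nlen, noff) = _HDR.unpack_from(data, off)
        if length == 0:                  # zero-filled (sparse) region between records
            off += 8
            continue
        if major != 2 or length < _HDR.size:
            raise ValueError(f"unsupported or corrupt record at offset {off}")
        name = data[off + noff: off + noff + nlen].decode("utf-16-le")
        yield {"usn": usn, "time": filetime_to_dt(ft), "name": name, "reason": reason}
        off += length
def clock_anomalies(records):
    """A record whose timestamp precedes its predecessor's despite a higher USN
    was written by a host whose clock disagreed with the surrounding entries."""
    out, prev = [], None
    for r in records:
        if prev is not None and r["time"] < prev["time"]:
            out.append((r["usn"], r["name"], prev["time"], r["time"]))
        prev = r
    return out
```

Run it against a $J extracted from the volume (for example with the tool linked above) by replacing `sample_journal()` with the file's bytes; a single flagged record between consistently dated neighbours is the pattern the post describes.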


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Again, can anyone confirm from this data does it look like the drive was only read once in 2018, or is it possible it could have been read many times on different dates, but nothing written, in 2018 without any entries in the USN Journal?

I will try again.

There is NO known evidence (and you didn't provide any meaningful additional one) that two entries (without path/filename) are written to a NTFS volume by Windows 7 upon "only mounting" or "only collecting", or, if you prefer, the simple action of "mounting" a (NTFS) volume or "connecting" a USB device containing one such volume, particularly if a "same" disk is connected to a "same" PC/install.

There are artifacts (thefuf gave a good sum up, but likely there are other similar ones when combining XP, and Vista with 7) that may have been created by the connection to a different OS.

If you prefer, the 2 entries you found were NOT (to the best of our knowledge) consequent to "only mounting" or "only connecting", as such an operation DOES NOT normally create those artifacts[1].

It is entirely possible that the 2 entries you found were created in occasion of a connection without explicit read/writes BUT they were originated by *something else* that happened (and NOT the mere connection) at that time.

All you can say with only those two (pathless/fileless) entries is that - assuming that no system date change was performed - at the date/time the USN Journal entries were created the disk was actually connected to "a" PC (NOTHING more than that, NOTHING else); you cannot infer that the disk was connected to "that" (or to the "other") PC (nor to any other PC), nor that it was the "only" time it was connected to *anything* in the year 2018.

jaclaz

[1] and BTW it is not like something difficult to attempt to reproduce.


joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
 

You should also consider UsnJrnl records from unallocated and slack. And, remnants of earlier memory snapshots may be found within the hibernation file if present (outside the current and active part), as well as earlier parts of FS unallocated, that may contain the type of artifacts you're interested in.


(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

I'm grateful for the replies, but there is a simple underlying question. Since some people here seem to be very familiar with the USN Journal, is nobody able to confirm whether or not, every time a drive is connected and read, regardless of anything being written, some entry is made into the USN Journal?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I'm grateful for the replies, but there is a simple underlying question. Since some people here seem to be very familiar with the USN Journal, is nobody able to confirm whether or not, every time a drive is connected and read, regardless of anything being written, some entry is made into the USN Journal?

NOT [1]
I can tell you the same in a few other languages, if you want, but besides that I would like to remind you that - provided that somebody will chime in actually stating that "every time a drive is connected and read, regardless of anything being written, some entry is made into the USN Journal" - that statement would anyway need to be validated and the actual behaviour reproduced (just like the one I made about that NOT happening, which at the moment is only something written by a random person on the internet).

Since it is not rocket science, nor brain surgery, in the time you spent going around this question you could have well made between 10 and 100 experiments, connecting to Windows 7 systems between 5 and 50 different USB mass storage devices of different types (flash, HDDs, SSDs), different brands and different sizes.

jaclaz

[1] to the best of my knowledge, the full statement remaining:

There is NO known evidence (and you didn't provide any meaningful additional one) that two entries (without path/filename) are written to a NTFS volume by Windows 7 upon "only mounting" or "only collecting", or, if you prefer, the simple action of "mounting" a (NTFS) volume or "connecting" a USB device containing one such volume, particularly if a "same" disk is connected to a "same" PC/install.

P.S. BTW, isn't this the SAME question as here?

https://forensicfocus.com/Forums/viewtopic/t=17094/

