Tracking history of a file

16 Posts
9 Users
0 Reactions
4,317 Views
joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
 

As this is an NTFS volume, you could try extracting $LogFile and parsing it with https://github.com/jschicht/LogFileParser

You could also check if there are volume shadow copies there, or if $UsnJrnl is active too. Both of which would likely bring more nice details into the analysis.


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Can you please provide some guidance on extracting the LogFile and checking for USNJrnl? I don't know anything about these.

Thanks


   
kacos
(@kacos)
Trusted Member
Joined: 10 years ago
Posts: 93
 

Can you please provide some guidance on extracting the LogFile and checking for USNJrnl? I don't know anything about these.

Thanks

Open the image file with FTK imager.
The $LogFile is in the [root] folder and the $UsnJrnl in the $Extend 'sub-folder'. Right-click on each one and select 'Export Files'.


   
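Once $UsnJrnl:$J has been exported as described in the post above, the stream is a sequence of USN_RECORD_V2 structures. The following Python is an added example for this thread (not code from the forum, from FTK Imager, or from Joakim Schicht's tools): it walks such a stream, skips the zero-filled sparse region, stops cleanly at a truncated trailing record, decodes the reason flags, and filters the entries for one MFT record number, which is what "tracking the history of a file" amounts to in the journal. The journal bytes are constructed inline; the file names, MFT entry numbers and timestamps are made up for the demonstration.

```python
# Added example (not the forum's or any named tool's code): parse USN_RECORD_V2
# entries from an exported $UsnJrnl:$J stream and pull the history of one MFT
# record. All journal bytes, names, entry numbers and timestamps below are
# constructed for the demo.
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flag values from the Windows SDK (subset used for decoding).
DATA_OVERWRITE = 0x00000001
DATA_EXTEND = 0x00000002
FILE_CREATE = 0x00000100
FILE_DELETE = 0x00000200
RENAME_OLD_NAME = 0x00001000
RENAME_NEW_NAME = 0x00002000
CLOSE = 0x80000000

USN_REASONS = {
    DATA_OVERWRITE: "DATA_OVERWRITE", DATA_EXTEND: "DATA_EXTEND",
    FILE_CREATE: "FILE_CREATE", FILE_DELETE: "FILE_DELETE",
    RENAME_OLD_NAME: "RENAME_OLD_NAME", RENAME_NEW_NAME: "RENAME_NEW_NAME",
    CLOSE: "CLOSE",
}

# USN_RECORD_V2 fixed header (60 bytes, little-endian): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
_HEADER = struct.Struct("<IHHQQqQIIIIHH")


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def decode_reasons(mask):
    """Names of the reason flags set in mask; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]
    unknown = mask & ~sum(USN_REASONS) & 0xFFFFFFFF
    if unknown:
        names.append("0x%08x" % unknown)
    return names


def split_file_reference(frn):
    """NTFS file reference -> (MFT entry number, sequence number)."""
    return frn & 0x0000FFFFFFFFFFFF, frn >> 48


def parse_usn_journal(data):
    """Walk a $J stream and return one dict per V2 record, in journal order."""
    records = []
    offset = 0
    while offset + _HEADER.size <= len(data):
        record_length = struct.unpack_from("<I", data, offset)[0]
        if record_length == 0:
            offset += 8          # zero-filled sparse region/padding; records are 8-aligned
            continue
        if record_length < _HEADER.size or offset + record_length > len(data):
            break                # corrupt or cut-off trailing record: stop, don't guess
        (_, major, _minor, frn, parent_frn, usn, ts, reason, source_info,
         _sec_id, attrs, name_len, name_off) = _HEADER.unpack_from(data, offset)
        if major != 2:           # this parser only understands V2 records
            offset += record_length
            continue
        start = offset + name_off
        name = data[start:start + name_len].decode("utf-16-le", errors="replace")
        entry, seq = split_file_reference(frn)
        parent_entry, _ = split_file_reference(parent_frn)
        records.append({
            "usn": usn, "timestamp": filetime_to_datetime(ts),
            "mft_entry": entry, "sequence": seq, "parent_entry": parent_entry,
            "reasons": decode_reasons(reason), "source_info": source_info,
            "attributes": attrs, "name": name,
        })
        offset += record_length
    return records


def file_history(records, mft_entry, sequence=None):
    """Records for one MFT entry; pass the sequence number to separate reuse of the entry."""
    return [r for r in records
            if r["mft_entry"] == mft_entry and (sequence is None or r["sequence"] == sequence)]


# --- constructed sample stream (test data only) ---------------------------------
def build_record(frn, parent_frn, usn, filetime, reason, name):
    """Pack one V2 record as NTFS lays it out: name at offset 60, length padded to 8."""
    name_bytes = name.encode("utf-16-le")
    length = (_HEADER.size + len(name_bytes) + 7) & ~7
    header = _HEADER.pack(length, 2, 0, frn, parent_frn, usn, filetime,
                          reason, 0, 0, 0x20, len(name_bytes), _HEADER.size)
    return (header + name_bytes).ljust(length, b"\x00")


def _build_sample_journal():
    base = 132223104000000000            # FILETIME for 2020-01-01 00:00:00 UTC
    doc = (3 << 48) | 1234               # hypothetical file: MFT entry 1234, sequence 3
    other = (1 << 48) | 99               # unrelated file that must be filtered out
    root = (5 << 48) | 5                 # root directory reference
    events = [
        (doc, base, FILE_CREATE | CLOSE, "report.docx"),
        (other, base + 10_000_000, DATA_EXTEND | CLOSE, "notes.txt"),
        (doc, base + 20_000_000, RENAME_OLD_NAME, "report.docx"),
        (doc, base + 20_000_000, RENAME_NEW_NAME | CLOSE, "report_final.docx"),
    ]
    stream = bytearray(16)               # stands in for the sparse zero prefix of $J
    for frn, ft, reason, name in events:
        stream += build_record(frn, root, len(stream), ft, reason, name)  # Usn = offset in $J
    return bytes(stream)


SAMPLE_JOURNAL = _build_sample_journal()

if __name__ == "__main__":
    for r in file_history(parse_usn_journal(SAMPLE_JOURNAL), 1234):
        print(r["timestamp"].isoformat(), r["name"], "|".join(r["reasons"]))
```

Filtering on the MFT entry number rather than the file name is deliberate: a rename shows up as a RENAME_OLD_NAME record carrying the old name followed by a RENAME_NEW_NAME record carrying the new one, and only the file reference ties them together. Once an entry is deleted and reused the sequence number changes, so pass it to file_history when the entry's history spans a deletion.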
Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 13 years ago
Posts: 259
 

Can you please provide some guidance on extracting the LogFile and checking for USNJrnl? I don't know anything about these.

Thanks

In my opinion this question goes beyond the usual support I am willing to accept or reply to. Obviously you have no knowledge about NTFS and should start with a learning session and read a few books. "File System Forensic Analysis" by Brian Carrier, http://www.digital-evidence.org/fsfa/, is a must-have for any digital forensics worker. The Forensic Wiki, http://forensicswiki.org/wiki/New_Technology_File_System_(NTFS), is a good starting place, too. To get a first impression of the USN Journal and LogFile, you should read the tool-related documentation from Joakim Schicht, one of the leading experts in NTFS forensics and a great tool developer. He answered above and already mentioned the link to his GitHub site.

happy reading,
Robin


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Thanks for all your replies.

The USN Journal and Logfile appear to be areas of interest I want to follow on this. I will spend some more time learning about NTFS but unfortunately on this occasion I must get to a conclusion a bit quicker on this.

If I take another external hard drive that doesn't need to be used as evidence, so it can be handled any which way, how can I access the USN Journal when I plug it in?

If I can establish that it's the right thing to look at, then I can spend more time trying to obtain it from the seized drive, as I don't have FTK, which the previous poster mentioned.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

There is no *need* to use FTK specifically (though FTK Imager is freely available anyway).

You can retrieve the "hidden" file system structure files of NTFS with DMDE (if from a disk/volume) or even with 7-Zip (if from an image), and of course one or the other tool by joakims offers the same possibilities for extracting files from the filesystem or from an image.

Still, without a more than basic understanding of the workings of the filesystem and of the OS in use, as Bunnysniper said before, it is unlikely that you will get anything of value by using those tools, as the matter is really complex and is prone to lead to "wrong" conclusions in the interpretation of the artifacts.

jaclaz


   