USN Journal and Log file analysis

(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Could anyone with experience in analyzing the log files and USN journal of NTFS drives offer their opinions on this –

I'm trying to examine an external drive to get as much detail about activity carried out on it.

Having extracted the USN Journal and log files, it's very clear when files were deleted or placed onto the drive on certain dates/times because it lists the name of the file with the date and activity.

However, on some dates there is much less information, which I'm trying to make sense of. For example, on one date this is all that's listed:

$TxfLog.blf,,Data_Overwritten,Normal,Archive
$TxfLog.blf,,Data_Overwritten/ File_Closed,Normal,Archive

What might this indicate as having happened?
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

A quick Google search revealed this

https://security.stackexchange.com/questions/66236/could-system-volume-information-and-rmmetadata-pose-information-leakage-on-a

I would suggest that more information is required for a more thorough response. For example, I know that this is an external drive, but what do you know about the system it was connected to; specifically, what was the version of the OS? I know that might not be available, but I did find mention of some issues with Win8.1, specifically.

This could simply mean that there was no other activity that day.

(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Thanks for your reply.

It was connected to Windows 7.

As said I'm no expert on examining these, so when you say no other activity on that day does that mean no files or folders were even opened? Do these journals and logs record if files are opened at all, or is it only if new files are copied to the drive or existing files are deleted from the drive?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> As said I'm no expert on examining these,

Nor am I.

> …so when you say no other activity on that day does that mean no files or folders were even opened?

I'm not saying that at all. I'm saying that based on the snippet you provided from the USN change journal, perhaps there was no other activity.

You'd be better able to determine that, by creating a timeline of activity.

(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

> > As said I'm no expert on examining these,
>
> Nor am I.
>
> > …so when you say no other activity on that day does that mean no files or folders were even opened?
>
> I'm not saying that at all. I'm saying that based on the snippet you provided from the USN change journal, perhaps there was no other activity.
>
> You'd be better able to determine that, by creating a timeline of activity.

Understood. Perhaps there was no other activity that day.

My question is what sort of activity would generate these snippets and nothing else on that day?

joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
 

You could also try analyzing the $LogFile. It is recycled though, so if you are looking at FS transactions from some time back, then it might be overwritten. Unless you already found a tool for decoding it, you could try this one https://github.com/jschicht/LogFileParser

Regarding UsnJrnl there are also a couple of tools you could try; https://github.com/jschicht/ExtractUsnJrnl and https://github.com/jschicht/UsnJrnl2Csv

The UsnJrnl might be worth scanning for fragments in unallocated space on the volume (if there is a significant time between the target FS operations and when the disk was imaged). Extract unallocated with a tool capable of it, then use UsnJrnl2Csv in scan mode on it.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> My question is what sort of activity would generate these snippets and nothing else on that day?

Generate a timeline of system activity. That will show you.

(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

> You could also try analyzing the $LogFile. It is recycled though, so if you are looking at FS transactions from some time back, then it might be overwritten. Unless you already found a tool for decoding it, you could try this one https://github.com/jschicht/LogFileParser
>
> Regarding UsnJrnl there are also a couple of tools you could try; https://github.com/jschicht/ExtractUsnJrnl and https://github.com/jschicht/UsnJrnl2Csv
>
> The UsnJrnl might be worth scanning for fragments in unallocated space on the volume (if there is a significant time between the target FS operations and when the disk was imaged). Extract unallocated with a tool capable of it, then use UsnJrnl2Csv in scan mode on it.

I just converted the db file that was the USNJournal and LogFile into csv format and then opened them in Excel - it's no different, right?

You said LogFile is recycled, is USNJournal recycled too?

joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
 

They are both recycled, but in different ways. Don't know which tools you used. It is rather a decoding and dump of data into csv, than a convert. Anyways, importing to Excel should work, at least with the csv's of the tools I linked to. The data decoded from those 2 files are very different. $LogFile is extremely low level on NTFS. $UsnJrnl is higher level and more easy to grasp. For 1 $UsnJrnl entry you may find numerous entries relating to the same action in $LogFile. In most cases you will find that the data found and decoded in $LogFile cover a much smaller period of time than what you could find for $UsnJrnl.
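As an added illustration of the "decode and dump" step described above and of the per-day timeline keydet89 recommends (this is example code, not from any poster or from the jschicht tools): a Python decoder for raw USN_RECORD_V2 entries in the layout Windows writes to $UsnJrnl:$J. It constructs its own sample input (the two $TxfLog.blf events from the opening post plus one user file the next day), decodes them into the same field names as the CSV lines, and flags days on which only $-prefixed NTFS metadata files were touched; the "metadata only" test is a heuristic of this example, not a rule from the thread.

```python
import struct
from datetime import datetime, timedelta, timezone
# USN_RECORD_V2 reason/attribute bits (winioctl.h), named as in the post's CSV lines.
REASONS = {0x1: "Data_Overwritten", 0x100: "File_Created", 0x200: "File_Deleted",
           0x1000: "Rename_Old_Name", 0x2000: "Rename_New_Name", 0x80000000: "File_Closed"}
ATTRS = {0x20: "Archive", 0x80: "Normal"}
HDR = "<IHHQQqqIIIIHH"            # 60-byte fixed part; UTF-16LE file name follows it
HDR_LEN = struct.calcsize(HDR)
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks

def build_record(name, ts, reason, attrs, usn):
    """Assemble one V2 record; used only to construct sample input for this example."""
    fn = name.encode("utf-16-le")
    length = (HDR_LEN + len(fn) + 7) & ~7              # records are 8-byte aligned
    ft = (ts - EPOCH) // timedelta(microseconds=1) * 10
    hdr = struct.pack(HDR, length, 2, 0, 0x5000000000001F, 0x5000000000000005,
                      usn, ft, reason, 0, 0, attrs, len(fn), HDR_LEN)
    return hdr + fn + b"\0" * (length - HDR_LEN - len(fn))

def parse_journal(buf):
    """Decode each V2 record into (timestamp, name, reasons, attrs), skipping padding."""
    off, out = 0, []
    while off + HDR_LEN <= len(buf):
        (length, major, _, _, _, _, ft, reason, _, _, attrs, fn_len, fn_off) = \
            struct.unpack_from(HDR, buf, off)
        if length < HDR_LEN or major != 2:   # zero padding of a sparse $J, or unknown layout
            off += 8
            continue
        name = buf[off + fn_off:off + fn_off + fn_len].decode("utf-16-le")
        ts = EPOCH + timedelta(microseconds=ft // 10)
        out.append((ts, name, [v for k, v in REASONS.items() if reason & k],
                    [v for k, v in ATTRS.items() if attrs & k]))
        off += length
    return out
def daily_summary(records):
    """Bucket records per UTC day; flag days touching only $-prefixed NTFS metadata (heuristic)."""
    days = {}
    for ts, name, reasons, _ in records:
        days.setdefault(ts.date().isoformat(), []).append((name, "/".join(reasons)))
    return {d: {"entries": e, "metadata_only": all(n.startswith("$") for n, _ in e)}
            for d, e in days.items()}
def sample_journal():
    """Constructed input: the post's two $TxfLog.blf events, a sparse gap, a user file next day."""
    t1 = datetime(2015, 3, 2, 9, 14, tzinfo=timezone.utc)
    t2 = datetime(2015, 3, 3, 17, 30, tzinfo=timezone.utc)
    return b"".join([build_record("$TxfLog.blf", t1, 0x1, 0xA0, 0x1000),
                     build_record("$TxfLog.blf", t1, 0x80000001, 0xA0, 0x1058),
                     b"\0" * 16,
                     build_record("report.docx", t2, 0x80000100, 0x20, 0x2000)])
```

Running `daily_summary(parse_journal(sample_journal()))` shows 2015-03-02 as a metadata-only day (just the two $TxfLog.blf records) and 2015-03-03 as a day with user file activity; the same function applied to a full $J extract is the timeline the thread refers to.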

(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

> They are both recycled, but in different ways. Don't know which tools you used. It is rather a decoding and dump of data into csv, than a convert. Anyways, importing to Excel should work, at least with the csv's of the tools I linked to. The data decoded from those 2 files are very different. $LogFile is extremely low level on NTFS. $UsnJrnl is higher level and more easy to grasp. For 1 $UsnJrnl entry you may find numerous entries relating to the same action in $LogFile. In most cases you will find that the data found and decoded in $LogFile cover a much smaller period of time than what you could find for $UsnJrnl.

I certainly find the LogFile is substantially smaller than the UsnJrnl.

How are they both recycled 'in different ways'?
