DIGITAL FORENSICS: NTFS Journal Viewer
NTFS Journal Viewer (JV) is a portable tool that extracts and parses the NTFS change journal ($UsnJrnl) file. The change journal is a file that records when changes are made to files and directories and therefore can provide a wealth of information for the forensic investigator.
The extraction tool (ExtractUsnJrnl.exe) bundled with NTFS Journal Viewer was written by Joakim Schicht (https://github.com/jschicht). JV parses hundreds of thousands of records within seconds and provides filtering and search functionality. The results can be exported to a CSV file.
$UsnJrnl
The NTFS change journal ($UsnJrnl) is an operating-system file that records when changes are made to files and directories. It lives in the hidden $Extend directory at $Extend\$UsnJrnl and holds its data in two alternate data streams:
- $UsnJrnl:$J – the actual journal entries, one variable-length USN record per change; the stream is sparse, so older regions of it are released and read back as zeroes
- $UsnJrnl:$Max – metadata about the journal (maximum size, allocation delta, journal ID, lowest valid USN)
The contents of the $UsnJrnl file can help forensic investigators identify what activity has occurred to files of relevance to the investigation.
Each record in $UsnJrnl:$J carries the following fields:
- File/directory name (only the name, not the full path; the path has to be rebuilt from the parent MFT reference)
- File/directory attributes
- USN reason flags (what happened: file create, file delete, rename old/new name, data overwrite or extend, security change, close, and so on; flags accumulate until the close record)
- Time of activity (64-bit FILETIME, UTC)
- USN (update sequence number; it is also the record's byte offset within the $J stream)
- MFT reference number (48-bit entry number plus 16-bit sequence number)
- MFT parent reference number
- Security ID
- Source info
1) Open JournalViewer.exe (run it with administrator rights, since the extraction reads the raw volume).
2) Click the "$J" button and then click the "OK" button. "$UsnJrnl_$J.bin" should be created in the NTFS Journal Viewer folder.
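The extracted "$UsnJrnl_$J.bin" is nothing more than the raw $J stream, so the field list above maps directly onto it. The following parser is an added example written for this page; it is not code from NTFS Journal Viewer or from ExtractUsnJrnl, and it assumes the documented USN_RECORD_V2 layout (60-byte fixed header followed by a UTF-16LE name, records padded to 8 bytes). The sample journal it builds (build_usn_v2, build_sample_journal) is constructed in the code, not captured from a real system, and the helper names are ours. It also shows two things a viewer hides: zero-filled regions of the sparse stream have to be skipped, and a rename appears as two records (old name, then new name) sharing one MFT reference.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed part: 60 bytes, little-endian. The UTF-16LE file name
# follows at FileNameOffset and the record is padded to an 8-byte boundary.
USN_V2_HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE", 0x80000000: "CLOSE",
}

def decode_reason(flags):
    """Expand the Reason bitmask into flag names, in ascending bit order."""
    names = [n for bit, n in sorted(USN_REASONS.items()) if flags & bit]
    unknown = flags & ~sum(USN_REASONS)
    return names + ([f"UNKNOWN_0x{unknown:08X}"] if unknown else [])

def split_mft_ref(ref):
    """An NTFS file reference is 48 bits of MFT entry number + 16 bits of sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def filetime_to_utc(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_usn_v2(data):
    """Walk a raw $J stream and return one dict per USN_RECORD_V2."""
    records, off = [], 0
    while off + USN_V2_HDR.size <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:            # zero-filled (sparse) region: records are 8-byte aligned
            off += 8
            continue
        if rec_len < USN_V2_HDR.size or off + rec_len > len(data):
            break                   # corrupt or truncated record: stop rather than misparse
        (_, major, _minor, fref, pref, usn, ts, reason, src, sid, attrs,
         name_len, name_off) = USN_V2_HDR.unpack_from(data, off)
        if major == 2:              # V3/V4 records use 128-bit file IDs; they are skipped here
            name = data[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
            records.append({
                "usn": usn, "timestamp": filetime_to_utc(ts), "name": name,
                "mft": split_mft_ref(fref), "parent": split_mft_ref(pref),
                "reason": decode_reason(reason), "attributes": attrs,
                "security_id": sid, "source_info": src,
            })
        off += rec_len
    return records

def build_usn_v2(name, fref, pref, usn, ft, reason, attrs=0x20, src=0, sid=0):
    """Encode one V2 record (used only to construct the sample stream below)."""
    name_bytes = name.encode("utf-16-le")
    body = USN_V2_HDR.size + len(name_bytes)
    rec_len = (body + 7) & ~7
    hdr = USN_V2_HDR.pack(rec_len, 2, 0, fref, pref, usn, ft, reason, src, sid,
                          attrs, len(name_bytes), USN_V2_HDR.size)
    return hdr + name_bytes + b"\x00" * (rec_len - body)

def build_sample_journal():
    """Constructed sample $J (not a real journal): a dropped binary is created,
    written, renamed to a look-alike name, then deleted."""
    file_ref = (5 << 48) | 1234     # MFT entry 1234, sequence number 5
    root_ref = (5 << 48) | 5        # parent: the volume root directory (entry 5)
    t0 = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    events = [("evil.exe", 0x00000100),         # FILE_CREATE
              ("evil.exe", 0x80000102),         # DATA_EXTEND|FILE_CREATE|CLOSE
              ("evil.exe", 0x00001000),         # RENAME_OLD_NAME
              ("svchost.exe", 0x00002000),      # RENAME_NEW_NAME
              ("svchost.exe", 0x80000200)]      # FILE_DELETE|CLOSE
    stream = b"\x00" * 16           # leading zero run, as seen in a sparse $J extract
    for i, (name, reason) in enumerate(events):
        ft = utc_to_filetime(t0 + timedelta(seconds=i))
        # the USN is the record's byte offset within $J, so use the current length
        stream += build_usn_v2(name, file_ref, root_ref, len(stream), ft, reason)
    return stream

def rename_pairs(records):
    """Pair an OLD_NAME record with the following NEW_NAME record for the same MFT entry."""
    return [(a["name"], b["name"]) for a, b in zip(records, records[1:])
            if "RENAME_OLD_NAME" in a["reason"] and "RENAME_NEW_NAME" in b["reason"]
            and a["mft"] == b["mft"]]

if __name__ == "__main__":
    import sys  # pass the path of an extracted $UsnJrnl_$J.bin, or run on the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_journal()
    for r in parse_usn_v2(data):
        print(f'{r["timestamp"]:%Y-%m-%d %H:%M:%S} usn={r["usn"]} mft={r["mft"]} '
              f'{r["name"]}: {"|".join(r["reason"])}')
    print("renames:", rename_pairs(parse_usn_v2(data)))
```

Because the parser stops at the first record whose length does not fit, a truncated extract yields the records up to the cut rather than garbage; on a real $J you will also see long zero runs before the first live record, which is why the loop advances in 8-byte steps instead of giving up. Timestamps are emitted in UTC, so convert to the machine's local time zone only when correlating with local-time artifacts.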
Credit:
* If there is any error in this information, I apologize. Please notify the Admin so it can be corrected.
Thank you.