Friday, February 12, 2021

DIGITAL FORENSICS:NTFS Journal Viewer

NTFS Journal Viewer (JV) is a portable tool that extracts and parses the NTFS change journal ($UsnJrnl) file. The change journal is a file that records when changes are made to files and directories and therefore can provide a wealth of information for the forensic investigator.

The extraction tool (ExtractUsnJrnl.exe) used in NTFS Journal Viewer was created by Joakim Schicht (https://github.com/jschicht). JV is able to parse hundreds of thousands of records within seconds and provides filtering and search functionality. The results can be exported to a CSV file.

$UsnJrnl
The NTFS change journal ($UsnJrnl) is an operating system file that records when changes are made to files and directories. The change journal is located at $Extend\$UsnJrnl. The journal contains two alternate data streams as detailed below:

  • $UsnJrnl:$J – Contains the actual journal entries
  • $UsnJrnl:$MAX – Contains metadata about the $UsnJrnl


The contents of the $UsnJrnl file can help forensic investigators identify what activity has occurred to files of relevance to the investigation.

Each record in $UsnJrnl:$J contains the following fields:

  • File/directory name
  • File/directory attributes
  • USN Reason
  • Time of activity
  • USN reference number
  • MFT reference number
  • MFT parent reference number
  • Security ID
  • Source info

1)      Open JournalViewer.exe

2)      Click the “$J” button and then click the “OK” button. Select the C: drive and click OK.

   “$UsnJrnl_$J.bin” should be created in the NTFS Journal Viewer folder.

3)      Click the “Open File” button and select the “$UsnJrnl_$J.bin” file.

Review the results for user activity on the computer. Search by keyword (for example *.exe) and check the Date & Time of each matching record.
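The record layout behind the field list above, and the keyword search used in the last step, as an added example that is not code from NTFS Journal Viewer or ExtractUsnJrnl: a small Python parser for USN_RECORD_V2 records, the on-disk format of $UsnJrnl:$J. The sample bytes (SAMPLE_J) are constructed inside the script so it runs offline; with a real $UsnJrnl_$J.bin you would pass the file's contents to parse_usnjrnl() instead. The function and variable names are this example's own.

```python
"""Parse NTFS change-journal ($UsnJrnl:$J) records (USN_RECORD_V2).
Added example, not code from NTFS Journal Viewer or ExtractUsnJrnl.
SAMPLE_J is constructed test data; pass the bytes of a real $UsnJrnl_$J.bin
to parse_usnjrnl() for actual analysis."""
import fnmatch
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags from the Windows SDK (winioctl.h).
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}

# 60-byte little-endian header: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength (bytes),
# FileNameOffset; the UTF-16LE file name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def split_mft_ref(ref):
    """64-bit file reference -> (MFT entry number, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reason(reason):
    return [name for bit, name in REASON_FLAGS.items() if reason & bit]


def parse_usnjrnl(data):
    """One dict per record. Zero-filled gaps (the sparse region at the start
    of an extracted $J) are skipped 8 bytes at a time; records are 8-aligned."""
    records, off = [], 0
    while off + _HDR.size <= len(data):
        (length, major, _minor, fref, pref, usn, ts, reason, source,
         secid, attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if length == 0:
            off += 8
            continue
        if major != 2 or length < _HDR.size or off + length > len(data):
            break  # not a V2 record, or truncated: stop instead of mis-parsing
        entry, seq = split_mft_ref(fref)
        pentry, pseq = split_mft_ref(pref)
        records.append({
            "usn": usn, "timestamp": filetime_to_datetime(ts),
            "name": data[off + name_off: off + name_off + name_len].decode("utf-16-le"),
            "attributes": attrs, "reason_raw": reason, "reasons": decode_reason(reason),
            "mft_entry": entry, "mft_seq": seq, "parent_entry": pentry, "parent_seq": pseq,
            "security_id": secid, "source_info": source,
        })
        off += length
    return records


def search(records, pattern):
    """Case-insensitive wildcard match on the file name, e.g. '*.exe'."""
    return [r for r in records if fnmatch.fnmatch(r["name"].lower(), pattern.lower())]


def build_record(name, fref, pref, usn, when, reason, attrs=0x20):
    """Construct one V2 record (constructed test data only)."""
    name_b = name.encode("utf-16-le")
    length = (_HDR.size + len(name_b) + 7) & ~7  # pad to 8-byte alignment
    hdr = _HDR.pack(length, 2, 0, fref, pref, usn, datetime_to_filetime(when),
                    reason, 0, 0, attrs, len(name_b), _HDR.size)
    return (hdr + name_b).ljust(length, b"\0")


T0 = datetime(2021, 2, 12, 10, 30, tzinfo=timezone.utc)
SAMPLE_J = (  # constructed: a zeroed gap, then three records for two files
    b"\0" * 16
    + build_record("report.docx", (7 << 48) | 4711, (1 << 48) | 5, 0x1000, T0,
                   0x00000002 | 0x80000000)                               # DATA_EXTEND|CLOSE
    + build_record("update.exe", (1 << 48) | 9001, (2 << 48) | 300, 0x1058,
                   T0 + timedelta(minutes=5), 0x00000100 | 0x80000000)   # FILE_CREATE|CLOSE
    + build_record("update.exe", (1 << 48) | 9001, (2 << 48) | 300, 0x10A8,
                   T0 + timedelta(minutes=7), 0x00000200 | 0x80000000)   # FILE_DELETE|CLOSE
)

if __name__ == "__main__":
    for r in search(parse_usnjrnl(SAMPLE_J), "*.exe"):
        print(r["timestamp"].isoformat(), r["name"], "|".join(r["reasons"]),
              "mft=%d/%d parent=%d" % (r["mft_entry"], r["mft_seq"], r["parent_entry"]))
```

Two points worth keeping in mind when reading the output: a $J record carries only the file name and the parent MFT reference, so reconstructing the full path requires the $MFT of the same volume; and the Usn field is the record's byte offset within the $J stream, which is why a gap in USN values between two records is normal rather than a sign of tampering.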


Credit:


Note: The content on this website is provided for informational and educational purposes only.

* If any information here is in error, we apologize. Please notify the Admin so that it can be corrected.
Thank you.

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD #MOBILEFORENSICS #$USNJRNL
