Tuesday, November 20, 2012

Verify your applications and service status

In order to evaluate the value of an artifact, we have to verify that the evidence exists as the result of a properly functioning service.  Since user-generated data is hearsay while computer-generated data can be admitted as a business record, we have to make sure the service that produced it was functioning as intended.  To establish this, we need reliable tools that can identify the artifacts related to the data in question.  The USN (Update Sequence Number) change journal is the way NTFS keeps a record of changes to files and directories on a volume.  FTK Imager did not interpret this data even as recently as version 3.0.1.  As you can see in the screenshot below, even though the directory $Extend shows the item $UsnJrnl, it does not list it as an item in the File List.


The $UsnJrnl entry also shows up in $LogFile, together with the MFT record for $UsnJrnl.



$UsnJrnl does show up properly in FTK Imager version 3.1.1, as a file of size 0.



If we look at the $UsnJrnl file, we can see that it contains two Alternate Data Streams (ADS): $J, which holds the change records for files and directories, and $Max, which holds the journal's metadata, including the FILETIME-based value that is used as the USN Journal ID.  The same values can be read from a live system with fsutil usn queryjournal c::
Usn Journal ID   : 0x01cb228e91afda72
First Usn        : 0x0000000040340000
Next Usn         : 0x00000000427485a8
Lowest Valid Usn : 0x0000000000000000
Max Usn          : 0x7fffffffffff0000
Maximum Size     : 0x0000000002000000
Allocation Delta : 0x0000000000400000



$UsnJrnl does not exist by default on USB thumb drives; it is only present if an administrator creates it.  So even if you have an application that can interpret the data structure, you need to confirm whether the journal is supposed to exist on that volume at all.  Run fsutil usn enumdata 1 0 1 C:, where C: is the drive you want to check; on a volume without a journal the command reports that the change journal is not active (fsutil usn queryjournal C: shows the journal ID and size limits when it is).  Anyone with administrative rights can create a journal on any NTFS volume,
fsutil usn createjournal m=1000 a=100 C:, where m is the maximum size and a the allocation delta, in bytes.  The journal can just as easily be deleted from the device,
fsutil usn deletejournal /D C:.  Deleting it removes the $J records, and a journal created later gets a new journal ID and starts a fresh USN sequence, so the ID and First Usn values are themselves worth recording when you examine a volume.


Reason decoded in this example: the bytes 07 80 00 80 on disk, read little-endian -> 0x80008007
0x00000001  USN_REASON_DATA_OVERWRITE     data overwritten
0x00000002  USN_REASON_DATA_EXTEND        data extended (added to)
0x00000004  USN_REASON_DATA_TRUNCATION    data truncated
0x00008000  USN_REASON_BASIC_INFO_CHANGE  a user has changed one or more file or directory attributes, or one or more time stamps
0x80000000  USN_REASON_CLOSE              the handle was closed; the reasons accumulated so far are written out
------------------------------------------
0x80008007  value saved in the record's Reason field in the journal


Version 2 structure (USN_RECORD is an alias for USN_RECORD_V2; a DWORDLONG file reference is an MFT reference whose low 48 bits are the record number and high 16 bits the sequence number; FileNameOffset is normally 0x3C, the 60-byte size of the fixed header, and RecordLength is padded to a multiple of 8)
typedef struct {
  DWORD         RecordLength;
  WORD          MajorVersion;
  WORD          MinorVersion;
  DWORDLONG     FileReferenceNumber;
  DWORDLONG     ParentFileReferenceNumber;
  USN           Usn;                 /* USN is a 64-bit LONGLONG */
  LARGE_INTEGER TimeStamp;           /* FILETIME, stored in UTC */
  DWORD         Reason;              /* USN_REASON_* bit flags */
  DWORD         SourceInfo;
  DWORD         SecurityId;
  DWORD         FileAttributes;
  WORD          FileNameLength;      /* in bytes; the name is UTF-16LE */
  WORD          FileNameOffset;
  WCHAR         FileName[1];
} USN_RECORD_V2, *PUSN_RECORD_V2, USN_RECORD, *PUSN_RECORD;

Version 3 structure (Windows 8 and later; the two file reference numbers grow to 128 bits)
typedef struct {
  DWORD         RecordLength;
  WORD          MajorVersion;
  WORD          MinorVersion;
  BYTE          FileReferenceNumber[16];
  BYTE          ParentFileReferenceNumber[16];
  USN           Usn;
  LARGE_INTEGER TimeStamp;
  DWORD         Reason;
  DWORD         SourceInfo;
  DWORD         SecurityId;
  DWORD         FileAttributes;
  WORD          FileNameLength;
  WORD          FileNameOffset;
  WCHAR         FileName[1];
} USN_RECORD_V3, *PUSN_RECORD_V3;
 
http://msdn.microsoft.com/en-us/library/aa365722%28VS.85%29.aspx
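The Reason decoding above and the USN_RECORD_V2 layout are easy to get wrong by hand, so here is an added example (my code, not the post's and not a TZWorks or Microsoft tool) that walks a $UsnJrnl:$J byte stream, parses each USN_RECORD_V2, splits the file reference into MFT record and sequence number, turns the Reason DWORD into USN_REASON_* names, and converts the FILETIME timestamp to a UTC datetime.  The $J fragment it parses is constructed inline: a sparse zero gap followed by two records modelled on the post's timeline, with illustrative FRNs and USNs and the post's 07 80 00 80 Reason bytes on the second record.

```python
# Added example (not the post's code): parse USN_RECORD_V2 entries from a
# $UsnJrnl:$J byte stream, decode Reason bits and convert FILETIME stamps.
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header, little-endian, 60 bytes: RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
V2_HEADER = "<IHHQQqqIIIIHH"
V2_HEADER_LEN = struct.calcsize(V2_HEADER)  # 60 == the usual FileNameOffset

USN_REASON = {  # USN_REASON_* flags from winioctl.h
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01, UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the sample below."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def decode_reason(reason):
    """Names of the USN_REASON bits set in a Reason DWORD; unknown bits are kept."""
    names = [n for bit, n in sorted(USN_REASON.items()) if reason & bit]
    unknown = reason & ~sum(USN_REASON)
    if unknown:
        names.append("UNKNOWN_0x%08X" % unknown)
    return names


def split_frn(frn):
    """FileReferenceNumber -> (MFT record number, sequence number)."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48


def parse_usn_journal(data):
    """Walk a $J byte stream, skipping zero-filled (sparse) gaps between records."""
    records, off = [], 0
    while off + V2_HEADER_LEN <= len(data):
        f = struct.unpack_from(V2_HEADER, data, off)
        rec_len, major, name_len, name_off = f[0], f[1], f[11], f[12]
        if rec_len == 0:            # inside a sparse run of $J: step and rescan
            off += 8
            continue
        if major != 2 or rec_len < V2_HEADER_LEN or off + rec_len > len(data):
            raise ValueError("bad record at offset %d" % off)
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        mft_no, seq = split_frn(f[3])
        records.append({"usn": f[5], "mft_record": mft_no, "sequence": seq,
                        "parent_frn": f[4], "timestamp": filetime_to_datetime(f[6]),
                        "reason": f[7], "reason_names": decode_reason(f[7]),
                        "attributes": f[10], "name": name})
        off += rec_len              # RecordLength already includes the padding
    return records


def build_usn_record_v2(usn, frn, parent_frn, when, reason, name, attrs=0x20):
    """Serialise one 8-byte-aligned USN_RECORD_V2 (for the constructed sample)."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (V2_HEADER_LEN + len(name_bytes) + 7) & ~7
    hdr = struct.pack(V2_HEADER, rec_len, 2, 0, frn, parent_frn, usn,
                      datetime_to_filetime(when), reason, 0, 0, attrs,
                      len(name_bytes), V2_HEADER_LEN)
    return (hdr + name_bytes).ljust(rec_len, b"\0")


# Constructed $J fragment: a sparse gap, then two records modelled on the post's
# timeline (FRNs, USNs and the second record's Reason are illustrative values).
SAMPLE_J = (
    b"\0" * 16
    + build_usn_record_v2(0x40340000, (3 << 48) | 0x2A, (1 << 48) | 5,
                          datetime(2012, 11, 20, 19, 53, 19, 162000, tzinfo=timezone.utc),
                          0x80000200, "h.txt")          # FILE_DELETE | CLOSE
    + build_usn_record_v2(0x40340048, (7 << 48) | 0x2B, (1 << 48) | 5,
                          datetime(2012, 11, 20, 19, 58, 46, 229000, tzinfo=timezone.utc),
                          0x80008007, "file1.txt")      # the post's 07 80 00 80
)

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_J):
        print(r["timestamp"].isoformat(), r["name"], r["mft_record"],
              "; ".join(r["reason_names"]))
    print("journal ID read as FILETIME:", filetime_to_datetime(0x01CB228E91AFDA72))
```

A carved $J stream begins with a long sparse run of zeros before the first live record, which is why the walker steps over a zero RecordLength instead of failing.  Reading the post's journal ID 0x01cb228e91afda72 as a FILETIME with the same helper gives 2010-07-13 13:23:23 UTC, consistent with the post's statement that the ID is FILETIME-based.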
 
Testing Procedures 


1. Default USB Drive Configuration

11/20, local time
1:44pm  copy file1.txt to g:\
1:45pm  copy f.txt
1:45pm  copy g.txt
1:45pm  open file1.txt
1:46pm  added to file1.txt
1:47pm  copy h.txt
1:48pm  copy test.jpg
1:50pm  added to file1.txt
1:54pm  added journaling: fsutil usn createjournal m=1000 a=222 g:




2. After Journaling Enabled
1:53pm  g.txt, h.txt deleted
1:54pm  added to file1.txt
1:55pm  copied f.txt, h.txt, g.txt back to drive; f.txt overwritten
1:56pm  copied test2.jpg
1:57pm  added to file1.txt
1:58pm  reduced file1.txt
1:59pm  deleted f.txt, g.txt
2:00pm  added to file1.txt
        file1.txt closed
2:02pm  file1.txt renamed to changed.txt
2:02pm  test.jpg, test2.jpg deleted with Shift
2:05pm  added to changed.txt, then closed

3. Tool used to extract journal data
E:\>jp -file JournalExample.txt
license is authenticated: registered to Demo; TZWorks LLC [non-commercial use only]
jp ver: 0.99, Copyright (c) TZWorks LLC

date, time, filename, type change,
11/20/2012, 19:53:19.162, h.txt, file_deleted; file_closed
11/20/2012, 19:53:19.180, g.txt, file_deleted; file_closed
11/20/2012, 19:54:50.109, file1.txt, data_overwritten; file_added; file_closed
11/20/2012, 19:55:27.100, g.txt, data_overwritten; file_added; file_created; attrib_changed; file_closed
11/20/2012, 19:55:27.152, h.txt, data_overwritten; file_added; file_created; attrib_changed; file_closed
11/20/2012, 19:55:28.869, f.txt, data_overwritten; file_added; file_truncated; attrib_changed; file_closed
11/20/2012, 19:56:26.975, test2.jpg, data_overwritten; file_added; file_created; attrib_changed; file_closed
11/20/2012, 19:58:20.194, file1.txt, data_overwritten; file_added; file_closed
11/20/2012, 19:58:46.229, file1.txt, data_overwritten; file_truncated; file_closed
11/20/2012, 19:59:12.154, g.txt, file_deleted; file_closed
11/20/2012, 19:59:12.164, f.txt, file_deleted; file_closed
11/20/2012, 20:01:02.624, file1.txt, data_overwritten; file_added; file_closed
11/20/2012, 20:01:54.041, changed.txt, file_renamed; file_closed
11/20/2012, 20:02:24.337, test.jpg, file_deleted; file_closed
11/20/2012, 20:02:24.347, test2.jpg, file_deleted; file_closed
11/20/2012, 20:05:08.216, changed.txt, data_overwritten; file_added; file_closed
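The point of the test above is that a journal can only testify to what happened after it existed, and its timestamps are UTC while the test log is local time.  The following added example (my code, not the post's and not part of jp) reconciles an action log with journal output: it parses jp-style lines, normalises the local wall-clock entries to UTC, treats the earliest surviving record as the start of journal coverage, and reports each action as before_coverage, matched or missing.  The journal lines are a constructed copy of the jp output above, the actions are transcribed from the procedure, one extra action is invented to show a claim with no journal evidence, and the UTC-6 offset is an assumption inferred from the post's 1:53pm local clock against 19:53 in the journal.

```python
# Added example (not the post's code): reconcile a known action log with
# change-journal output, allowing for minute-precision notes and UTC storage.
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-6))  # assumed local offset of the test machine

# Constructed copy of the jp output above: date, time (UTC), filename, change types.
JP_OUTPUT = """\
11/20/2012, 19:53:19.162, h.txt, file_deleted; file_closed
11/20/2012, 19:53:19.180, g.txt, file_deleted; file_closed
11/20/2012, 19:54:50.109, file1.txt, data_overwritten; file_added; file_closed
11/20/2012, 19:55:28.869, f.txt, data_overwritten; file_added; file_truncated; attrib_changed; file_closed
11/20/2012, 19:58:46.229, file1.txt, data_overwritten; file_truncated; file_closed
11/20/2012, 19:59:12.154, g.txt, file_deleted; file_closed
11/20/2012, 19:59:12.164, f.txt, file_deleted; file_closed
11/20/2012, 20:01:54.041, changed.txt, file_renamed; file_closed
11/20/2012, 20:02:24.337, test.jpg, file_deleted; file_closed
"""

# Actions from the procedure (local wall clock, minute precision), the name the
# journal would record, and the change type expected. The last entry is
# constructed and never happened, to show how an unsupported claim is caught.
ACTIONS = [
    ("2012-11-20 13:44", "file1.txt", "file_added"),      # copied before journaling
    ("2012-11-20 13:47", "h.txt", "file_added"),          # copied before journaling
    ("2012-11-20 13:53", "g.txt", "file_deleted"),
    ("2012-11-20 13:58", "file1.txt", "file_truncated"),  # "reduced file1.txt"
    ("2012-11-20 13:59", "f.txt", "file_deleted"),
    ("2012-11-20 14:02", "changed.txt", "file_renamed"),
    ("2012-11-20 14:02", "test.jpg", "file_deleted"),
    ("2012-11-20 14:10", "nothere.txt", "file_deleted"),  # constructed, no such action
]


def parse_jp(text):
    """jp CSV lines -> list of (aware UTC datetime, filename, set of change types)."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("date"):
            continue
        date, time, name, changes = [p.strip() for p in line.split(",", 3)]
        when = datetime.strptime(date + " " + time, "%m/%d/%Y %H:%M:%S.%f")
        events.append((when.replace(tzinfo=timezone.utc), name,
                       {c.strip() for c in changes.split(";")}))
    return events


def check_coverage(actions, events, tolerance=timedelta(seconds=90)):
    """Classify each action as before_coverage, matched or missing.

    The earliest surviving record bounds what the journal can testify to: an
    action older than that is expected to be absent, while an action inside the
    covered window with no matching record is a finding to chase down.
    """
    coverage_start = min(e[0] for e in events)
    verdicts = {}
    for local_str, name, expected in actions:
        when = datetime.strptime(local_str, "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL_TZ)
        if when < coverage_start - tolerance:
            verdicts[(local_str, name, expected)] = "before_coverage"
            continue
        hit = any(e[1].lower() == name.lower() and expected in e[2]
                  and abs(e[0] - when) <= tolerance for e in events)
        verdicts[(local_str, name, expected)] = "matched" if hit else "missing"
    return verdicts


if __name__ == "__main__":
    for (local_str, name, expected), verdict in check_coverage(ACTIONS, parse_jp(JP_OUTPUT)).items():
        print("%-16s %-12s %-15s %s" % (local_str, name, expected, verdict))
```

The tolerance absorbs the minute-precision notes in the log; on a real case, take the coverage bound from First Usn and Lowest Valid Usn in fsutil usn queryjournal as well as from the earliest record, since a journal that has wrapped has silently dropped its oldest entries.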

Conclusion
Update your tools and verify that they work as expected.  Understand how a service works and know how to enable it, so that in real cases you can test whether the service was working properly.  Know what time zone is saved and/or reported by your tools: the journal's FILETIME timestamps are UTC, and the jp output above shows 19:53 for the 1:53pm local entry in the test log.  Know how to verify your findings in a hex viewer.  In my case, the changes were correctly identified after I had enabled journaling on the drive.
