Introduction:
NTFS journals play a crucial role in forensic analysis, providing valuable insights into file system activity.
Understanding NTFS Journals:
$UsnJrnl: This journal records file system changes with operation codes that are relatively easy to decipher and well-documented by Microsoft. It provides valuable information on file modifications, deletions, and creations.
$LogFile: Unlike $UsnJrnl, $LogFile events are less clear and poorly documented. However, they contain detailed information about files, including MFT attributes and $I30 index records, making them valuable for forensic analysis.
Analytical Approaches:
Deciphering $UsnJrnl: By analyzing operation codes in $UsnJrnl, analysts can identify common file system activities such as file modifications, deletions, and creations. Microsoft's documentation serves as a valuable resource for understanding these codes.
Exploring $LogFile Events: Despite their complexity, $LogFile events offer rich insights into file system activity. Analysts can extract meaningful context from these events, leveraging knowledge of NTFS components and patterns.
Patterns to Look For:
Useful Filters and Searches in the Journals:
1. Parent Directory Filters:
C:\Windows & C:\Windows\System32: Monitor changes in these directories to detect potential malicious activity, as attackers often disguise malware as legitimate Windows executables.
C:\Prefetch: Track deletions and modifications to prefetch files, which can provide insights into attackers' tactics, techniques, and procedures (TTPs).
Attacker's Working Directories: Identify directories used by attackers to store files, providing valuable indicators of compromise (IOCs) for investigation.
Temp Directories: Monitor temporary directories for suspicious executables or scripts, which may indicate initial exploitation of victim machines.
2. File Type and Name Searches:
Executable Files: Search for common executable extensions such as .exe, .dll, .sys, and .pyd to identify potentially malicious files.
Scripts: Look for script files (.ps1, .vbs, .bat) that may indicate scripting-based attacks or malware execution.
Archive Files: Monitor archive files (.rar, .zip, .cab) for the presence of compressed malicious payloads.
IOC Files and Folder Names: Search for known IOC names or patterns discovered during the investigation to identify related files or directories.
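The $UsnJrnl decoding described under "Deciphering $UsnJrnl" and the parent-directory and file-type filters listed above can be combined into a small triage pass. The following is an added example, not code from the original post: it parses USN_RECORD_V2 entries (the layout and reason flags are Microsoft's documented ones) from a constructed journal buffer and applies the post's filters. The map from ParentFileReferenceNumber to directory path is a stand-in for the $MFT lookup a real parser would perform, and the temp-directory and user paths it contains are constructed sample values.

```python
"""Parse constructed $UsnJrnl USN_RECORD_V2 entries and apply the parent-directory
and file-type triage filters from the post. Added example, not the post's code;
PARENTS stands in for an $MFT lookup and all records are constructed."""
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from Microsoft's USN_RECORD_V2 documentation (subset).
USN_REASON = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
# 60-byte fixed header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows.
HDR = struct.Struct("<IHHQQqqIIIIHH")

EXEC_EXT = {".exe", ".dll", ".sys", ".pyd"}
SCRIPT_EXT = {".ps1", ".vbs", ".bat"}
ARCHIVE_EXT = {".rar", ".zip", ".cab"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
PREFETCH_DIRS = {r"c:\windows\prefetch"}
TEMP_DIRS = {r"c:\windows\temp", r"c:\users\victim\appdata\local\temp"}  # constructed

def decode_reason(flags):
    """Split a Reason bitmask into its documented flag names."""
    return [n for bit, n in USN_REASON.items() if flags & bit]

def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def build_record(frn, parent_frn, usn, filetime, reason, name):
    """Build one V2 record (constructed test data), padded to 8 bytes like NTFS does."""
    raw = name.encode("utf-16-le")
    length = (HDR.size + len(raw) + 7) & ~7
    hdr = HDR.pack(length, 2, 0, frn, parent_frn, usn, filetime, reason,
                   0, 0, 0x20, len(raw), HDR.size)
    return (hdr + raw).ljust(length, b"\0")

def parse_usn_records(buf):
    """Walk consecutive V2 records in a buffer; stop at zero padding."""
    out, off = [], 0
    while off + HDR.size <= len(buf):
        (length, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, _attrs, nlen, noff) = HDR.unpack_from(buf, off)
        if length == 0:  # zero fill at the end of a journal page
            break
        if major != 2 or length < HDR.size + nlen:
            raise ValueError(f"unsupported or corrupt record at offset {off}")
        name = buf[off + noff: off + noff + nlen].decode("utf-16-le")
        out.append({"usn": usn, "frn": frn, "parent_frn": parent,
                    "time": filetime_to_dt(ts), "reason": decode_reason(reason),
                    "name": name})
        off += length
    return out

def triage(records, parent_paths, iocs=()):
    """Apply the post's filters. parent_paths maps ParentFileReferenceNumber to a
    directory path (resolved from the $MFT in real analysis)."""
    hits = []
    for r in records:
        parent = parent_paths.get(r["parent_frn"], "<unresolved>")
        ext = "." + r["name"].rsplit(".", 1)[-1].lower() if "." in r["name"] else ""
        p = parent.lower()
        tags = []
        if p in SYSTEM_DIRS and ext in EXEC_EXT and "FILE_CREATE" in r["reason"]:
            tags.append("new executable in Windows directory")
        if p in PREFETCH_DIRS and "FILE_DELETE" in r["reason"]:
            tags.append("prefetch deletion")
        if p in TEMP_DIRS and ext in EXEC_EXT | SCRIPT_EXT | ARCHIVE_EXT:
            tags.append("suspicious file in temp directory")
        if any(i.lower() in r["name"].lower() for i in iocs):
            tags.append("IOC name match")
        if tags:
            hits.append((r["usn"], parent + "\\" + r["name"], r["reason"], tags))
    return hits

# Constructed journal: four records in one buffer plus trailing zero padding.
T0 = 133_000_000_000_000_000  # constructed FILETIME (mid-2022)
JOURNAL = b"".join([
    build_record(100, 5, 4096, T0, 0x100 | 0x2, "svchost.exe"),
    build_record(101, 9, 4192, T0 + 10_000_000, 0x200 | 0x80000000, "SVCHOST.EXE-ABCD1234.pf"),
    build_record(102, 7, 4288, T0 + 20_000_000, 0x100, "stage1.ps1"),
    build_record(103, 7, 4384, T0 + 30_000_000, 0x2, "notes.txt"),
]) + b"\0" * 16
PARENTS = {5: r"C:\Windows\System32", 9: r"C:\Windows\Prefetch", 7: r"C:\Windows\Temp"}

def run_demo():
    """Parse the constructed journal and return the triage hits."""
    return triage(parse_usn_records(JOURNAL), PARENTS, iocs=["stage1"])

if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Three of the four constructed records match a filter (the new executable in System32, the prefetch deletion, and the script in a temp directory that also matches the IOC name); the plain text file is left out. On a real image the parent map would be built from $MFT record numbers, and the file reference numbers carry a sequence number in their high 16 bits that a production parser should mask or compare.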
Conclusion:
NTFS journal analysis offers a powerful tool for forensic investigators to gain insights into file system activity and track changes over time. By leveraging both $UsnJrnl and $LogFile events, investigators can enhance the depth and context of their analysis, leading to more comprehensive and effective forensic investigations.
Akash Patel