
Power of NTFS Journaling in Digital Forensics $LogFile, $UsnJrnl

Introduction

NTFS, the file system used by Windows operating systems, offers powerful journaling features that provide critical functionality to both the operating system and digital forensic investigations.


Understanding NTFS Journaling:

NTFS employs two separate journals: the $LogFile and the $UsnJrnl.

These journals serve different purposes but share a common benefit for investigators: they allow moment-by-moment changes to files and folders on a volume to be traced back. Unlike volume shadow copies, which offer snapshots of the system at specific points in time, NTFS journals record changes continuously, providing a more comprehensive view of filesystem activity.


Why collect journals?

You might be wondering why NTFS file system journals are relevant from a forensic perspective. The answer lies in the wealth of information they contain, which can help us uncover critical evidence of file-related activities, including creations, deletions, renames, and more.


Types of Journals:

1. Update Sequence Number (USN) Journal:

The Update Sequence Number (USN) Journal is stored in the root of the volume as the $Extend\$UsnJrnl file. Within this file you'll find two alternate data streams, $MAX and $J, with $J being the one that contains the crucial data: the change records themselves.

The $UsnJrnl logs higher-level actions, such as file and directory changes, allowing applications like antivirus and backup software to efficiently track new or modified files. Similar to a cockpit voice recorder, the $UsnJrnl provides situational awareness recording of the changes that occurred, offering valuable insights into system activity.
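To make the "higher-level actions" concrete, here is an added example (not code from the original post, and not a tool the author describes) that walks the $J stream record by record. It follows the documented USN_RECORD_V2 layout: a 60-byte fixed header (record length, version, 64-bit file and parent references, USN, FILETIME, reason flags, attributes) followed by the UTF-16LE file name, padded to an 8-byte boundary. The reason flag values are the real ones from the Windows SDK, but the $J bytes parsed below are constructed in the script for the demo, so the file names, MFT entry numbers and timestamps are assumptions, not data from a real system. One detail worth knowing when correlating records: a record's USN is its byte offset in $J, and a real $J starts with a large sparse (zero-filled) region that the parser skips.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 reason flags (subset; values from the Windows SDK winioctl.h)
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed part of a USN_RECORD_V2: 60 bytes, little-endian, followed by the
# UTF-16LE file name and zero padding up to an 8-byte boundary.
HDR = struct.Struct("<IHHQQqqIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO-8601."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()


def iso_to_filetime(iso):
    """Inverse of filetime_to_iso, used only to build the constructed sample."""
    return ((datetime.fromisoformat(iso) - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_reason(flags):
    """Turn the reason bitmask into MFTECmd-style 'A|B|C' names."""
    names = [name for bit, name in REASONS.items() if flags & bit]
    return "|".join(names) or f"0x{flags:08x}"


def split_ref(ref):
    """A file reference is a 48-bit MFT entry number plus a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_journal(data):
    """Walk $J bytes and return one dict per USN_RECORD_V2, skipping sparse zero runs."""
    records, off = [], 0
    while off + HDR.size <= len(data):
        (length, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = HDR.unpack_from(data, off)
        if length == 0:            # zero-filled region (the sparse start of a real $J)
            off += 8
            continue
        if major != 2 or length < HDR.size or length % 8 or off + length > len(data):
            raise ValueError(f"malformed USN record at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_ref(file_ref)
        parent_entry, _ = split_ref(parent_ref)
        records.append({"usn": usn, "time": filetime_to_iso(ts), "entry": entry,
                        "seq": seq, "parent": parent_entry,
                        "reason": decode_reason(reason), "name": name})
        off += length
    return records


def deleted_names(records):
    """Names of files whose records carry FILE_DELETE."""
    return [r["name"] for r in records if "FILE_DELETE" in r["reason"].split("|")]


# --- constructed sample $J (assumed values, not captured from a real volume) ---
def _record(usn, file_ref, parent_ref, iso_time, reason, name):
    name_b = name.encode("utf-16-le")
    length = HDR.size + len(name_b)
    length += (-length) % 8        # pad to 8-byte alignment like the real journal
    hdr = HDR.pack(length, 2, 0, file_ref, parent_ref, usn, iso_to_filetime(iso_time),
                   reason, 0, 0, 0x20, len(name_b), HDR.size)
    return hdr + name_b + b"\x00" * (length - HDR.size - len(name_b))


def build_sample_journal():
    ref = (5 << 48) | 300          # assumed: MFT entry 300, sequence number 5
    root = (5 << 48) | 5           # the root directory is MFT entry 5
    events = [                     # create, write+close, rename, delete
        ("2024-01-15T10:00:00+00:00", 0x00000100, "report.docx"),
        ("2024-01-15T10:00:01+00:00", 0x80000102, "report.docx"),
        ("2024-01-15T10:05:00+00:00", 0x00001000, "report.docx"),
        ("2024-01-15T10:05:00+00:00", 0x00002000, "report_final.docx"),
        ("2024-01-15T11:30:00+00:00", 0x80000200, "report_final.docx"),
    ]
    data = b"\x00" * 16            # stand-in for the sparse prefix of a real $J
    for when, reason, name in events:
        data += _record(len(data), ref, root, when, reason, name)  # USN == byte offset
    return data


SAMPLE_J = build_sample_journal()

if __name__ == "__main__":
    recs = parse_usn_journal(SAMPLE_J)
    for r in recs:
        print(f'{r["time"]}  usn={r["usn"]:<5} entry={r["entry"]}-{r["seq"]}  '
              f'{r["reason"]:<30} {r["name"]}')
    print("deleted:", deleted_names(recs))
```

To run it against a journal collected with KAPE, read the extracted $J in binary mode and pass the bytes to parse_usn_journal; the entry/sequence pair is what you join against the parsed $MFT to recover the full path, which is exactly why MFTECmd wants the $MFT alongside $J.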


2. Log File:

The $LogFile is another journal located in the volume root, separate from the $Extend directory.


The $LogFile serves as a low-level transactional log, recording detailed changes to the file system. It provides resiliency to NTFS by enabling the system to restore itself to a consistent state in the event of critical errors. Analogous to a flight data recorder on an airplane, the $LogFile offers meticulous tracking of system changes, ensuring the integrity and reliability of the file system.


Forensic Analysis:

While both journals offer valuable insights, they have limited lifespans, typically lasting only days to weeks on busy systems. The USN Journal's typical size is around 32 MB, while the $LogFile's size averages around 64 MB. Despite their short durations, forensic analysts can utilize volume shadow copies to extend the event horizon, providing access to historical data spanning weeks or even months.


Investigation with KAPE:

We'll use KAPE to acquire the NTFS Master File Table (MFT) and the journals. Then we'll use MFTECmd to parse the MFT and the USN Journal; MFTECmd does not parse the $LogFile.


KAPE triage compound target, showing snippets of the MFT, $J, $LogFile and link-file targets. KAPE's output structure, with the raw files alongside the parsed outputs, shows how efficiently this workflow gathers artifacts for analysis.


KAPE can be run either as the GUI version or as the command-line version; which one you use is up to you.

command


Analysis and parsing of these journals will be covered in the next blog post.


Akash Patel
