NTFS Log Tracker
FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA
Junghoon Oh (blueangel)
blueangel1275@gmail.com
forensic-note.blogspot.kr
Index
1. Introduction
2. $LogFile
3. $UsnJrnl
4. NTFS Log Tracker
5. Conclusion
forensicinsight.org Page 2
Introduction
Introduction  NTFS’s Log File • • $LogFile : Transaction Log $UsnJrnl : Change Log  Conventional file system forensics for NTFS • • File system event based analysis primarily focusing on $MFT  $MFT : A file containing meta data for all files and directories in NTFS. For deleted files it is possible that there is no meta data in $MFT  Finding artifacts of deleted is very difficulty for the following reasons • In case of system drive( C: ), the OS creates temp files constantly. • A periodic garbage collection since Windows 7. • In case of SSD, unallocated space is arranged by TRIM operation. forensicinsight.org Page 4
Introduction  Analysis of $LogFile and $UsnJrnl • With these files, an investigator can analyze the file system events during a specific period. • The file system events that are not in $MFT can still be analyzed  The history of deleted file  The history of a specific file – $MFT provides only last modified/access time of a file. • • Identify history of access time of a particular file. Identify history of modified time of a particular file. forensicinsight.org Page 5
$LogFile
- $LogFile ?
- The structure of $LogFile
- The event analysis of $LogFile
$LogFile ?  The transaction log file of NTFS • • In case of unexpected system shutdown due to power error or critical system failure, the operating system recovers the status of file system to the previous status with saved information in "$LogFile" file. $LogFile contains all file system transaction records.  The creation of file/directory  The deletion of file/directory  The modification of $data  The modification of MFT entry • Each record has LSN($LogFile Sequence Number).  This LSN information increase sequentially. • • • Each record has the operation data and the data before operation for restoration  Redo : The data after operation  Undo : The data before operation Each volume has $LogFile. It is located at entry number 2 of MFT. Entry Number File Name Stored Information 0 1 2 3 $MFT MFT Entry $MFTMirr Backup of $MFT $LogFile Transaction Log $Volume Volume label, Identifier, Version forensicinsight.org Page 7
$LogFile ?  Size of $LogFile • • • • 64 MB in typical hard disk volume. The size can changed based on volume size but typically it is less than 64 MB. In case of typical computer usage (web surfing, working on documents, etc), the capacity of 64 MB can hold 2 ~ 3 hours of activities in $LogFile records. For forensic readiness, the size of the file should be increased.  Resize of $LogFile • • chkdsk /L  Print current file size “/L : [filesize(KB)]”  Modification of file size forensicinsight.org Page 8