Thursday, December 12, 2013

Daily Blog #172: Solving Sunday Funday 12/1/13 Part 6 Using the $logfile to find deletions

Hello Reader,
          In our previous post we found the artifacts related to the files we recovered in the USN journal being created and modified. However the question still remains, what about deletion?

For that we look to the $logfile to an absolute deletion event as seen below for test.txt
So now we found a record for the deletion, to do this I took the file reference number for test.txt, 1600,  and searched from it within the $logfile looking for the deletion event code 'DeallocateFileRecordSegment'.

Next we need to know when this occured as there is no timestamp for this event. To do so manually we can just look right before and after that LSN (205004336) to find a timestamp of an MFT Entry changed.

Doing this gets you the timestamp, 2013-12-10 20:47:25:145:5592 which matches to the last file_delete event in the USN!

This all about validation and analysis and I've gotten some funky results from this test where I've tested this $logfile against two parsers (ANJP and LogFile Parser) and neither associated the deletion with test.txt. So I am going to find out whats going on and then write another post next week with an update.