Tuesday, June 3, 2014

Daily Blog #345: Extracting USN Journals in X-ways Forensics

Hello Reader,
       Today we have a guest post from Blazer Catzen, of Catzen Forensics, who was nice enough to write up the procedure for extracting USN Journals with X-Ways Forensics in a way that makes the resulting file more accessible to other tools. Let me explain what I mean by more accessible: X-Ways correctly places no timestamps on an exported alternate data stream, because the ADS itself has none. An ADS carries no timestamp attribute, so applying one would be artificial, and X-Ways leaves that choice to the user. That matters because the Win32 API really wants a timestamp when it opens a file, and many tools will fail if the file does not have one. So here is Blazer's writeup on how to do it:

X-Ways comes with a license for WinHex.

Process as follows:

1. Locate USN$J and note that it has children (the dots along the bottom).

2. Go into the "child", in this case the ADS.

And select Recover/Copy.

NOTE: check the "Output ADS as files" check box.

And as you so aptly noted... no dates. Tunneling did give a created date but no modified date, and ANJP (WinAPI) wants both... so picky.

Close XWF, open WinHex, open $J and File > Save As...

And now your new file will have dates.

And it will open up with other programs that rely on the Win32 API to open file handles, such as TriForce.