Tuesday, June 17, 2014

Daily Blog #359: Carving USN Records

Hello Reader,
Today I want to talk about something I find very exciting. You know how much we enjoy USN journals, but as with all the best artifacts, it's limited in scope: the journal only goes back so far in time. We previously found joy in the fact that USN Journals are included in the Volume Shadow Copies, meaning we could recover much more data about what happened in the past, but now we can get even more!

I was under the misconception in the past that USN Journals, like the $LogFile, were a circular log, meaning the data at the beginning of the journal would be overwritten when the allocated space ran out. This belief did not line up with what we saw in the journal itself, though: we just kept seeing blocks of 0's assigned and no overwritten records. After talking to Troy Larson, I now understand that this behavior is due to the fact that the journal is not circular; rather, pages are allocated and deallocated as the journal grows.

Why is this exciting? It means that old records are not overwritten, just deallocated, and are hanging out in the unallocated space of the partition. That means we can carve for these records and recover much more USN Journal data. Carved USN Journal data is especially useful because each record contains everything you need to know within itself (timestamp, file reference number, filename, etc.); nothing leading up to or following a record will detract from the value of carving even a single record.
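To show what "self-contained" means in practice, here is a small carver for USN_RECORD_V2 entries, added as an example for this post rather than code from the post, X-Ways or the Triforce. It assumes the 60-byte USN_RECORD_V2 header layout from the Windows SDK and runs over a constructed byte buffer standing in for a chunk of unallocated space; each record is validated on its own fields alone, which is why carving even an isolated record works.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header: 60 bytes, little-endian (Windows SDK layout).
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_HDR_LEN = _HDR.size  # 60
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_usn_v2(buf, off):
    """Parse one USN_RECORD_V2 at buf[off:]; return None if it fails validation."""
    if off + _HDR_LEN > len(buf):
        return None
    (rec_len, major, minor, frn, parent, usn, ts, reason, _src, _sid, attrs,
     name_len, name_off) = _HDR.unpack_from(buf, off)
    # Nothing around a carved record can be trusted, so validate every field: version 2.0,
    # name right after the header, even UTF-16 length, RecordLength = header + name padded to 8.
    if (major, minor) != (2, 0) or name_off != _HDR_LEN or not name_len or name_len % 2:
        return None
    if rec_len != (_HDR_LEN + name_len + 7) & ~7 or off + rec_len > len(buf):
        return None
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
    return {"offset": off, "record_length": rec_len, "usn": usn, "reason": reason,
            "frn": frn & 0xFFFFFFFFFFFF, "parent_frn": parent & 0xFFFFFFFFFFFF, "attributes": attrs,
            "filename": name, "timestamp": _EPOCH + timedelta(microseconds=ts // 10)}  # 100 ns ticks

def carve_usn_records(buf):
    """Scan raw bytes (e.g. unallocated clusters) and return every record that validates."""
    records, off = [], 0
    while off + _HDR_LEN <= len(buf):
        rec = parse_usn_v2(buf, off)
        if rec:
            records.append(rec)
        # Jump over a good record, else advance one byte (carved data need not be 8-byte aligned).
        off += rec["record_length"] if rec else 1
    return records

def build_usn_v2(name, frn, parent, usn, ft, reason):
    """Build a USN_RECORD_V2; used here only to construct sample input."""
    raw = name.encode("utf-16-le")
    rec_len = (_HDR_LEN + len(raw) + 7) & ~7
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(raw), _HDR_LEN)
    return hdr + raw + bytes(rec_len - _HDR_LEN - len(raw))

# Constructed sample: zero-filled pages, a record, unrelated junk, a second record at an unaligned offset, more zeros.
_FT = int((datetime(2014, 6, 17, tzinfo=timezone.utc) - _EPOCH).total_seconds()) * 10**7
SAMPLE = (bytes(4096) + build_usn_v2("notes.txt", (5 << 48) | 1234, 5, 0x1000, _FT, 0x100)
          + b"junk data" * 3
          + build_usn_v2("report.docx", (1 << 48) | 5678, 5, 0x1050, _FT + 10**7, 0x80000002)
          + bytes(512))
```

Running `carve_usn_records(SAMPLE)` returns both records with their timestamps, file reference numbers and names, even though the second one sits at an odd byte offset behind junk.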

Currently I know X-Ways Forensics supports carving these entries, and we will be coming out with carving signatures for you to use as well. This is great news and will lead to even more great evidence! As we move forward with the commercial version of the Triforce, you should expect to see this carving functionality built in as well.