Daily Blog #345: Extracting USN Journals in X-ways Forensics

Hello Reader,
Today we have a guest post from Blazer Catzen, of Catzen Forensics, who was nice enough to write up the procedure for extracting USN journals with X-Ways Forensics in a way that makes the resulting file more accessible to other tools. Let me explain what I mean by more accessible: X-Ways correctly places no timestamps on an alternate data stream when it is exported, because an ADS has no timestamp attribute of its own and applying one would be artificial; applying one is, however, something X-Ways lets the user do. This is handy because the Win32 API really wants a timestamp when it opens a file, and many tools will fail if the file does not have one. So here is Blazer's writeup on how to do it:

Extracting USN Journals in X-ways Forensics

X-Ways comes with a license for WinHex.

The process is as follows:

1. Locate the $UsnJrnl file (USN$J) and note that it has children (the dots along the bottom).

2. Go into the “child”, in this case the ADS,

and select Recover/Copy.

NOTE the “Output ADS as files” check box.

And as you so aptly noted … no dates. File system tunneling did give a created date but no modified date, and ANJP (the WinAPI, really) wants both … so picky.

Close XWF, open WinHex, open $J, and use File > Save As …

And now your new file will have dates.

It will now open in other programs that rely on the Win32 API to open file handles, such as Triforce.
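
Once the $J stream has been exported this way, any tool can read it. As an added example (not part of Blazer's write-up, nor code from X-Ways or Triforce), the Python below walks the USN_RECORD_V2 entries in such an export, skipping the zero-filled runs that a sparse $J contains, and is checked against a two-record sample that is constructed inline; the `build_record` writer and all sample values are fabricated for the demonstration, and only V2 records are handled.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte header of USN_RECORD_V2 (field order per Microsoft's documentation).
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_HDR_LEN = _HDR.size  # 60
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf, skipping the zero-filled runs
    a sparse $J export contains; raise on a malformed or non-V2 record."""
    pos, end = 0, len(buf)
    while pos + _HDR_LEN <= end:
        (length, major, _minor, fref, pref, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = _HDR.unpack_from(buf, pos)
        if length == 0:
            pos += 8  # zero fill between records; records are 8-byte aligned
            continue
        if major != 2 or length % 8 or length < _HDR_LEN or pos + length > end:
            raise ValueError(f"malformed or non-V2 record at offset {pos:#x}")
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        yield {"offset": pos, "usn": usn, "timestamp": filetime_to_dt(ts),
               "mft_entry": fref & 0xFFFFFFFFFFFF, "mft_seq": fref >> 48,
               "parent_entry": pref & 0xFFFFFFFFFFFF, "name": name,
               "reasons": sorted(n for b, n in REASONS.items() if reason & b)}
        pos += length

def build_record(usn, when, fref, pref, reason, name):
    # Constructed USN_RECORD_V2 writer, used only to fabricate the sample below.
    nm = name.encode("utf-16-le")
    length = (_HDR_LEN + len(nm) + 7) & ~7
    ft = int((when - _EPOCH).total_seconds()) * 10_000_000
    hdr = _HDR.pack(length, 2, 0, fref, pref, usn, ft, reason, 0, 0, 0x20, len(nm), _HDR_LEN)
    return hdr + nm + b"\0" * (length - _HDR_LEN - len(nm))

# Constructed sample: 16 bytes of sparse zero fill, two records, 8 bytes of slack.
SAMPLE = (b"\0" * 16
          + build_record(4096, datetime(2014, 6, 1, tzinfo=timezone.utc),
                         (5 << 48) | 1234, (1 << 48) | 5, 0x80000100, "report.docx")
          + build_record(4184, datetime(2014, 6, 1, 12, tzinfo=timezone.utc),
                         (5 << 48) | 1234, (1 << 48) | 5, 0x80002000, "notes.txt")
          + b"\0" * 8)

def parse_sample():
    return list(parse_usn_v2(SAMPLE))
```

To run it over a real export, pass the file's bytes to `parse_usn_v2` instead of `SAMPLE`; the exported $J is sparse, so expect many zero-filled stretches before the first record.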