NTFS Journal Forensics

  • Published 18 Oct 2024

Comments • 40

  • @Lateronwecome
    @Lateronwecome 5 years ago +12

    Little additional info: the UsnJrnl is not cyclic, it just allocates new disk space as it grows, leaving the older records as data slack. This means you can carve them. There is a different tool called NTFS Log Tracker which works very similarly but also takes the free disk space from your FTK/EnCase/XWF and actually restores “deleted” records. This way you can go months back.

    • @13Cubed
      @13Cubed 5 years ago +1

      Very interesting - thanks for sharing that!

  • @artemermakov261
    @artemermakov261 3 years ago +2

    Great video!!! I really appreciate your work. It looks like ANJP is not accessible any more via the official web page. Is there any alternative URL to get it, please? :-)

    • @13Cubed
      @13Cubed 3 years ago +1

      I am actually working on an updated episode featuring Eric Zimmerman's MFTECmd, which can be used to parse the $MFT and $J from $UsnJrnl. It does not yet support $LogFile.

    • @artemermakov261
      @artemermakov261 3 years ago

      @@13Cubed BTW, do you know what happened with the gettriforce web page? Why isn't it accessible any more?

    • @13Cubed
      @13Cubed 3 years ago +1

      @@artemermakov261 The author has apparently discontinued the tool. Eric Zimmerman's MFTECmd is a good alternative, and I will have a video covering it later.

  • @mimikatz
    @mimikatz 5 years ago +1

    Awesome, thank you! Is the tool now free?
    One request video, if possible!!
    Could you possibly do a whole DFIR investigation on one box? Say, the steps you’d take for imaging the host, DF analysis, timeline analysis, then memory analysis?
    Awesome content. Very helpful.

    • @13Cubed
      @13Cubed 5 years ago +4

      Thanks - and to answer your question, yes and no. There is a free version of the tool, which is what I was using here. There is also a paid commercial version available that provides additional features.
      And regarding your request -- that's actually in-work. It's a scenario-based episode involving IP theft, showing triage image acquisition and analysis.

    • @mimikatz
      @mimikatz 5 years ago +3

      13Cubed I just downloaded it today at work! Going to give it a go later.
      Can’t wait for that video. It will be awesome!

  • @mohamedelbaz9288
    @mohamedelbaz9288 3 years ago +1

    You are awesome and really talented

  • @lautarob
    @lautarob 5 years ago +1

    Thanks!! Very illustrative and helpful video.

  • @VikasSingh-ch4ef
    @VikasSingh-ch4ef 3 years ago +1

    There's quite a noticeable distance between the Like & Dislike button, I wonder how one could accidentally click on the latter.

  • @IqbalHamid
    @IqbalHamid 3 years ago +1

    Can anyone please advise what happens when you run the command 'fsutil usn deletejournal /N /D C:' at the command prompt? I have heard it clears the USN journal. What does this mean? Is the USN journal actually permanently lost? I believe the command is run to fix corrupted volumes (e.g. ones which prevent chkdsk and defrag from running). How dangerous is it to run this delete journal command?

    • @13Cubed
      @13Cubed 3 years ago +2

      This is probably a better explanation than I can (quickly) give you: "Deleting the journal is usually safe, but can have consequences. Applications that are using it will not see file changes between the last time the application ran and when the journal was deleted. Well-programmed applications will detect that the journal was deleted and will revert to an alternative method of finding changed files." See: www.wilderssecurity.com/threads/does-delete-the-journal-speed-up-or-keep-an-os-healthy.375079/

  • @zomgninja
    @zomgninja 5 years ago +1

    Awesome videos as always!

  • @Amm9
    @Amm9 2 years ago +1

    Silly question. So these artifacts would be beneficial in a case where the objective is to determine if certain documents were deleted after a specified date?

    • @13Cubed
      @13Cubed 2 years ago +1

      That's one use case -- potentially being able to determine that something was deleted, and *when* it was deleted. File renames, moves, and many other OpCodes are tracked by the journals. Check out the follow-up episode here: th-cam.com/video/_qElVZJqlGY/w-d-xo.html

    • @Amm9
      @Amm9 2 years ago +1

      @@13Cubed I just used these artifacts in a theft of IP case to show that a document existed on the user's desktop at some point. Thanks for the informative video.

  • @Sysshad
    @Sysshad 3 months ago

    What if you delete the file with an application that actually writes zeroes on the disk (instead of setting the deleted flag)? Can you still retrieve it here?

    • @13Cubed
      @13Cubed 3 months ago

      No, if a file is overwritten with null bytes or random data, your best bet for recovery would be via volume shadow copy, if the file happened to still be present in one of those copies.

  • @FahadAldosary
    @FahadAldosary 5 years ago +3

    Thank you so much for all amazing educational videos.

  • @TheCorei71
    @TheCorei71 3 years ago +2

    Hi... I am not able to find this tool anywhere on the internet. Requesting help from forensics lovers. Thanks.

    • @13Cubed
      @13Cubed 3 years ago +3

      Try MFTECmd from Eric Zimmerman, which will parse $MFT and $UsnJrnl (specifically the $J ADS). $LogFile support is coming, but not available as of now. I am working on a new episode that will cover this. You can look for it in Q1 of next year.

    • @TheCorei71
      @TheCorei71 3 years ago +1

      @@13Cubed Much appreciate your response. Thanks, and have a rocking successful new year ahead 🤠.

    • @troyschnack
      @troyschnack 3 years ago +2

      @@13Cubed Thanks for the info. Playing with MFTECmd this weekend. The SANS Zimmerman poster is also helpful for command syntax and files to export.

  • @t0m3czek
    @t0m3czek 4 years ago +1

    Great tutorial! How can I use this to inspect renaming of files? I am studying a DF module and one of the tasks is to find how files were moved and renamed. When I put in the name of the file, the only result I get is where it was placed on disk and then that it was moved to a different directory. How do I track file renaming, e.g. Secret.txt -> Santa.mp3? Cheers.

    • @13Cubed
      @13Cubed 4 years ago +2

      You'll find a file renames section within ANJP. Shimcache may also help you here (for executables). If an executable is renamed, it will be re-shimmed. If the M times tracked by the shimcache match exactly (especially up to 64-bit resolution), there is high confidence you are looking at the same file. Also, shimcache parsing tools will place the newest (most recently shimmed) entries at the top of the list. So, if you see evil.exe with X M-Time, and then above that you see svchost.exe with the same X M-Time, you're probably looking at the same file that has been renamed from evil.exe to svchost.exe.

    • @t0m3czek
      @t0m3czek 4 years ago

      @@13Cubed Thanks for the fast reply. After watching another tutorial (webinar) I have found the solution. If you click on "usn record listing" (the one that shows all the transaction events), you can check the "usn record reason" for the file or directory and, most importantly, the "usn rcd file ref#". So in a nutshell, if the file has been renamed, you can filter by the "usn rcd file ref#" and it will show you the original and the renamed file. That doesn't apply if you change the directory of the file for some reason. Hope that makes sense.
      The webinar I was talking about: th-cam.com/video/zKZlXhU2MJQ/w-d-xo.html - the renaming solution starts at 27:30.
      I would like to add one more thing: when you are looking for a directory or a file/files for which you don't know the full name or path, use the %% syntax. E.g.: "%\Users\Delikwent\Desktop\secret%"
      Cheers.
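The two mechanics discussed in this thread, old USN records surviving as slack that can be carved (@Lateronwecome's comment above) and pairing a file's RENAME_OLD_NAME and RENAME_NEW_NAME records by its file reference number to recover a rename like Secret.txt -> Santa.mp3 (the reply directly above), can be reproduced with a few lines of Python. The block below is an added example, not code from 13Cubed, Triforce ANJP or MFTECmd. It follows the documented USN_RECORD_V2 layout (60-byte fixed header, UTF-16LE name at FileNameOffset, 8-byte-aligned RecordLength) and the documented USN_REASON_* flag bits; the $J buffer it scans is constructed in the script itself, so nothing here reflects a real volume:

```python
# Added example (not from the video or its comments): carve USN_RECORD_V2 entries out of a raw
# $UsnJrnl:$J buffer, decode the reason flags, and pair RENAME_OLD_NAME/RENAME_NEW_NAME records
# that share a file reference number to recover the old -> new name of a rename.
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 60                  # fixed part of USN_RECORD_V2; the file name follows at FileNameOffset
HEADER_FMT = "<IHHQQqqIIIIHH"    # RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
                                 # ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
                                 # SecurityId, FileAttributes, FileNameLength, FileNameOffset
assert struct.calcsize(HEADER_FMT) == HEADER_LEN

# Documented USN_REASON_* bits (winioctl.h); insertion order controls the printed order.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE",
    0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE",
    0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def decode_reason(reason):
    return "|".join(name for bit, name in REASON_FLAGS.items() if reason & bit) or f"0x{reason:08x}"

def split_file_ref(ref):
    """An NTFS file reference is a 48-bit MFT entry number plus a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_record(buf, off):
    """Decode one record at off, or return None if the header fails sanity checks (zero fill, slack, junk)."""
    if off + HEADER_LEN > len(buf):
        return None
    (length, major, minor, fref, pref, usn, ts, reason,
     _src, _sid, _attrs, name_len, name_off) = struct.unpack_from(HEADER_FMT, buf, off)
    if (major, minor) != (2, 0) or length < HEADER_LEN or length % 8 or off + length > len(buf):
        return None
    if name_off != HEADER_LEN or name_len % 2 or name_off + name_len > length:
        return None
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", errors="replace")
    entry, seq = split_file_ref(fref)
    return {"offset": off, "length": length, "usn": usn, "file_ref": fref, "mft_entry": entry,
            "seq": seq, "parent_ref": pref, "timestamp": filetime_to_datetime(ts),
            "reason": decode_reason(reason), "reason_raw": reason, "name": name}

def carve_records(buf):
    """Walk every 8-byte-aligned offset: records are 8-byte aligned, so a failed parse just steps 8 bytes."""
    recs, off = [], 0
    while off + HEADER_LEN <= len(buf):
        rec = parse_record(buf, off)
        if rec:
            recs.append(rec)
            off += rec["length"]
        else:
            off += 8
    return recs

def track_renames(recs):
    """Pair each RENAME_OLD_NAME with the next RENAME_NEW_NAME carrying the same file reference."""
    pending, renames = {}, []
    for r in recs:
        if r["reason_raw"] & 0x1000:
            pending[r["file_ref"]] = r["name"]
        elif r["reason_raw"] & 0x2000 and r["file_ref"] in pending:
            renames.append((r["file_ref"], pending.pop(r["file_ref"]), r["name"]))
    return renames

# ---- constructed sample $J (not from a real volume) ----
def build_record(usn, fref, pref, ts, reason, name):
    nb = name.encode("utf-16-le")
    length = (HEADER_LEN + len(nb) + 7) & ~7           # pad to 8-byte alignment like NTFS does
    hdr = struct.pack(HEADER_FMT, length, 2, 0, fref, pref, usn, datetime_to_filetime(ts),
                      reason, 0, 0, 0x20, len(nb), HEADER_LEN)
    return (hdr + nb).ljust(length, b"\x00")

SECRET_REF = (1 << 48) | 42        # MFT entry 42, sequence 1 (constructed)
DESKTOP_REF = (1 << 48) | 1000     # parent directory (constructed)
T0 = datetime(2024, 10, 18, 12, 0, 0, tzinfo=timezone.utc)

def build_sample_journal():
    parts = [b"\x00" * 64]         # zero-filled range such as the sparse head of $J
    events = [
        (SECRET_REF, DESKTOP_REF, 0x100 | 0x80000000, "Secret.txt"),    # FILE_CREATE|CLOSE
        (SECRET_REF, DESKTOP_REF, 0x1000, "Secret.txt"),                # RENAME_OLD_NAME
        (SECRET_REF, DESKTOP_REF, 0x2000 | 0x80000000, "Santa.mp3"),    # RENAME_NEW_NAME|CLOSE
        (SECRET_REF, DESKTOP_REF, 0x200 | 0x80000000, "Santa.mp3"),     # FILE_DELETE|CLOSE
    ]
    for i, (fref, pref, reason, name) in enumerate(events):
        usn = sum(len(p) for p in parts)               # Usn is the record's byte offset in $J
        parts.append(build_record(usn, fref, pref, T0 + timedelta(minutes=i), reason, name))
        if i == 1:
            parts.append(b"\xff" * 16)                 # junk the carver must step over
    return b"".join(parts)

SAMPLE_J = build_sample_journal()

if __name__ == "__main__":
    recs = carve_records(SAMPLE_J)
    for r in recs:
        print(f"{r['timestamp']:%Y-%m-%d %H:%M:%S} usn={r['usn']:<6} entry={r['mft_entry']}/{r['seq']} "
              f"{r['reason']:<28} {r['name']}")
    for ref, old, new in track_renames(recs):
        print(f"rename on file ref {ref:#x}: {old} -> {new}")
```

Run against a real $J extracted with a forensic tool, the same carver recovers records from regions a live journal API would never return, because it trusts only the header sanity checks, not the journal's own first/next USN pointers. The rename pairing is the programmatic form of the "filter by usn rcd file ref#" trick: the file reference stays constant across a rename, while the name changes, which is also why a move to another directory shows up as a change of parent reference rather than as a rename pair.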

  • @emran5897
    @emran5897 5 years ago

    Thanks for the video...

  • @SleepyStories-b8r
    @SleepyStories-b8r 10 months ago

    Where can we find this tool? I have looked all over the web and found nothing.

    • @13Cubed
      @13Cubed 10 months ago

      See the video's description :)
      "Triforce ANJP is no longer available. After you've watched this episode, please check out "Introduction to MFTECmd" which covers the same information in greater detail, and highlights an alternative tool to parse these artifacts."

  • @khalidabdurrahman9627
    @khalidabdurrahman9627 4 years ago

    Is there any difference in the MFT or in the logfile records if I extract those files from a disk image (not from a live disk)?

    • @13Cubed
      @13Cubed 4 years ago +1

      Not sure I understand what you are asking. The MFT will point to the cluster run on disk (unless the file is resident), and there would be logfile transactional data to accompany that file (depending on the timeframe, of course).

    • @khalidabdurrahman9627
      @khalidabdurrahman9627 4 years ago

      @@13Cubed Another question: is it possible to clean the logfile without reformatting the drive?

  • @smh4536
    @smh4536 3 years ago +1

    Why did this tool just disappear?

    • @13Cubed
      @13Cubed 3 years ago

      The developer discontinued it. Notice the description of the episode which points you to a new episode and a new tool: th-cam.com/video/_qElVZJqlGY/w-d-xo.html

    • @smh4536
      @smh4536 3 years ago

      @@13Cubed I see. I'll check out the video, but I did really like the simplicity of ANJP.

    • @13Cubed
      @13Cubed 3 years ago

      @@smh4536 I think you'll like MFTECmd for parsing the $MFT and $UsnJrnl (no $LogFile support yet). It's very straightforward and easy to use.

  • @eduardmart1237
    @eduardmart1237 4 years ago

    How can I download this software? Are there free alternatives?

    • @d_o_o_m_e_d5939
      @d_o_o_m_e_d5939 4 years ago

      You can boot from a USB and mount the Windows partition. The $ files are hidden, so just open the terminal and type file “$MFT”.