by Dr. Radut

FCNS_UsnJrnl

FCNS_UsnJrnl is a EnScript for carving and parsing NTFS Change Journals Record. 

FCNS UsnJrnl 01

Open the case or create new case, add evidence then launch this EnScript. The following options are available.

  • Target          
    • Selected: blue-checked file/object
    • Other - $UsnJrnl·$J, $LogFile, pagefile.sys, Unallocated Clusters: enable/disable by each check box
  • Filtering Option          
    • From/To: specify date range
    • Skip duplication records: it takes much time if it found many records
  • Export          
    • LEF File: specify the file path for carving UsnJrnl Record
    • TSV File: specify the file path for parsing UsnJrnl Record
    • Integrate output records (TSV File)    

Download

FCNS_UsnJrnl_1.0.1.EnPack (SHA1: 8ee537493e3b405132b28823cde21f9492b218e7)

License

You may use the SOFTWARE freely for personal or commercial and NO WARRANTIES.

Requirements

EnCase 7.x

Background

Change Journals is a mechanism for recording any change with files/folders in NTFS file system. Change Journals is enabled by default at system drive (C volume) in Windows 2003 or later version. Third party applications such as backup/antivirus use this mechanism to speed up a check, it's valuable information for forensic investigation.

The structure of Change Journals record is published by Microsoft and there are some tools that parse record. However, there is still pretty room for improvement about carving unallocated space and merging with the result of parsing.

Feature

FCNS_UsnJrnl is based on USN_RECORD_V2 structure, searches following signature with selected files/objects.

..\x00\x00\x02\x00\x00\x00..................................................\x3C\x00

Offset 4-5 is the record structure version of Change Journals, "\x02\x00" indicates USN_RECORD_V2. According to the Microsoft, USN_RECORD_V3 is defined but Windows 8.1 (and Windows 10 Technical Preview) records Change Journals with USN_RECORD_V2, so FCNS_UsnJrnl search only USN_RECORD_V2.

Usually the maximum size of Change Journals is about tens of megabytes. As far as I know, if it fill up a storage of Change Journals, past area is released and is allocated new area. Therefore previous Change Journals record remain in unallocated area. Also, cache exists in page file.sys and $LogFile so you can get more information if you search these area.

There is a "Reason" variable indicating bit flag within the record. For example "0x00000100" is USN_REASON_FILE_CREATE which indicates creating file, "0x00008000" is USN_REASON_BASIC_INFO_CHANGE which indicates changing attribute. There a variety of pattern of Reason because such examples combined. If tool shows "Reason" information by bit flag, I think it's hard to analyze. So FCNS_UsnJrnl shows simple information to Reason(String) column in the following Strings.

FCNS UsnJrnl 02

Reasonの内容に応じて以下のいずれかに分類してReason(String)項目に出力します。    

  • RENAME(NEW)
  • RENAME(OLD)
  • DELETE
  • CREATE
  • DATA
  • CLOSE
  • META
  • ADS
  • COMP/EFS
  • OBJECT_ID
  • REPARSE
  • OTHER

In addition Change Journals records transcation by individually, if tool parses all of the records I think it's too many information. For example, when a flood of data is added to a file, Change Journals store a number of similar records. If you choose "Integrate output records" option when running FCNS_UsnJrnl, it summarizes a contiguous records for one file. If it is checked this option with sample of earlier screenshot, the result is the following.

FCNS UsnJrnl 03

 

Reference

Change Journals
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363798(v=vs.85).aspx

USN_RECORD_V2 structure
http://msdn.microsoft.com/en-us/library/windows/desktop/aa365722(v=vs.85).aspx

History

2015/04/19

I added "VSS" in Target - Other. The EnScript have also adjusted timezone with evidence.