SlideShare a Scribd company logo

(150124) #fitalk advanced $usn jrnl forensics (english)

INSIGHT FORENSIC
INSIGHT FORENSIC

This document discusses the $UsnJrnl journal file in NTFS file systems and its use for digital forensics investigations. The $UsnJrnl file records changes made to files and directories on the system. Tools are discussed for extracting and parsing the $UsnJrnl records to analyze file system activity and trace deleted files. The document also introduces NTFS Log Tracker v1.4, a tool that can carve $UsnJrnl records from unallocated space and perform keyword searches across recovered records.

Technology
1 of 26
Download to read offline
FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA Advanced $UsnJrnl Forensics blueangel blueangel1275@gmail.com http://forensic-note.blogspot.kr/ Junghoon Oh
forensicinsight.org Page 2 1. $UsnJrnl 2. $UsnJrnl Record Carving 3. NTFS Log Tracker v1.4 4. Conclusion
forensicinsight.org Page 3 $UsnJrnl
forensicinsight.org Page 4 $UsnJrnl  This file is used to determine whether any change is occurred in a specific file by applications.  From Win7, Journal Function is activated by default • In case of deactivation setting(in Win XP), it is possible to activate through “Fsutil”. > fsutil usn [createjournal] m=<MaxSize> a=<AllocationDelta> <VolumePath> • For more information about “Fsutil” : http://technet.microsoft.com/en-us/library/cc788042.aspx  The file is composed of “$Max” attribute and “$J“ attribute • $Max : The meta data of change log is stored. • $J : The actual change log records are stored.  Each record has USN(Update Sequence Number) information.  The record order is determined with USN.  USN = the offset value of a record within $J attribute  USN information is also stored in then $STANDARD_INFORMATION attribute of a MFT record Journal(Change) Log File of NTFS
forensicinsight.org Page 5 $UsnJrnl  Location • The file is located under “$Extend” folder.  The size of log data(generally…) • In case of full time use(24 hours/day), the log for 1~2 days are recorded. • In case of regular use(8 hours/day), the log for 4~5 days are recorded.  Forensic Readiness • changing log size bigger(more than 1 GB??)  Digital Forensic Profit • The investigator can confirm every NTFS’s events(creation, deletion, modification…) in specific period. Journal(Change) Log File of NTFS(continue…)
forensicinsight.org Page 6 $UsnJrnl  The size of $Max attribute • 32 Bytes fixed size  The format of $Max attribute The Structure of $Max attribute Offset Size Stored Information Detail 0x00 8 Maximum Size The maximum size of log data 0x08 8 Allocation Size The size of allocated area when new log data is saved. 0x10 8 USN ID The creation time of "$UsnJrnl" file(FILETIME) 0x18 8 Lowest Valid USN The least value of USN in current records With this value, investigator can approach the start point of first record within "$J" attribute
forensicinsight.org Page 7 $UsnJrnl  The log records of variable size are listed consecutively.  • The zero-filled "Sparse Area" occupies front part of an attribute. • The reason for this structure is because the operating system keeps the same size of the log data saved in the $J attribute. • The record allocation policy of $J attribute 1. The new log records are added at the end of the attribute. 2. If the total size of the added records exceeds "Allocation Size", the operation system assures that the size of the entire log data exceeds "Maximum Size". 3. If the size of the entire log data exceeds "Maximum Size", the front area of attribute is occupied by zero as much as size of "Allocation Size".(Actually, disk area is not filled by zero.) • Thus, the logical size of $J attribute grow continuously, but the size of area saving actual data is kept constant. • The general size of log data is 0x200000 ~ 0x23FFFFF The Structure of $J attribute
forensicinsight.org Page 8 $UsnJrnl  After Logical area, there are valid data…  Extracting $J attribute by Encase 6(default “Logical File Only”) • There is no valid data which is located after logical area. The Structure of $J attribute(continue…)
forensicinsight.org Page 9 $UsnJrnl  Encase • Extract $J attribute after selecting “Entire Physical File” option  Winhex • Default, this tool extracts file by Physical Size  ExtractUsnJrnl ( https://github.com/jschicht/ExtractUsnJrnl ) • This tool can extract only valid data except sparse area. Collection of $UsnJrnl
forensicinsight.org Page 10 $UsnJrnl • The reason for using "Parent MFT Reference Number“ instead of "MFT Reference Number"  If "MFT Reference Number“ is used, full path information may not be obtained when relevant file is deleted. The format of record (http://msdn.microsoft.com/en-us/library/aa365722.aspx) Offset Size Stored Information Detail 0x00 4 Size of Record 0x04 2 Major Version 2(Change Journal Software’s major version) 0x06 2 Minor Version 2(Change Journal Software’s major version) 0x08 8 MFT Reference Number "MFT Reference Number" of file or directory that effected by currently change event. 0x10 8 Parent MFT Reference Number "MFT Reference Number" of parent directory of file and directory that effected by currently change event. The full path information can be obtained with this information and $MFT. 0x18 8 USN Update Sequence Number 0x20 8 TimeStamp(FILETIME) Event Time(UTC +0) 0x28 4 Reason Flag The flag of change event 0x2C 4 Source Information The subject that triggers change of event 0x30 4 Security ID 0x34 4 File Attributes The attribute information of the object effected by current event. Generally, it is used for classifying the object into a file or directory. 0x38 2 Size of Filename The size of object name effected by current event 0x3A 2 Offset to Filename The offset of object name within record 0x3C N Filename The object(file or directory) name effected by current event
forensicinsight.org Page 11 $UsnJrnl Reason Flag (http://msdn.microsoft.com/en-us/library/aa365722.aspx) Flag Description 0x01 The file was overwritten. 0x02 The file or directory was added to 0x04 The file or directory was truncated. 0x10 The named data streams for a file is overwritten. 0x20 A named data streams for the file were added. 0x40 A named data streams for the file was truncated 0x100 The file or directory was created for the first time. 0x200 The file or directory was deleted. 0x400 The file's or directory's extended attributes were changed. 0x800 The access rights to the file or directory was changed. 0x1000 The file or directory was renamed.(previous name) 0x2000 The file or directory was renamed.(new name) 0x4000 A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. 0x8000 A user has either changed one or more file or directory attributes or one or more time stamps. 0x10000 A hard link was added to or removed from the file or directory 0x20000 The compression state of the file or directory was changed from or to compressed. 0x40000 The file or directory was encrypted or decrypted. 0x80000 The object identifier of the file or directory was changed. 0x100000 The reparse point contained in the file or directory was changed, or a reparse point was added to or deleted from the file or directory. 0x200000 A named stream has been added to or removed from the file, or a named stream has been renamed. 0x80000000 The file or directory was closed.
forensicinsight.org Page 12 $UsnJrnl Source Information (http://msdn.microsoft.com/en-us/library/aa365722.aspx) Flag Description 0x00 Normal Event 0x01 The operation provides information about a change to the file or directory made by the operating system 0x02 The operation adds a private data stream to a file or directory. 0x04 The operation creates or updates the contents of a replicated file.
forensicinsight.org Page 13 $UsnJrnl File Attribute (http://msdn.microsoft.com/en-us/library/gg258117.aspx) Value Description 0x01 A file that is read-only. 0x02 The file or directory is hidden 0x04 A file or directory that the operating system uses a part of, or uses exclusively. 0x10 The handle that identifies a directory. 0x20 An archive file or directory. 0x40 This value is reserved for system use 0x80 A file that does not have other attributes set. 0x100 A file that is being used for temporary storage. 0x200 A file that is a sparse file. 0x400 A file or directory that has an associated reparse point, or a file that is a symbolic link. 0x800 A file or directory that is compressed. 0x1000 This attribute indicates that the file data is physically moved to offline storage. 0x2000 The file or directory is not to be indexed by the content indexing service. 0x4000 A file or directory that is encrypted. 0x8000 The directory or user data stream is configured with integrity (only supported on ReFS volumes). 0x10000 0 This value is reserved for system use. 0x20000 The user data stream not to be read by the background data integrity scanner (AKA scrubber).
forensicinsight.org Page 14 $UsnJrnl Record Carving
forensicinsight.org Page 15 $UsnJrnl Record Carving  The location of first $UsnJrnl record in disk : 172347352 sector  In a couple of hours…  the space which saves $Usnjrnl record is changed to unallocated space.  There are valid data in this area… $UsnJrnl records in Unallocated Area
forensicinsight.org Page 16 $UsnJrnl Record Carving  Carving function of USN Record in X-way forensics(ToolDisk ToolFile Recovery by Type) • After record carving, the tool saves the records into many files. Existing Tool 1
forensicinsight.org Page 17 $UsnJrnl Record Carving  FCNS_UsnJrnl EnScript • EnPack for Encase 7 • There is no full path information of file or directory. • L01, CSV output Existing Tool 2 17
forensicinsight.org Page 18 $UsnJrnl Record Carving Record Carving Offset Size Stored Information Detail 0x00 4 Size of Record 0x04 2 Major Version 2(Change Journal Software’s major version) 0x06 2 Minor Version 2(Change Journal Software’s major version) 0x08 8 MFT Reference Number "MFT Reference Number" of file or directory that effected by currently change event. 0x10 8 Parent MFT Reference Number "MFT Reference Number" of parent directory of file and directory that effected by currently change event. The full path information can be obtained with this information and $MFT. 0x18 8 USN Update Sequence Number 0x20 8 TimeStamp(FILETIME) Event Time(UTC +0) 0x28 4 Reason Flag The flag of change event 0x2C 4 Source Information The subject that triggers change of event 0x30 4 Security ID 0x34 4 File Attributes The attribute information of the object effected by current event. Generally, it is used for classifying the object into a file or directory. 0x38 2 Size of Filename The size of object name effected by current event 0x3A 2 Offset to Filename The offset of object name within record 0x3C N Filename The object(file or directory) name effected by current event • Signature : x??x??x00x00x02x00x00x00 • Sub-checking Point : USN, TimeStamp, Source Information, Size/Offset of Filename
forensicinsight.org Page 19 $UsnJrnl Record Carving  There are about 30,000,000 records in unallocated space. • There are some records before 10~11 months. • Generally, there are 300,000 records in $UsnJrnl:$J on average.  There are some records before formatting current system. The Result of Record Carving System The size of Unallocated Area The number of recovered records(De-Duplication) The period of recovered records A(Win7 64bit) 72G(HDD) 32,379,635 2014-02-10 ~ 2014-11-03 B(Win7 64bit) 120G(HDD) 36,650,278 2014-01-28 ~ 2014-11-10 C(Win7 64bit) 269G(HDD) 24,907,010 2014-01-28 ~ 2014-11-13 D(Win7 64bit) 120G(HDD) 22,310,563 2013-10-27 ~ 2014-12-23
forensicinsight.org Page 20 NTFS Log Tracker v1.4
forensicinsight.org Page 21 NTFS Log Tracker v1.4 1. $UsnJrnl record carving from unallocated space • Carving result is printed out by page unit. (500,000 records by one page) • The full path information is printed out. (from $MFT) • Indexing page information( In case of more than 3 pages)  After ordering by USN, first and last record’s time information are recorded. 2. Supporting source file extracted by “ExtractUsnJrnl” tool 3. Changing interface of keyword search 4. Supporting Korean keyword search 5. Tab bug is fixed. Updated List ( https://sites.google.com/site/forensicnote/ntfs-log-tracker )
forensicinsight.org Page 22 NTFS Log Tracker v1.4 User interface Source File for Parsing $MFT for Full Path Construction Opening DB file created by this tool Keyword Search Exporting CSV format Parsed Data Output
forensicinsight.org Page 23 NTFS Log Tracker v1.4 • Target field of keyword search  $LogFile : LSN, Event Time, File Name, Full Path  $UsnJrnl : TimeStamp, USN, File Name, Full Path • Using LIKE operation of SQL • If multi-keyword are entered, the keywords are used by “AND” operation. Keyword Search
forensicinsight.org Page 24 Conclusion
forensicinsight.org Page 25 Conclusion  Tracking NTFS’s history with $UsnJrnl • Creation, deletion, modification, renaming and moving of file and directory • It is possible to find trace of deleted file. • The event of program execution and opening document can be found through tracking prefetch file and LNK file’s history.  Collection of $UsnJrnl:$J • Encase or Winhex • ExtractUsnJrnl  $UsnJrnl record carving from unallocated space • There are mass $UsnJrnl records in unallocated space. • Tracking old file system history(before several months) through $UsnJrnl record carving
forensicinsight.org Page 26 Question and Answer

Recommended

(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
INSIGHT FORENSIC
 
(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery
INSIGHT FORENSIC
 
Exadata - BULK DATA LOAD Testing on Database Machine
Exadata - BULK DATA LOAD Testing on Database Machine Exadata - BULK DATA LOAD Testing on Database Machine
Exadata - BULK DATA LOAD Testing on Database Machine
Monowar Mukul
 
Advfs 3 in-memory structures
Advfs 3 in-memory structuresAdvfs 3 in-memory structures
Advfs 3 in-memory structures
Justin Goldberg
 
Undo internals paper
Undo internals paperUndo internals paper
Undo internals paper
oracle documents
 
Change DB Name
Change DB NameChange DB Name
Change DB NameAnar Godjaev
 
Undo internalspresentation
Undo internalspresentationUndo internalspresentation
Undo internalspresentation
oracle documents
 
Orcale dba training
Orcale dba trainingOrcale dba training
Orcale dba training
united global soft
 

Recommended

(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
INSIGHT FORENSIC
 
(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery
INSIGHT FORENSIC
 
Exadata - BULK DATA LOAD Testing on Database Machine
Exadata - BULK DATA LOAD Testing on Database Machine Exadata - BULK DATA LOAD Testing on Database Machine
Exadata - BULK DATA LOAD Testing on Database Machine
Monowar Mukul
 
Advfs 3 in-memory structures
Advfs 3 in-memory structuresAdvfs 3 in-memory structures
Advfs 3 in-memory structures
Justin Goldberg
 
Undo internals paper
Undo internals paperUndo internals paper
Undo internals paper
oracle documents
 
Change DB Name
Change DB NameChange DB Name
Change DB NameAnar Godjaev
 
Undo internalspresentation
Undo internalspresentationUndo internalspresentation
Undo internalspresentation
oracle documents
 
Orcale dba training
Orcale dba trainingOrcale dba training
Orcale dba training
united global soft
 
MongoDB and Indexes - MUG Denver - 20160329
MongoDB and Indexes - MUG Denver - 20160329MongoDB and Indexes - MUG Denver - 20160329
MongoDB and Indexes - MUG Denver - 20160329
Douglas Duncan
 
Cassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUGCassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUG
Duyhai Doan
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2
PoguttuezhiniVP
 
Indexing with MongoDB
Indexing with MongoDBIndexing with MongoDB
Indexing with MongoDB
MongoDB
 
Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)MongoSF
 
บทท 8
บทท 8บทท 8
บทท 8J-Kitipat Vatinivijet
 
Writing A Foreign Data Wrapper
Writing A Foreign Data WrapperWriting A Foreign Data Wrapper
Writing A Foreign Data Wrapper
psoo1978
 
Postgresql Database Administration- Day3
Postgresql Database Administration- Day3Postgresql Database Administration- Day3
Postgresql Database Administration- Day3
PoguttuezhiniVP
 
Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2rusersla
 
data loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.gurudata loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.guru
Ravikumar Nandigam
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
INSIGHT FORENSIC
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
INSIGHT FORENSIC
 
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
daumfoundation
 
IT 일반기술 강의자료_ed10
IT 일반기술 강의자료_ed10IT 일반기술 강의자료_ed10
IT 일반기술 강의자료_ed10
hungrok
 
(120616) #fitalk web browser forensics - part iii
(120616) #fitalk web browser forensics - part iii(120616) #fitalk web browser forensics - part iii
(120616) #fitalk web browser forensics - part iii
INSIGHT FORENSIC
 
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
daumfoundation
 
Een digitale bibliotheek of alleen Google?
Een digitale bibliotheek of alleen Google?Een digitale bibliotheek of alleen Google?
Een digitale bibliotheek of alleen Google?
Eric Sieverts
 
Java advancd ed10
Java advancd ed10Java advancd ed10
Java advancd ed10
hungrok
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
INSIGHT FORENSIC
 
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
daumfoundation
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
INSIGHT FORENSIC
 

More Related Content

What's hot

MongoDB and Indexes - MUG Denver - 20160329
MongoDB and Indexes - MUG Denver - 20160329MongoDB and Indexes - MUG Denver - 20160329
MongoDB and Indexes - MUG Denver - 20160329
Douglas Duncan
 
Cassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUGCassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUG
Duyhai Doan
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2
PoguttuezhiniVP
 
Indexing with MongoDB
Indexing with MongoDBIndexing with MongoDB
Indexing with MongoDB
MongoDB
 
Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)MongoSF
 
Writing A Foreign Data Wrapper
Writing A Foreign Data WrapperWriting A Foreign Data Wrapper
Writing A Foreign Data Wrapper
psoo1978
 
Postgresql Database Administration- Day3
Postgresql Database Administration- Day3Postgresql Database Administration- Day3
Postgresql Database Administration- Day3
PoguttuezhiniVP
 
Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2rusersla
 
data loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.gurudata loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.guru
Ravikumar Nandigam
 

What's hot (10)

MongoDB and Indexes - MUG Denver - 20160329
MongoDB and Indexes - MUG Denver - 20160329MongoDB and Indexes - MUG Denver - 20160329
MongoDB and Indexes - MUG Denver - 20160329
 
Cassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUGCassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUG
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2
 
Indexing with MongoDB
Indexing with MongoDBIndexing with MongoDB
Indexing with MongoDB
 
Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)
 
บทท 8
บทท 8บทท 8
บทท 8
 
Writing A Foreign Data Wrapper
Writing A Foreign Data WrapperWriting A Foreign Data Wrapper
Writing A Foreign Data Wrapper
 
Postgresql Database Administration- Day3
Postgresql Database Administration- Day3Postgresql Database Administration- Day3
Postgresql Database Administration- Day3
 
Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2
 
data loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.gurudata loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.guru
 

Viewers also liked

(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
INSIGHT FORENSIC
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
INSIGHT FORENSIC
 
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
daumfoundation
 
IT 일반기술 강의자료_ed10
IT 일반기술 강의자료_ed10IT 일반기술 강의자료_ed10
IT 일반기술 강의자료_ed10
hungrok
 
(120616) #fitalk web browser forensics - part iii
(120616) #fitalk web browser forensics - part iii(120616) #fitalk web browser forensics - part iii
(120616) #fitalk web browser forensics - part iii
INSIGHT FORENSIC
 
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
daumfoundation
 
Een digitale bibliotheek of alleen Google?
Een digitale bibliotheek of alleen Google?Een digitale bibliotheek of alleen Google?
Een digitale bibliotheek of alleen Google?
Eric Sieverts
 
Java advancd ed10
Java advancd ed10Java advancd ed10
Java advancd ed10
hungrok
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
INSIGHT FORENSIC
 
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
daumfoundation
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
INSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
INSIGHT FORENSIC
 
Jsp convert to Servlet
Jsp convert to ServletJsp convert to Servlet
Jsp convert to Servlet
JU Chae
 
(Fios#03) 4. 파워셸 포렌식 조사 기법
(Fios#03) 4. 파워셸 포렌식 조사 기법(Fios#03) 4. 파워셸 포렌식 조사 기법
(Fios#03) 4. 파워셸 포렌식 조사 기법
INSIGHT FORENSIC
 
Java 강의자료 ed11
Java 강의자료 ed11Java 강의자료 ed11
Java 강의자료 ed11
hungrok
 
코딩에는 좋은 노트북이 필요 없다
코딩에는 좋은 노트북이 필요 없다코딩에는 좋은 노트북이 필요 없다
코딩에는 좋은 노트북이 필요 없다
Han Sung Kim
 
2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집
2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집
2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집
daumfoundation
 
[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈
[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈
[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈
daumfoundation
 

Viewers also liked (20)

(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
 
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호
 
IT 일반기술 강의자료_ed10
IT 일반기술 강의자료_ed10IT 일반기술 강의자료_ed10
IT 일반기술 강의자료_ed10
 
(120616) #fitalk web browser forensics - part iii
(120616) #fitalk web browser forensics - part iii(120616) #fitalk web browser forensics - part iii
(120616) #fitalk web browser forensics - part iii
 
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
비영리 사업에서 꼭 필요한 인터넷 도구 (유승철)
 
Een digitale bibliotheek of alleen Google?
Een digitale bibliotheek of alleen Google?Een digitale bibliotheek of alleen Google?
Een digitale bibliotheek of alleen Google?
 
Java advancd ed10
Java advancd ed10Java advancd ed10
Java advancd ed10
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
 
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
2013 꿈다락 토요문화학교 유스보이스 8경 잡지만들기 결과물 - Case
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
 
Jsp convert to Servlet
Jsp convert to ServletJsp convert to Servlet
Jsp convert to Servlet
 
(Fios#03) 4. 파워셸 포렌식 조사 기법
(Fios#03) 4. 파워셸 포렌식 조사 기법(Fios#03) 4. 파워셸 포렌식 조사 기법
(Fios#03) 4. 파워셸 포렌식 조사 기법
 
Java 강의자료 ed11
Java 강의자료 ed11Java 강의자료 ed11
Java 강의자료 ed11
 
코딩에는 좋은 노트북이 필요 없다
코딩에는 좋은 노트북이 필요 없다코딩에는 좋은 노트북이 필요 없다
코딩에는 좋은 노트북이 필요 없다
 
Server
ServerServer
Server
 
2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집
2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집
2013 꿈다락 토요문화학교 유스보이스 8경 캐릭터 설정 자료집
 
[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈
[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈
[거의 모든 인터넷의 역사, 그리고 미래 - 정지훈
 

Similar to (150124) #fitalk advanced $usn jrnl forensics (english)

(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery
INSIGHT FORENSIC
 
(130525) #fitalk ntfs log tracker (english)
(130525) #fitalk ntfs log tracker (english)(130525) #fitalk ntfs log tracker (english)
(130525) #fitalk ntfs log tracker (english)
INSIGHT FORENSIC
 
Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
Adrian Huang
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 
Windows FTK Forensics.pdf
Windows FTK Forensics.pdfWindows FTK Forensics.pdf
Windows FTK Forensics.pdf
ssusere6dc9d
 
Oracle training-in-hyderabad
Oracle training-in-hyderabadOracle training-in-hyderabad
Oracle training-in-hyderabad
sreehari orienit
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
n|u - The Open Security Community
 
Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...
Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...
Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...
Kabul Kurniawan
 
Stellar file repair
Stellar file repairStellar file repair
Stellar file repairLaren
 
Internal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya JyothiInternal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya Jyothi
Sowmya Jyothi
 
Linux data recovery
Linux data recoveryLinux data recovery
Linux data recovery
lissy taylor
 
Lecture-1-Windows-Artefacts.pdf
Lecture-1-Windows-Artefacts.pdfLecture-1-Windows-Artefacts.pdf
Lecture-1-Windows-Artefacts.pdf
ssuserfd0132
 
WoSC19: Serverless Workflows for Indexing Large Scientific Data
WoSC19: Serverless Workflows for Indexing Large Scientific DataWoSC19: Serverless Workflows for Indexing Large Scientific Data
WoSC19: Serverless Workflows for Indexing Large Scientific Data
University of Chicago
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsShu-Yu Fu
 
009709863.pdf
009709863.pdf009709863.pdf
009709863.pdf
KalsoomTahir2
 
Stellar Phoenix Windows Data Recovery v7
Stellar Phoenix Windows Data Recovery v7Stellar Phoenix Windows Data Recovery v7
Stellar Phoenix Windows Data Recovery v7
Prannay Shahi
 

Similar to (150124) #fitalk advanced $usn jrnl forensics (english) (20)

(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery
 
(130525) #fitalk ntfs log tracker (english)
(130525) #fitalk ntfs log tracker (english)(130525) #fitalk ntfs log tracker (english)
(130525) #fitalk ntfs log tracker (english)
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Windows FTK Forensics.pdf
Windows FTK Forensics.pdfWindows FTK Forensics.pdf
Windows FTK Forensics.pdf
 
Oracle training-in-hyderabad
Oracle training-in-hyderabadOracle training-in-hyderabad
Oracle training-in-hyderabad
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
 
Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...
Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...
Cross-Platform File System Activity Monitoring and Forensics - A Semantic App...
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Stellar file repair
Stellar file repairStellar file repair
Stellar file repair
 
Internal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya JyothiInternal representation of file chapter 4 Sowmya Jyothi
Internal representation of file chapter 4 Sowmya Jyothi
 
Linux data recovery
Linux data recoveryLinux data recovery
Linux data recovery
 
Lecture-1-Windows-Artefacts.pdf
Lecture-1-Windows-Artefacts.pdfLecture-1-Windows-Artefacts.pdf
Lecture-1-Windows-Artefacts.pdf
 
WoSC19: Serverless Workflows for Indexing Large Scientific Data
WoSC19: Serverless Workflows for Indexing Large Scientific DataWoSC19: Serverless Workflows for Indexing Large Scientific Data
WoSC19: Serverless Workflows for Indexing Large Scientific Data
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
 
009709863.pdf
009709863.pdf009709863.pdf
009709863.pdf
 
Stellar Phoenix Windows Data Recovery v7
Stellar Phoenix Windows Data Recovery v7Stellar Phoenix Windows Data Recovery v7
Stellar Phoenix Windows Data Recovery v7
 

More from INSIGHT FORENSIC

(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
INSIGHT FORENSIC
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
INSIGHT FORENSIC
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
INSIGHT FORENSIC
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
INSIGHT FORENSIC
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
INSIGHT FORENSIC
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
INSIGHT FORENSIC
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
INSIGHT FORENSIC
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
INSIGHT FORENSIC
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
INSIGHT FORENSIC
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
INSIGHT FORENSIC
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
INSIGHT FORENSIC
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea
INSIGHT FORENSIC
 
(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory
INSIGHT FORENSIC
 
(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dump(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dump
INSIGHT FORENSIC
 
(130928) #fitalk cloud storage forensics - dropbox
(130928) #fitalk cloud storage forensics - dropbox(130928) #fitalk cloud storage forensics - dropbox
(130928) #fitalk cloud storage forensics - dropbox
INSIGHT FORENSIC
 
(130907) #fitalk generating volatility linux profile
(130907) #fitalk generating volatility linux profile(130907) #fitalk generating volatility linux profile
(130907) #fitalk generating volatility linux profile
INSIGHT FORENSIC
 
(130727) #fitalk rp log tracker
(130727) #fitalk rp log tracker(130727) #fitalk rp log tracker
(130727) #fitalk rp log tracker
INSIGHT FORENSIC
 
(130727) #fitalk pfp (portable forensic platform), #2 story
(130727) #fitalk pfp (portable forensic platform), #2 story(130727) #fitalk pfp (portable forensic platform), #2 story
(130727) #fitalk pfp (portable forensic platform), #2 story
INSIGHT FORENSIC
 
(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementation(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementation
INSIGHT FORENSIC
 

More from INSIGHT FORENSIC (20)

(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea
 
(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory
 
(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dump(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dump
 
(130928) #fitalk cloud storage forensics - dropbox
(130928) #fitalk cloud storage forensics - dropbox(130928) #fitalk cloud storage forensics - dropbox
(130928) #fitalk cloud storage forensics - dropbox
 
(130907) #fitalk generating volatility linux profile
(130907) #fitalk generating volatility linux profile(130907) #fitalk generating volatility linux profile
(130907) #fitalk generating volatility linux profile
 
(130727) #fitalk rp log tracker
(130727) #fitalk rp log tracker(130727) #fitalk rp log tracker
(130727) #fitalk rp log tracker
 
(130727) #fitalk pfp (portable forensic platform), #2 story
(130727) #fitalk pfp (portable forensic platform), #2 story(130727) #fitalk pfp (portable forensic platform), #2 story
(130727) #fitalk pfp (portable forensic platform), #2 story
 
(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementation(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementation
 

Recently uploaded

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 

Recently uploaded (20)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 

(150124) #fitalk advanced $usn jrnl forensics (english)

  • 1. FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA Advanced $UsnJrnl Forensics blueangel blueangel1275@gmail.com http://forensic-note.blogspot.kr/ Junghoon Oh
  • 2. forensicinsight.org Page 2 1. $UsnJrnl 2. $UsnJrnl Record Carving 3. NTFS Log Tracker v1.4 4. Conclusion
  • 4. forensicinsight.org Page 4 $UsnJrnl  This file is used to determine whether any change is occurred in a specific file by applications.  From Win7, Journal Function is activated by default • In case of deactivation setting(in Win XP), it is possible to activate through “Fsutil”. > fsutil usn [createjournal] m=<MaxSize> a=<AllocationDelta> <VolumePath> • For more information about “Fsutil” : http://technet.microsoft.com/en-us/library/cc788042.aspx  The file is composed of “$Max” attribute and “$J“ attribute • $Max : The meta data of change log is stored. • $J : The actual change log records are stored.  Each record has USN(Update Sequence Number) information.  The record order is determined with USN.  USN = the offset value of a record within $J attribute  USN information is also stored in then $STANDARD_INFORMATION attribute of a MFT record Journal(Change) Log File of NTFS
  • 5. forensicinsight.org Page 5 $UsnJrnl  Location • The file is located under “$Extend” folder.  The size of log data(generally…) • In case of full time use(24 hours/day), the log for 1~2 days are recorded. • In case of regular use(8 hours/day), the log for 4~5 days are recorded.  Forensic Readiness • changing log size bigger(more than 1 GB??)  Digital Forensic Profit • The investigator can confirm every NTFS’s events(creation, deletion, modification…) in specific period. Journal(Change) Log File of NTFS(continue…)
  • 6. forensicinsight.org Page 6 $UsnJrnl  The size of $Max attribute • 32 Bytes fixed size  The format of $Max attribute The Structure of $Max attribute Offset Size Stored Information Detail 0x00 8 Maximum Size The maximum size of log data 0x08 8 Allocation Size The size of allocated area when new log data is saved. 0x10 8 USN ID The creation time of "$UsnJrnl" file(FILETIME) 0x18 8 Lowest Valid USN The least value of USN in current records With this value, investigator can approach the start point of first record within "$J" attribute
  • 7. forensicinsight.org Page 7 $UsnJrnl  The log records of variable size are listed consecutively.  • The zero-filled "Sparse Area" occupies front part of an attribute. • The reason for this structure is because the operating system keeps the same size of the log data saved in the $J attribute. • The record allocation policy of $J attribute 1. The new log records are added at the end of the attribute. 2. If the total size of the added records exceeds "Allocation Size", the operation system assures that the size of the entire log data exceeds "Maximum Size". 3. If the size of the entire log data exceeds "Maximum Size", the front area of attribute is occupied by zero as much as size of "Allocation Size".(Actually, disk area is not filled by zero.) • Thus, the logical size of $J attribute grow continuously, but the size of area saving actual data is kept constant. • The general size of log data is 0x200000 ~ 0x23FFFFF The Structure of $J attribute
  • 8. forensicinsight.org Page 8 $UsnJrnl  After Logical area, there are valid data…  Extracting $J attribute by Encase 6(default “Logical File Only”) • There is no valid data which is located after logical area. The Structure of $J attribute(continue…)
  • 9. forensicinsight.org Page 9 $UsnJrnl  Encase • Extract $J attribute after selecting “Entire Physical File” option  Winhex • Default, this tool extracts file by Physical Size  ExtractUsnJrnl ( https://github.com/jschicht/ExtractUsnJrnl ) • This tool can extract only valid data except sparse area. Collection of $UsnJrnl
  • 10. forensicinsight.org Page 10 $UsnJrnl • The reason for using "Parent MFT Reference Number“ instead of "MFT Reference Number"  If "MFT Reference Number“ is used, full path information may not be obtained when relevant file is deleted. The format of record (http://msdn.microsoft.com/en-us/library/aa365722.aspx) Offset Size Stored Information Detail 0x00 4 Size of Record 0x04 2 Major Version 2(Change Journal Software’s major version) 0x06 2 Minor Version 2(Change Journal Software’s major version) 0x08 8 MFT Reference Number "MFT Reference Number" of file or directory that effected by currently change event. 0x10 8 Parent MFT Reference Number "MFT Reference Number" of parent directory of file and directory that effected by currently change event. The full path information can be obtained with this information and $MFT. 0x18 8 USN Update Sequence Number 0x20 8 TimeStamp(FILETIME) Event Time(UTC +0) 0x28 4 Reason Flag The flag of change event 0x2C 4 Source Information The subject that triggers change of event 0x30 4 Security ID 0x34 4 File Attributes The attribute information of the object effected by current event. Generally, it is used for classifying the object into a file or directory. 0x38 2 Size of Filename The size of object name effected by current event 0x3A 2 Offset to Filename The offset of object name within record 0x3C N Filename The object(file or directory) name effected by current event
  • 11. forensicinsight.org Page 11 $UsnJrnl Reason Flag (http://msdn.microsoft.com/en-us/library/aa365722.aspx) Flag Description 0x01 The file was overwritten. 0x02 The file or directory was added to 0x04 The file or directory was truncated. 0x10 The named data streams for a file is overwritten. 0x20 A named data streams for the file were added. 0x40 A named data streams for the file was truncated 0x100 The file or directory was created for the first time. 0x200 The file or directory was deleted. 0x400 The file's or directory's extended attributes were changed. 0x800 The access rights to the file or directory was changed. 0x1000 The file or directory was renamed.(previous name) 0x2000 The file or directory was renamed.(new name) 0x4000 A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. 0x8000 A user has either changed one or more file or directory attributes or one or more time stamps. 0x10000 A hard link was added to or removed from the file or directory 0x20000 The compression state of the file or directory was changed from or to compressed. 0x40000 The file or directory was encrypted or decrypted. 0x80000 The object identifier of the file or directory was changed. 0x100000 The reparse point contained in the file or directory was changed, or a reparse point was added to or deleted from the file or directory. 0x200000 A named stream has been added to or removed from the file, or a named stream has been renamed. 0x80000000 The file or directory was closed.
  • 12. forensicinsight.org Page 12 $UsnJrnl Source Information (http://msdn.microsoft.com/en-us/library/aa365722.aspx) Flag Description 0x00 Normal Event 0x01 The operation provides information about a change to the file or directory made by the operating system 0x02 The operation adds a private data stream to a file or directory. 0x04 The operation creates or updates the contents of a replicated file.
  • 13. forensicinsight.org Page 13 $UsnJrnl File Attribute (http://msdn.microsoft.com/en-us/library/gg258117.aspx) Value Description 0x01 A file that is read-only. 0x02 The file or directory is hidden 0x04 A file or directory that the operating system uses a part of, or uses exclusively. 0x10 The handle that identifies a directory. 0x20 An archive file or directory. 0x40 This value is reserved for system use 0x80 A file that does not have other attributes set. 0x100 A file that is being used for temporary storage. 0x200 A file that is a sparse file. 0x400 A file or directory that has an associated reparse point, or a file that is a symbolic link. 0x800 A file or directory that is compressed. 0x1000 This attribute indicates that the file data is physically moved to offline storage. 0x2000 The file or directory is not to be indexed by the content indexing service. 0x4000 A file or directory that is encrypted. 0x8000 The directory or user data stream is configured with integrity (only supported on ReFS volumes). 0x10000 0 This value is reserved for system use. 0x20000 The user data stream not to be read by the background data integrity scanner (AKA scrubber).
  • 15. forensicinsight.org Page 15 $UsnJrnl Record Carving  The location of first $UsnJrnl record in disk : 172347352 sector  In a couple of hours…  the space which saves $Usnjrnl record is changed to unallocated space.  There are valid data in this area… $UsnJrnl records in Unallocated Area
  • 16. forensicinsight.org Page 16 $UsnJrnl Record Carving  Carving function of USN Record in X-way forensics(ToolDisk ToolFile Recovery by Type) • After record carving, the tool saves the records into many files. Existing Tool 1
  • 17. forensicinsight.org Page 17 $UsnJrnl Record Carving  FCNS_UsnJrnl EnScript • EnPack for Encase 7 • There is no full path information of file or directory. • L01, CSV output Existing Tool 2 17
  • 18. forensicinsight.org Page 18 $UsnJrnl Record Carving Record Carving Offset Size Stored Information Detail 0x00 4 Size of Record 0x04 2 Major Version 2(Change Journal Software’s major version) 0x06 2 Minor Version 2(Change Journal Software’s major version) 0x08 8 MFT Reference Number "MFT Reference Number" of file or directory that effected by currently change event. 0x10 8 Parent MFT Reference Number "MFT Reference Number" of parent directory of file and directory that effected by currently change event. The full path information can be obtained with this information and $MFT. 0x18 8 USN Update Sequence Number 0x20 8 TimeStamp(FILETIME) Event Time(UTC +0) 0x28 4 Reason Flag The flag of change event 0x2C 4 Source Information The subject that triggers change of event 0x30 4 Security ID 0x34 4 File Attributes The attribute information of the object effected by current event. Generally, it is used for classifying the object into a file or directory. 0x38 2 Size of Filename The size of object name effected by current event 0x3A 2 Offset to Filename The offset of object name within record 0x3C N Filename The object(file or directory) name effected by current event • Signature : x??x??x00x00x02x00x00x00 • Sub-checking Point : USN, TimeStamp, Source Information, Size/Offset of Filename
  • 19. forensicinsight.org Page 19 $UsnJrnl Record Carving  There are about 30,000,000 records in unallocated space. • There are some records before 10~11 months. • Generally, there are 300,000 records in $UsnJrnl:$J on average.  There are some records before formatting current system. The Result of Record Carving System The size of Unallocated Area The number of recovered records(De-Duplication) The period of recovered records A(Win7 64bit) 72G(HDD) 32,379,635 2014-02-10 ~ 2014-11-03 B(Win7 64bit) 120G(HDD) 36,650,278 2014-01-28 ~ 2014-11-10 C(Win7 64bit) 269G(HDD) 24,907,010 2014-01-28 ~ 2014-11-13 D(Win7 64bit) 120G(HDD) 22,310,563 2013-10-27 ~ 2014-12-23
  • 21. forensicinsight.org Page 21 NTFS Log Tracker v1.4 1. $UsnJrnl record carving from unallocated space • Carving result is printed out by page unit. (500,000 records by one page) • The full path information is printed out. (from $MFT) • Indexing page information( In case of more than 3 pages)  After ordering by USN, first and last record’s time information are recorded. 2. Supporting source file extracted by “ExtractUsnJrnl” tool 3. Changing interface of keyword search 4. Supporting Korean keyword search 5. Tab bug is fixed. Updated List ( https://sites.google.com/site/forensicnote/ntfs-log-tracker )
  • 22. forensicinsight.org Page 22 NTFS Log Tracker v1.4 User interface Source File for Parsing $MFT for Full Path Construction Opening DB file created by this tool Keyword Search Exporting CSV format Parsed Data Output
  • 23. forensicinsight.org Page 23 NTFS Log Tracker v1.4 • Target field of keyword search  $LogFile : LSN, Event Time, File Name, Full Path  $UsnJrnl : TimeStamp, USN, File Name, Full Path • Using LIKE operation of SQL • If multi-keyword are entered, the keywords are used by “AND” operation. Keyword Search
  • 25. forensicinsight.org Page 25 Conclusion  Tracking NTFS’s history with $UsnJrnl • Creation, deletion, modification, renaming and moving of file and directory • It is possible to find trace of deleted file. • The event of program execution and opening document can be found through tracking prefetch file and LNK file’s history.  Collection of $UsnJrnl:$J • Encase or Winhex • ExtractUsnJrnl  $UsnJrnl record carving from unallocated space • There are mass $UsnJrnl records in unallocated space. • Tracking old file system history(before several months) through $UsnJrnl record carving