usnjrnl parsing for file system history
play

UsnJrnl Parsing for File System History Students: Fox-IT: Jeroen - PowerPoint PPT Presentation

Sep 01, 2022 •112 likes •370 views

UsnJrnl Parsing for File System History Students: Fox-IT: Jeroen van Prooijen Yonne de Bruijn Frank Uijtewaal Research question How can the artefacts found in the UsnJrnl be efgectively used in forensic research? 2 UsnJrnl? Uses

  1. UsnJrnl Parsing for File System History Students: Fox-IT: ● Jeroen van Prooijen ● Yonne de Bruijn ● Frank Uijtewaal

  2. Research question How can the artefacts found in the UsnJrnl be efgectively used in forensic research? 2

  3. UsnJrnl? Uses Windows NTFS Contains metadata files like UsnJrnl = Update sequence number Journal 3

  4. Why research the UsnJrnl? Relatively young: since Windows Vista Often contains lots of historic data Can be linked to other artefacts 4

  5. The three fjles of interest NTFS MFT LogFile UsnJrnl 5

  6. Context: efgect of creating a fjle Creates File Alice Transaction: USN record: MFT entry: LSN records FILE_CREATE inum Transaction: USN record: sequence value LSN records FILE_CREATE|CLOSE MFT LogFile UsnJrnl 6

  7. How do they come together? UsnJrnl ? LogFile MFT 7

  8. Model 8

  9. MFT - overview Master File T able Keeps track of all fjles on NTFS Only stores information on non-deleted fjles 9

  10. MFT - structure No header Consists of lots of MFT entries MFT entries describe fjles/directories A set of default entries: 0: $MFT 1: $MFTMirr 2: $Logfjle etc 10

  11. MFT entry - structure inum Attributes: – Standard Information – File Name 11

  12. 0000000: 4649 4c45 3000 0300 0191 1000 0000 0000 FILE0........... 0000010: 0300 0100 3800 0000 8001 0000 0004 0000 ....8........... 0000020: 0000 0000 0000 0000 0500 0000 2900 0000 ............)... 0000030: 0500 0000 0000 0000 1000 0000 6000 0000 ............`... 0000040: 0000 0000 0000 0000 4800 0000 1800 0000 ........H....... 0000050: 6c56 68f4 db5a d101 55e9 4d0f dc5a d101 lVh..Z..U.M..Z.. 0000060: 55e9 4d0f dc5a d101 6c56 68f4 db5a d101 U.M..Z..lVh..Z.. 0000070: 2000 0000 0000 0000 0000 0000 0000 0000 ............... 0000080: 0000 0000 0701 0000 0000 0000 0000 0000 ................ 0000090: 8812 0000 0000 0000 3000 0000 7800 0000 ........0...x... 00000a0: 0000 0000 0000 0300 5a00 0000 1800 0100 ........Z....... 00000b0: 0500 0000 0000 0500 6c56 68f4 db5a d101 ........lVh..Z.. 00000c0: 6c56 68f4 db5a d101 6c56 68f4 db5a d101 lVh..Z..lVh..Z.. 00000d0: 6c56 68f4 db5a d101 0000 0000 0000 0000 lVh..Z.......... 00000e0: 0000 0000 0000 0000 2000 0000 0000 0000 ........ ....... 00000f0: 0c00 7000 6100 7300 7300 7700 6f00 7200 ..p.a.s.s.w.o.r. 0000100: 6400 2e00 7400 7800 7400 0000 0000 0000 d...t.x.t....... 0000110: 4000 0000 2800 0000 0000 0000 0000 0400 @...(........... 0000120: 1000 0000 1800 0000 b71e 1f72 cec6 e511 ...........r.... 0000130: 8dac 0800 2778 1e34 8000 0000 4000 0000 ....'x.4....@... 0000140: 0000 1800 0000 0100 2200 0000 1800 0000 ........"....... 0000150: 5061 7373 776f 7264 3a43 6f72 7265 6374 Password:Correct 0000160: 486f 7273 6542 6174 7465 7279 5374 6170 HorseBatteryStap 0000170: 6c65 0000 0000 0000 ffff ffff 8279 4711 le...........yG. 0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 12

  13. LogFile - overview Meant to guarantee fjle system recovery in case of a system failure Contains lots of detailed historic data Circular 13

  14. LogFile - structure The logfjle consists of record pages Every page has the following header structure Pages contain so-called “LSN records” 14

  15. LogFile LSN record structure Contains redo and undo data Says something about a single change 15

  16. LogFile LSN transactions ● LSN records are part of a transaction ● A transaction is an atomic unit 16

  17. UsnJrnl - overview Also called the “change journal” Very concisely states what changed Goes relatively far back in time Timestamps 17

  18. UsnJrnl - structure No header Consists of lots of USN records Oldest clusters may be deallocated 18

  19. USN record - structure fjle reference number contains: MFT entry number MFT sequence value 19

  20. Model 20

  21. Conclusion: Forensic value ● UsnJrnl usually goes further back in time ● UsnJrnl is more reliably parsed ● Enables timelining LogFile transactions ● Easier to fjnd transactions by fjlename ● Easier to fjnd what fjles were deleted 21

  22. Proof of concept – test case 22

  23. Proof of concept – result 1/3 ##################################################################################### # Current MFT information ############# ##################################################################################### MFT entry number: 41 Sequence value : 3 Currently in use: False -> Historic data in MFT entry, easy to extract File name : password.txt SUMMARY: ╔═════╦═════════════════════════════════════════════════════════════════════════════╗ ║ seq ║ USN record list ║ ╠═════╬═════════════════════════════════════════════════════════════════════════════╣ ║ 1 ║ [3064, 3168, 3272, 3376, 3456, 3536, 3616, 3696, 3776, 3856] ║ ║ 2 ║ [3936, 4096, 4200, 4304, 4392, 4480, 4568, 4656, 4744, 4832] ║ ╚═════╩═════════════════════════════════════════════════════════════════════════════╝ 23

  24. Proof of concept – result 2/3 ===================================================================================== MFT entry 41; Sequence 2 ===================================================================================== USN : 3936 File name: New Text Document.txt Timestamp: 2016-01-29 21:28:11.527128 Reason : FILE_CREATE ╔═══════════════════════════════════════════════════════════════════════════════╗ ║ $LogFile transaction number: 104 ║ ╠══════════╦═════════════════════════════════╦══════════════════════════════════╣ ║ LSN ║ Redo operation ║ Undo operation ║ ╠══════════╬═════════════════════════════════╬══════════════════════════════════╣ ║ 1083171 ║ Set Bits in Nonresident Bitmap ║ Clear Bits in Nonresident Bitmap ║ ║ 1083183 ║ No-Operation ║ Deallocate File Record Segment ║ ║ 1083195 ║ Add Index Entry Allocation ║ Delete Index Entry Allocation ║ ║ 1083222 ║ Initialize File Record Segment ║ No-Operation ║ ║ 1083273 ║ Set New Attribute Sizes ║ Set New Attribute Sizes ║ ║ 1083292 ║ Update Nonresident Value ║ No-Operation ║ ║ 1083316 ║ Set New Attribute Sizes ║ Set New Attribute Sizes ║ ║ 1083335 ║ Forget Transaction ║ Compensation Log Record ║ ╚══════════╩═════════════════════════════════╩══════════════════════════════════╝ 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In general, system was pretty tailored to target hardware In the early 80s, people became interested in supporting more than one file system type on

546 views • 35 slides
Virtual File System Don Porter CSE 506 History Early OSes provided a single file system

Virtual File System Don Porter CSE 506 History Early OSes provided a single file system

Virtual File System Don Porter CSE 506 History Early OSes provided a single file system In general, system was pretty tailored to target hardware In the early 80s, people became interested in supporting more than one file

670 views • 37 slides
Administrative: Rock.c The Operating System & System Calls UNIX history - more on

Administrative: Rock.c The Operating System & System Calls UNIX history - more on

Outline Previously (and Chap 1 & 2 from text) Covered Brief UNIX history/interface UNIX overview - process, shell, file Brief intro to basic file I/O - open(), close(), read(), write(), lseek(), fprintf (library call) Unix System

262 views • 4 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Virtual File System (VFS) Nima Honarmand Spring 2017 :: CSE 506 History Early OSes provided

Virtual File System (VFS) Nima Honarmand Spring 2017 :: CSE 506 History Early OSes provided

Spring 2017 :: CSE 506 Virtual File System (VFS) Nima Honarmand Spring 2017 :: CSE 506 History Early OSes provided a single file system In general, system was tailored to target hardware People became interested in supporting more

652 views • 40 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk class it is using It issues block read/write requests to the generic block layer Provide an abstraction Goals Implement an abstraction (files) for

389 views • 37 slides
FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Discussion 11. Outline File-System Structure

516 views • 51 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary Software is not perfect Bugs in kernel (File system, VM, Device Driver code) Hardware is not perfect Disk errors Memory errors File

613 views • 24 slides
ECE532 Design Project Photoshop Functionalities on FPGA Pearl Liu George Ng Initial Goals

ECE532 Design Project Photoshop Functionalities on FPGA Pearl Liu George Ng Initial Goals

ECE532 Design Project Photoshop Functionalities on FPGA Pearl Liu George Ng Initial Goals Implementation Photoshop filters in real-time on FPGA Real time image capture, filtering, and display Xilinx Multimedia Board Final Design VGA VGA

716 views • 8 slides
S9884 USER EXPERIENCE IS KEY TO VDI SUCCESS, COLOR ACCURACY IS THE KEY TO USER EXPERIENCE Nachiket

S9884 USER EXPERIENCE IS KEY TO VDI SUCCESS, COLOR ACCURACY IS THE KEY TO USER EXPERIENCE Nachiket

S9884 USER EXPERIENCE IS KEY TO VDI SUCCESS, COLOR ACCURACY IS THE KEY TO USER EXPERIENCE Nachiket Karmakar Sr. Performance Engineer - NVIDIA SESSION TARGET Why is it key to choose the right protocol to get the best user experience CITRIX

334 views • 29 slides
C HIEN C HEN , C HIA -J EN H SU AND C HI -C HIA H UANG Department of Computer Science National

C HIEN C HEN , C HIA -J EN H SU AND C HI -C HIA H UANG Department of Computer Science National

J OURNAL OF I NFORMATION S CIENCE AND E NGINEERING 24, 61-81 (2008) Fast Packet Classification Using Bit Compression with Fast Boolean Expansion * C HIEN C HEN , C HIA -J EN H SU AND C HI -C HIA H UANG Department of Computer Science National

353 views • 21 slides
SEnC - A Sequential Enif Client Heinz Spiess, EMME/2 Support Center, Aegerten, Switzerland

SEnC - A Sequential Enif Client Heinz Spiess, EMME/2 Support Center, Aegerten, Switzerland

12th European EMME/2 Conference Basel, Switzerland - May 22-23, 2003 SEnC - A Sequential Enif Client Heinz Spiess, EMME/2 Support Center, Aegerten, Switzerland EMME/2: Macro command language ---> sequential macros sequential dialogs is

431 views • 24 slides
DVB Subtitling Systems EN300 743 Peter Cherriman (BBC) DVBs ETSI EN 300 743 Bitmap based

DVB Subtitling Systems EN300 743 Peter Cherriman (BBC) DVBs ETSI EN 300 743 Bitmap based

DVB Subtitling Systems EN300 743 Peter Cherriman (BBC) DVBs ETSI EN 300 743 Bitmap based subtitle standard for broadcast television Widely used in Europe and Asia Maintained by TM-SUB group in DVB Initial version 1997

245 views • 5 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides
Generation of Documentation using ASIS Generation of Documentation using ASIS Tools Tools S.V.

Generation of Documentation using ASIS Generation of Documentation using ASIS Tools Tools S.V.

Generation of Documentation using ASIS Generation of Documentation using ASIS Tools Tools S.V. Hovater S.V. Hovater Overview Overview Inception Inception Why do this? Why do this? Elaboration Elaboration

346 views • 9 slides
The Chem Access project From Bitmap Graphics to Fully Accessible Chemical Diagrams Volker Sorge

The Chem Access project From Bitmap Graphics to Fully Accessible Chemical Diagrams Volker Sorge

The Chem Access project From Bitmap Graphics to Fully Accessible Chemical Diagrams Volker Sorge Scientific Document Analysis Group Progressive Accessibility Solutions School of Computer Science Birmingham, UK University of Birmingham

171 views • 13 slides

More recommend