Finding Evidence of Deleted Files with USN Journal Analysis

In the context of Master File Table (MFT) entries in NTFS file systems, "in-use" and "not in-use" are terms that describe the status of MFT records.

Term          Description
In-Use        The MFT entry is active and points to an existing file or directory. The file/directory is currently present on the file system.
Not In-Use    The MFT entry is inactive and has been marked for reuse. The file/directory has been deleted, but its metadata remains until the space is overwritten.

How It Works

  1. When a file is created:

    • A new MFT entry is allocated and marked in-use.

  2. When a file is deleted:

    • The MFT entry is marked as not in-use, but the metadata and file content may remain on disk until overwritten.

  3. Forensic Use:

    • "Not in-use" entries allow forensic investigators to recover deleted files, extract timestamps, or analyze remnants of file metadata.

Let’s examine the details of the "SRU00078.log" file using its Entry Number.

MFTECmd.exe -f C:\Cases\E\$MFT --de 176972

The IsFree flag means this MFT entry is not in use. The file associated with this entry has been deleted, and the MFT entry is available for reuse.

Resident: False

  • The file data is stored outside the MFT entry, meaning it's non-resident data.

DataRuns Entries: Specifies the physical cluster location on disk:

  • 0x9E2F5: Starting cluster.

  • 0x10: The number of clusters allocated (16 clusters × 4 KB = 64 KB).

Analyzing the USN Journal for deleted files

Q) When was the file "deleteme_T1551.004" created and deleted?

The USN Journal (Update Sequence Number Journal) is a valuable artifact in forensic investigations for tracking changes to files and directories on an NTFS volume. It records metadata changes, including file creations, modifications, renames, and deletions.

$Extend\$UsnJrnl: Tracks file and directory changes on an NTFS volume.

  • $Max: Contains metadata about the USN Journal configuration.

  • $J: Contains records of filesystem operations.

We can see the two files in our Cases folder.

Now, let's parse the $J file.

MFTECmd.exe -f C:\Cases\E\$Extend\$J -m C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS

  • -m: $MFT file to use when -f points to a $J file

Let's open "MFTECmd_$J_Output.csv" using Timeline Explorer and search for "deleteme_T1551.004" file.

Let's scroll to the right.

The Update Timestamps are visible by scrolling to the left.

  • File Create: 2024-12-12 08:08:58

  • File Deleted: 2024-12-12 08:08:59

Q) What was the Entry Number for "deleteme_T1551.004" and does it still exist in the MFT?

We already know its Entry Number.

MFTECmd.exe -f C:\Cases\E\$MFT --de 1987

The space in the MFT that was previously occupied by the deleteme_T1551.004 file has been reused or overwritten by another file, in this case WuProvider...etl. This could happen if the original file was deleted, or if its entry was recycled after being deleted or modified.
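As an added example (not part of the original walkthrough and not MFTECmd's code), the following Python parses USN_RECORD_V2 entries from a constructed $J fragment, recovers the create and delete timestamps for "deleteme_T1551.004" the way the $J analysis above does, and goes one step further: it keys results on the MFT sequence number carried in the file reference, so a later file that recycled entry 1987 is reported separately instead of being confused with the deleted one. The record layout and reason flags are the documented Windows values; the sample records, USNs, and the name later_file.txt are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
# USN_RECORD_V2 reason flags used here (documented Windows values).
USN_REASON_FILE_CREATE, USN_REASON_FILE_DELETE, USN_REASON_CLOSE = 0x100, 0x200, 0x80000000
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
REC = "<IHHQQqQIIIIHH"                               # 60-byte fixed USN_RECORD_V2 header
def make_record(entry, seq, usn, when, reason, name):
    """Build one USN_RECORD_V2 (constructed test data, not from a real $J)."""
    name_b = name.encode("utf-16-le")
    d = when - EPOCH
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    fileref = (seq << 48) | entry          # low 48 bits: MFT entry; high 16: sequence
    length = (60 + len(name_b) + 7) & ~7   # records are 8-byte aligned
    hdr = struct.pack(REC, length, 2, 0, fileref, (5 << 48) | 5, usn, ft,
                      reason, 0, 0, 0x20, len(name_b), 60)
    return hdr + name_b + b"\0" * (length - 60 - len(name_b))
def parse_usn_records(buf):
    """Yield one dict per USN_RECORD_V2 in buf, skipping zero padding."""
    off = 0
    while off + 60 <= len(buf):
        (length, _maj, _min, fileref, _par, usn, ft, reason, _src, _sid,
         _attr, name_len, name_off) = struct.unpack_from(REC, buf, off)
        if length == 0:                    # zero-filled gap between records/pages
            off += 8
            continue
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "entry": fileref & 0xFFFFFFFFFFFF, "seq": fileref >> 48,
               "time": EPOCH + timedelta(microseconds=ft // 10),
               "reason": reason, "name": name}
        off += length
def file_lifetimes(buf):
    """Map (name, entry, seq) -> {'created': dt, 'deleted': dt}; seq separates reuse."""
    out = {}
    for r in parse_usn_records(buf):
        d = out.setdefault((r["name"], r["entry"], r["seq"]), {})
        if r["reason"] & USN_REASON_FILE_CREATE:
            d["created"] = r["time"]
        if r["reason"] & USN_REASON_FILE_DELETE:
            d["deleted"] = r["time"]
    return out
# Constructed sample: entry 1987 holds deleteme_T1551.004 (seq 3), then is recycled (seq 4).
T0 = datetime(2024, 12, 12, 8, 8, 58, tzinfo=timezone.utc)
SAMPLE_J = b"".join([
    make_record(1987, 3, 0x1000, T0, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "deleteme_T1551.004"),
    make_record(1987, 3, 0x1060, T0 + timedelta(seconds=1), USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "deleteme_T1551.004"),
    make_record(1987, 4, 0x10C0, T0 + timedelta(minutes=5), USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "later_file.txt"),
])
```

Running file_lifetimes(SAMPLE_J) reports the create/delete pair for entry 1987 sequence 3 and a separate, still-live entry 1987 sequence 4, which is the same "entry reused" situation MFTECmd shows for --de 1987.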
