# Finding Evidence of Deleted Files with USN Journal Analysis

In the context of **Master File Table (MFT)** entries in NTFS file systems, **"in-use"** and **"not in-use"** are terms that describe the status of MFT records.


| Term | Description |
|---|---|
| **In-Use** | The MFT entry is **active** and points to an existing file or directory. The file/directory is currently present on the file system. |
| **Not In-Use** | The MFT entry is **inactive** and has been marked for reuse. The file/directory has been **deleted**, but its metadata remains until the space is overwritten. |

#### How It Works

1. **When a file is created**:
   * A new MFT entry is allocated and marked **in-use**.
2. **When a file is deleted**:
   * The MFT entry is marked as **not in-use**, but the metadata and file content may remain on disk until overwritten.
3. **Forensic Use**:
   * "Not in-use" entries allow forensic investigators to recover deleted files, extract timestamps, or analyze remnants of file metadata.


Let's examine the details of the `SRU00078.log` file using its Entry Number.

```bash
MFTECmd.exe -f C:\Cases\E\$MFT --de 176972
```


The **`IsFree`** flag means this MFT entry is **not in use**. The file associated with this entry has been deleted, and the MFT entry is available for reuse.

**Resident**: `False`

* The file data is stored **outside** the MFT entry, meaning it's non-resident data.

**DataRuns Entries**: Specifies the physical cluster location on disk:

* `0x9E2F5`: Starting cluster.
* `0x10`: The number of clusters allocated (16 clusters × 4 KB = 64 KB).
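As an added example (not code from the page or from MFTECmd), the following Python decodes the two pieces of raw NTFS structure discussed above: the in-use flag and sequence number in a FILE record header, and a data-run list such as the one MFTECmd reported for `SRU00078.log`. The header bytes and run bytes are constructed inline; the sequence number 5 and the 4 KB cluster size are assumptions.

```python
import struct

MFT_RECORD_IN_USE = 0x0001          # FILE record header flags (offset 0x16)
MFT_RECORD_IS_DIRECTORY = 0x0002

def mft_record_status(record):
    """Return (in_use, sequence_number) from a FILE record's 48-byte header."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    seq, = struct.unpack_from("<H", record, 0x10)     # bumped each time the entry is reused
    flags, = struct.unpack_from("<H", record, 0x16)
    return bool(flags & MFT_RECORD_IN_USE), seq

def decode_data_runs(runs, cluster_size=4096):
    """Decode an NTFS data-run list into [(start_cluster, cluster_count, byte_len)].
    Header byte: low nibble = size of the length field, high nibble = size of the
    offset field. Offsets are signed and relative to the previous run; an offset
    size of 0 marks a sparse run that occupies no clusters on disk."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:          # 0x00 terminates the list
        hdr = runs[pos]
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((None, count, count * cluster_size))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        out.append((lcn, count, count * cluster_size))
    return out

# Constructed sample: the run MFTECmd decoded for SRU00078.log (start 0x9E2F5, 0x10
# clusters) as NTFS stores it: header 0x31 (1-byte length, 3-byte offset), then 0x00.
SAMPLE_RUNS = bytes.fromhex("31 10 f5 e2 09 00")
# Constructed FILE record header: sequence 5 (assumed), flags 0 = not in use (IsFree).
SAMPLE_HDR = b"FILE" + bytes(12) + struct.pack("<H", 5) + bytes(4) + struct.pack("<H", 0) + bytes(24)
```

The decoder also handles multi-run lists with sparse runs and negative relative offsets, which single-run output such as the one above does not exercise.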

## Analyzing the USN Journal for deleted files

Q) When was the file `deleteme_T1551.004` created and deleted?

The **USN Journal (Update Sequence Number Journal)** is a valuable artifact in forensic investigations for tracking changes to files and directories on an NTFS volume. It records metadata changes, including file creations, modifications, renames, and deletions.

**`$Extend\$UsnJrnl`:** Tracks file and directory changes on an NTFS volume. It has two alternate data streams:

* **`$Max`:** Contains metadata about the USN Journal configuration.
* **`$J`:** Contains the records of file system operations.

We can see the two files in our Cases folder.


Now, let's parse the $J file.

```bash
MFTECmd.exe -f C:\Cases\E\$Extend\$J -m C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS
```


* `-m`: the $MFT file to use when `-f` points to a $J file, so the entry numbers in the journal records can be resolved to full paths.


Let's open `MFTECmd_$J_Output.csv` using Timeline Explorer and search for the `deleteme_T1551.004` file.


Let's scroll to the right.


The Update Timestamps are visible by scrolling to the left.


* **File Create:** 2024-12-12 08:08:58
* **File Deleted:** 2024-12-12 08:08:59

Q) What was the Entry Number for `deleteme_T1551.004`, and does it still exist in the MFT?

We already know its Entry Number.


```bash
MFTECmd.exe -f C:\Cases\E\$MFT --de 1987
```


The MFT entry previously occupied by `deleteme_T1551.004` has been reused by another file, in this case `WuProvider...etl`. Once a deleted file's entry is marked not in-use, NTFS can allocate it to a new file, so the original file's metadata is no longer recoverable from the MFT even though the USN Journal still records its creation and deletion.
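To show what MFTECmd reads out of $J, here is an added Python example (not the page's or MFTECmd's code) that parses USN_RECORD_V2 structures and answers both questions above: the FILE_CREATE and FILE_DELETE timestamps for a file name, and the MFT entry number and sequence number packed into each record's FileReferenceNumber. The journal bytes are constructed inline to mirror the page's case (entry 1987, timestamps 08:08:58 and 08:08:59); the sequence number 3 and the parent reference are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

USN_REASON_FILE_CREATE, USN_REASON_FILE_DELETE, USN_REASON_CLOSE = 0x100, 0x200, 0x80000000
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch (100 ns ticks)
HDR = "<IHHQQqqIIIIHH"                               # USN_RECORD_V2 fixed part, 60 bytes

def build_usn_record_v2(usn, entry, seq, ts, reason, name):
    """Construct a USN_RECORD_V2 for sample data (synthetic, not bytes from a real $J)."""
    name_b = name.encode("utf-16-le")
    length = (60 + len(name_b) + 7) & ~7             # records are padded to 8 bytes
    ft = (ts - EPOCH) // timedelta(microseconds=1) * 10
    hdr = struct.pack(HDR, length, 2, 0, (seq << 48) | entry, (5 << 48) | 5,
                      usn, ft, reason, 0, 0, 0x20, len(name_b), 60)
    return hdr + name_b + b"\x00" * (length - 60 - len(name_b))

def parse_usn_v2(buf):
    """Yield (usn, mft_entry, seq, timestamp, reason, name) for each record in buf."""
    off = 0
    while off + 60 <= len(buf):
        (length, major, _, fref, _, usn, ft, reason, _, _, _,
         nlen, noff) = struct.unpack_from(HDR, buf, off)
        if length == 0:          # $J is sparse: skip zero-filled gaps
            off += 8
            continue
        if major == 2:
            name = buf[off + noff:off + noff + nlen].decode("utf-16-le")
            # FileReferenceNumber = 16-bit sequence number << 48 | 48-bit MFT entry number
            yield (usn, fref & 0xFFFFFFFFFFFF, fref >> 48,
                   EPOCH + timedelta(microseconds=ft // 10), reason, name)
        off += length

def file_lifetime(buf, name):
    """Return (created, deleted, mft_entry, seq) for `name`; None where not seen."""
    created = deleted = entry = seq = None
    for _, ent, sq, ts, reason, nm in parse_usn_v2(buf):
        if nm.lower() != name.lower():
            continue
        entry, seq = ent, sq
        if reason & USN_REASON_FILE_CREATE and created is None:
            created = ts
        if reason & USN_REASON_FILE_DELETE:
            deleted = ts
    return created, deleted, entry, seq

T0 = datetime(2024, 12, 12, 8, 8, 58, tzinfo=timezone.utc)   # constructed to match the page's case
NAME = "deleteme_T1551.004"
SAMPLE_J = (build_usn_record_v2(1000, 1987, 3, T0, USN_REASON_FILE_CREATE, NAME)
            + b"\x00" * 16                                    # sparse gap, as in a raw $J
            + build_usn_record_v2(1200, 1987, 3, T0 + timedelta(seconds=1),
                                  USN_REASON_FILE_DELETE | USN_REASON_CLOSE, NAME))
```

Comparing the sequence number recorded in the journal with the one in the current $MFT record for the same entry number is the quickest way to confirm that the entry has since been reused by a different file, as happened with entry 1987 here.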
