# Finding Evidence of Deleted Files with USN Journal Analysis In the context of **Master File Table (MFT)** entries in NTFS file systems, **"in-use"** and **"not in-use"** are terms that describe the status of MFT records.
TermDescription
In-UseThe MFT entry is active and points to an existing file or directory.
The file/directory is currently present on the file system.
Not In-UseThe MFT entry is inactive and has been marked for reuse.
The file/directory has been deleted, but its metadata remains until the space is overwritten.
#### **How It Works** 1. **When a file is created**: * A new MFT entry is allocated and marked **in-use**. 2. **When a file is deleted**: * The MFT entry is marked as **not in-use**, but the metadata and file content may remain on disk until overwritten. 3. **Forensic Use**: * "Not in-use" entries allow forensic investigators to recover deleted files, extract timestamps, or analyze remnants of file metadata.
Let’s examine the details of the "SRU00078.log" file using its Entry Number. ```bash MFTECmd.exe -f C:\Cases\E\$MFT --de 176972 ```
The **`IsFree`** flag means this MFT entry is **not in use**. The file associated with this entry has been deleted, and the MFT entry is available for reuse. **Resident**: `False` * The file data is stored **outside** the MFT entry, meaning it's non-resident data. **DataRuns Entries**: Specifies the physical cluster location on disk: * `0x9E2F5`: Starting cluster. * `0x10`: The number of clusters allocated (16 clusters × 4 KB = 64 KB). ## Analyzing the USN Journal for deleted files Q) When was the file "deleteme\_T1551.004" created and deleted ? The **USN Journal (Update Sequence Number Journal)** is a valuable artifact in forensic investigations for tracking changes to files and directories on an NTFS volume. It records metadata changes, including file creations, modifications, renames, and deletions. **$Extend\\$UsnJrnl:** Tracks file and directory changes on an NTFS volume. * **$Max:** Contains metadata about the USN Journal configuration. * **$J:** Contains records of filesystem operations. We can see the two files in our Cases folder.
Now, let's parse the $J file. ```bash MFTECmd.exe -f C:\Cases\E\$Extend\$J -m C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS ```
* $MFT file to use when -f points to a $J file
Let's open "**MFTECmd\_$J\_Output.csv"** using Timeline Explorer and search for "deleteme\_T1551.004" file.
Let's scroll to the right.
The Update Timestamps are visible by scrolling to the left.
* **File Create:** 2024-12-12 08:08:58 * **File Deleted:** 2024-12-12 08:08:59 Q) What was the Entry Number for "deleteme\_T1551.004" and does it still exist in the MFT ? We already know its Entry Number.
```bash MFTECmd.exe -f C:\Cases\E\$MFT --de 1987 ```
The space in the MFT that was previously occupied by the `deleteme_T1551.004` file have been reused or overwritten by another file, in this case, `WuProvider...etl`. This could happen if the original file was deleted or its entry was recycled after being deleted or modified.