- File Metadata changes
- File Creations
- File Deletions
- File Overwrites
To parse the UsnJrnl, extract it with EnCase, FTK or your favorite forensic tool and feed it to Joakim Schicht's "UsnJrnl2Csv" program. It is by far the simplest utility I've used for UsnJrnl parsing. It also has options to adjust the output timestamps (for example to a local time zone), which is very convenient when building timelines. You can get it here:
https://code.google.com/p/mft2csv/downloads/detail?name=UsnJrnl2Csv_v1.0.0.2.zip&can=2&q=
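To show what a UsnJrnl-to-CSV conversion actually does with the bytes, here is an added example parser (my own code, not UsnJrnl2Csv's) that walks a raw `$UsnJrnl:$J` extract, decodes each USN_RECORD_V2 (timestamp, MFT entry and sequence number, reason flags, file name), skips the sparse zero-filled run at the start of the stream, and emits CSV with an optional time-zone offset. The three-record journal at the bottom is constructed so the script runs offline; the record layout and USN_REASON_* values are the documented Windows ones.

```python
"""USN_RECORD_V2 parser for a raw $UsnJrnl:$J extract (added example, not UsnJrnl2Csv).
Layout and reason flags follow the documented USN_RECORD_V2; the sample journal is constructed."""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

REASON_FLAGS = {  # USN_REASON_* bit values
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Fields after the 4-byte RecordLength: MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
HEADER = "<HHQQqQIIIIHH"
HEADER_LEN = 4 + struct.calcsize(HEADER)  # 60 bytes
FIELDS = ["usn", "timestamp", "mft_entry", "mft_seq", "parent_entry", "filename", "attributes", "reason"]


def filetime_to_datetime(ft, tz_offset_hours=0):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime in the requested offset."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).astimezone(tz)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so 1e17-scale values stay exact."""
    d = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_reason(reason):
    names = [n for bit, n in sorted(REASON_FLAGS.items()) if reason & bit]
    return "+".join(names) or f"0x{reason:08x}"


def parse_usn_journal(data, tz_offset_hours=0):
    """Return one dict per USN_RECORD_V2 found in the raw $J byte string."""
    records, off = [], 0
    while off + 4 <= len(data):
        (rec_len,) = struct.unpack_from("<I", data, off)
        if rec_len == 0:                 # sparse / zero-filled region: step to the next 8-byte boundary
            off += 8
            continue
        if rec_len < HEADER_LEN or off + rec_len > len(data):
            break                        # truncated or corrupt record: stop rather than misparse
        (major, _minor, frn, parent, usn, ts, reason, _src, _sid, attrs,
         name_len, name_off) = struct.unpack_from(HEADER, data, off + 4)
        if major == 2:
            name = data[off + name_off: off + name_off + name_len].decode("utf-16-le", "replace")
            records.append({
                "usn": usn,
                "timestamp": filetime_to_datetime(ts, tz_offset_hours).isoformat(),
                "mft_entry": frn & 0xFFFFFFFFFFFF,      # low 48 bits: MFT record number
                "mft_seq": frn >> 48,                   # high 16 bits: MFT sequence number
                "parent_entry": parent & 0xFFFFFFFFFFFF,
                "filename": name,
                "attributes": f"0x{attrs:08x}",
                "reason": decode_reason(reason),
            })
        off += rec_len
    return records


def to_csv(records):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()


def deleted_files(records):
    """File names with a journaled FILE_DELETE: the name survives even when the file does not."""
    return sorted({r["filename"] for r in records if "FILE_DELETE" in r["reason"].split("+")})


def build_record(frn, parent, usn, when, reason, name, attrs=0x20):
    """Encode one USN_RECORD_V2 (constructed test data in the same layout the parser reads)."""
    name_bytes = name.encode("utf-16-le")
    body = struct.pack(HEADER, 2, 0, frn, parent, usn, datetime_to_filetime(when),
                       reason, 0, 0, attrs, len(name_bytes), HEADER_LEN) + name_bytes
    total = (4 + len(body) + 7) & ~7     # records are padded to 8-byte alignment
    return struct.pack("<I", total) + body + b"\x00" * (total - 4 - len(body))


# Constructed journal: create, write+close, then delete of one file, behind a sparse run.
T0 = datetime(2014, 3, 1, 2, 15, tzinfo=timezone.utc)
FRN = (0x0002 << 48) | 0x1A2B            # sequence 2, MFT entry 0x1A2B
ROOT = (0x0005 << 48) | 5                # root directory
SAMPLE_JOURNAL = (
    b"\x00" * 16
    + build_record(FRN, ROOT, 0x1000, T0, 0x100, "recon.txt")                                 # FILE_CREATE
    + build_record(FRN, ROOT, 0x1050, T0 + timedelta(seconds=3), 0x80000102, "recon.txt")      # DATA_EXTEND+FILE_CREATE+CLOSE
    + build_record(FRN, ROOT, 0x10A0, T0 + timedelta(minutes=40), 0x80000200, "recon.txt")     # FILE_DELETE+CLOSE
)

if __name__ == "__main__":
    recs = parse_usn_journal(SAMPLE_JOURNAL, tz_offset_hours=-5)   # shift output to UTC-5 for the timeline
    print(to_csv(recs))
    print("deleted:", deleted_files(recs))
```

Against a real `$J` extract, replace `SAMPLE_JOURNAL` with the file's bytes; the MFT entry and sequence number columns are what you join against an MFT parse to recover parent paths, and the `FILE_DELETE` rows are the ones that persist in the journal after the file itself and its MFT record are gone.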
Time for a war story. A recent case I worked involved a system that was imaged approximately one week after the initial attacker activity. There were not many artifacts in the MFT or Registry since the attacker deleted any reconnaissance files, non-persistent malware, and finally cleared the system's event logs. The #winning moment however came when I parsed the UsnJrnl and it still had activity from when the attacker initially gained access to the system. From a file system perspective, this allowed me to see what was created/deleted/modified and when. It's not the full smoking gun since I was not able to carve and fully recover the files of interest; however, the UsnJrnl gave me and my client a more complete picture of what happened.