What is "USN Journal"? It is "Update Sequence Number Journal". It records changes in the NTFS volume. The scenario is about Bomb threat. I use X-Ways Forensics to parse USN Journal and the screenshot below is the parsing result. You could see the column name - "Timestamp","Change type","File ID","Attribue" and "Filename".

Where is USN Journal? That's it. A strange file whose name is $USNJml:$J. What is $J? It is so called ADS(Alternate Data Stream). Usually ADS will contain metadata of that file.

Let's take the first reocrd in the screenshot for examplie. The file "炸彈製作.lnk" created means suspect did double click the folder "炸彈製作" and the timestamp was 2013/12/16 21:50:41. The other records also had something to do with "Bomb" at 2013/12/16 21:50. So we could know that suspect did access those folders and files that time, and no doubt those files and folders did exist at that time. Look into USN parsing result and we could get  a whole picture of "Timeline".

Windows USN Journal Parsing的更多相关文章

  1. 仿照everything写的一个超级速查 原创

    http://files.cnblogs.com/files/jacd/%E8%B6%85%E9%80%9F%E6%9F%A5%E6%96%87%E4%BB%B6.zip 速度奇快无比,体积奇小无比, ...

  2. NTFS文件系统的UsnJrnl对于FileReference的处理

    1. 背景 http://stackoverflow.com/q/20418694/941650 这里面临的一个核心问题是,如果MFT Reference相等,能够表明这些记录代表的是同一个文件吗? ...

  3. 第三章 传奇的开始--Delphi(附读书笔记)

    第三章 传奇的开始--Delphi "是惊世之作的Delphi让Borland重新站了起来,没有当初的Delphi,就没有今日的Borland!" "是Turbo Pas ...

  4. Child Process

    Child Process child_process 这个模块可以生成一个子进程.nodejs提供了好几个API,本质上都是调用child_process.spawn(): const spawn ...

  5. 在C#中快速查询文件

    相信使用过Everything的人都对其超快的搜索速度印象非常深刻,它的主要原理是通过扫描NTFS磁盘的USN Journal读取的文件列表,而不是磁盘目录,由于USN Journal非常小,因此能实 ...

  6. Console Event Handling

    http://www.codeproject.com/Articles/2357/Console-Event-Handling Console Event Handling Kumar Gaurav ...

  7. 为python脚本增加命令行参数

    from argparse import ArgumentParser p = ArgumentParser() p.add_argument('-b', '--body', help='Return ...

  8. Windows下 Robhess SIFT源码配置

    Robhess OpenSIFT 源码下载:传送门 为了进一步学习SIFT,选择论文就着代码看,在VS2013.OpenCV2.4.13下新建项目,跑一跑经典之作.由于将代码和Opencv配置好后还会 ...

  9. Windows Error Codes

    http://www.briandunning.com/error-codes/?source=Windows Windows Error Codes List All Error Codes | S ...

随机推荐

  1. centos7编译安装nginx1.8

    安装pcre wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.38.tar.gz tar -zxvf pcre-8. ...

  2. Android 2.3 NFC简介

    Android 2.3加入了NFC(近场通讯)的支持.官网developer.android.com的英文介绍如下:Near Field Communications (NFC)Android 2.3 ...

  3. c#内置颜色大全

  4. gomoblie flappy 源码分析:游戏逻辑

    本文主要讨论游戏规则逻辑,具体绘制技术请参看相关文章: gomoblie flappy 源码分析:图片素材和大小的处理 http://www.cnblogs.com/ghj1976/p/5222289 ...

  5. [HDU 5090] Game with Pearls (贪心)

    题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=5090 题目大意:给你n个数,问你给若干个数增加c*k(c>=0)能否组成1,2,3,4,5,.. ...

  6. hive数据文件简单合并

    MR代码: package merge; import java.io.IOException; import java.util.Iterator; import org.apache.hadoop ...

  7. Log4j等级测试

    一.结论: 1./**debug.info.warn.error.fatal由低到高*/ 2.注意:log.error(message,e)不会打印异常堆栈信息. 二.测试过程 1.代码 packag ...

  8. css选择器nth-child()和nth-of-type()的应用

    <style> .table-striped tbody > tr:nth-child(odd) > td, .table-striped tbody > tr:nth- ...

  9. jdk线程的简单使用

    一.线程的实现方式方式一:继承Thread类一个类只要继承了Thread类,并重写run()方法,则就可以实现多线程的操作. public class ThreadDemo01 { public st ...

  10. Redis附加功能之Redis流水线pipeline

    流水线功能的目的:通过减少客户端与服务器之间的通信次数来提高程序的执行效率. 一.通信 在一般情况下, 用户每执行一个 Redis 命令,客户端与服务器都需要进行一次通信:客户端会将命令请求发送给服务 ...