Monday, September 1, 2008

EnScript to parse USNJRNL

* UPDATED (11/29/08) - v1.1 - Improved parsing of large USNJRNL files
* UPDATED (03/17/10) - v1.2 - Added export to CSV functionality

The USNJRNL is a file system transaction log located in the $EXTEND folder of an NTFS volume. This file system feature is available in Windows XP and later, but it is disabled by default in XP. In Vista the feature is enabled by default.

The file system records every change to a file in this log, including changes that touch only the file's metadata (timestamps, attributes, name, security descriptor) and not the file data itself.

The USNJRNL consists of one main file and two alternate data streams. The structure of the records in the USNJRNL•$J stream (as displayed in EnCase) is straightforward and is detailed below:

Offset (hex)   Size   Description
0x00           4      Size of entry
0x04           2      Major Version
0x06           2      Minor Version
0x08           8      MFT Reference
0x10           8      Parent MFT Reference
0x18           8      Offset of this entry in $J
0x20           8      Timestamp
0x28           4      Reason (see table below)
0x2B           4      SourceInfo (see table below)
0x30           4      SecurityID
0x34           4      FileAttributes
0x38           2      Size of filename (in bytes)
0x3A           2      Offset to filename
0x3C           V      Filename
V+0x3C         P      Padding (align to 8 bytes)

The EnScript linked below parses the USNJRNL•$J stream and writes the filename, timestamp and reason code for each record to the console tab of EnCase and to a CSV file in the default export folder.

The reason codes are defined as follows:

Flag Description
0x01 Data in one or more named data streams for the file was overwritten.
0x02 The file or directory was added to.
0x04 The file or directory was truncated.
0x10 Data in one or more named data streams for the file was overwritten.
0x20 One or more named data streams for the file were added to.
0x40 One or more named data streams for the file were truncated.
0x100 The file or directory was created for the first time.
0x200 The file or directory was deleted.
0x400 The user made a change to the file's or directory's extended attributes. These NTFS attributes are not accessible to Windows-based applications.
0x800 A change was made in the access rights to the file or directory.
0x1000 The file or directory was renamed, and the file name in this structure is the previous name.
0x2000 The file or directory was renamed, and the file name in this structure is the new name.
0x4000 A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. That is, the user changed the file or directory from one that can be content indexed to one that cannot, or vice versa.
0x8000 A user has either changed one or more file or directory attributes or one or more time stamps.
0x10000 An NTFS hard link was added to or removed from the file or directory.
0x20000 The compression state of the file or directory was changed from or to compressed.
0x40000 The file or directory was encrypted or decrypted.
0x80000 The object identifier of the file or directory was changed.
0x100000 The reparse point contained in the file or directory was changed, or a reparse point was added to or deleted from the file or directory.
0x200000 A named stream has been added to or removed from the file, or a named stream has been renamed.
0x80000000 The file or directory was closed.

(http://msdn.microsoft.com/en-us/library/aa365722(VS.85).aspx)
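The record layout and the reason table above are enough to write a parser without EnCase. The following is an added example (my own code, not Lance's EnScript) that walks a $J byte buffer using the field sizes from the structure table, splits each 8-byte MFT reference into its entry and sequence number, converts the FILETIME timestamp, expands a combined reason value such as 0x102 into its individual flags, and renders the result as CSV in the spirit of the v1.2 export. The sample $J bytes are constructed inline with the `build_record` helper (entry 1234, sequence 5, filenames "report.docx" and "report-final.docx") and are not taken from any real volume; the flag names are the USN_REASON_* constant names from the Windows SDK. Zero-length entries are skipped 8 bytes at a time, which is how the sparse run at the start of a real $J, or zeroed padding, shows up when the stream is read as a flat file.

```python
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

# Reason flags as listed in the table above (USN_REASON_* in the Windows SDK).
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",      0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",     0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",   0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",         0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",           0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",     0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",    0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",    0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",   0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed part of a version 2 record, little-endian, 0x3C bytes: size, major, minor,
# MFT ref, parent ref, USN (offset in $J), timestamp, reason, source info,
# security id, file attributes, filename length, filename offset.
HEADER = struct.Struct("<IHHQQQQIIIIHH")
HEADER_SIZE = HEADER.size  # 0x3C

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def split_mft_ref(ref):
    """An 8-byte MFT reference is a 48-bit entry number plus a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reason(reason):
    """Expand a combined reason value (e.g. 0x102) into its individual flag names."""
    names = [name for bit, name in sorted(REASON_FLAGS.items()) if reason & bit]
    unknown = reason & ~sum(REASON_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def parse_usnjrnl(data):
    """Walk a $J byte buffer and return one dict per well-formed v2 record."""
    records, pos = [], 0
    while pos + HEADER_SIZE <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size == 0:
            pos += 8            # zero padding, or the sparse run at the start of $J
            continue
        if size < HEADER_SIZE or size % 8 or pos + size > len(data):
            break               # truncated or corrupt record: stop rather than misparse
        (_, major, _minor, ref, parent, usn, ts, reason, source, sid, attrs,
         name_len, name_off) = HEADER.unpack_from(data, pos)
        if major != 2 or name_off + name_len > size:
            break
        name_bytes = data[pos + name_off:pos + name_off + name_len]
        entry, seq = split_mft_ref(ref)
        parent_entry, _ = split_mft_ref(parent)
        records.append({
            "usn": usn, "timestamp": filetime_to_datetime(ts),
            "mft_entry": entry, "mft_seq": seq, "parent_entry": parent_entry,
            "reason": reason, "reasons": decode_reason(reason),
            "source_info": source, "security_id": sid, "attributes": attrs,
            "name": name_bytes.decode("utf-16-le", "replace"),
        })
        pos += size
    return records


def to_csv(records):
    """Render parsed records as CSV text, one row per journal entry."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["timestamp", "usn", "mft_entry", "mft_seq", "parent_entry",
                "name", "reason_hex", "reasons"])
    for r in records:
        w.writerow([r["timestamp"].isoformat(), r["usn"], r["mft_entry"], r["mft_seq"],
                    r["parent_entry"], r["name"], f"0x{r['reason']:X}", "|".join(r["reasons"])])
    return out.getvalue()


# --- constructed sample input (not from a real volume) ---------------------
def build_record(ref, parent, usn, ts, reason, name):
    """Pack one v2 record the way NTFS lays it out, padded to an 8-byte boundary."""
    name_bytes = name.encode("utf-16-le")
    size = (HEADER_SIZE + len(name_bytes) + 7) & ~7
    body = HEADER.pack(size, 2, 0, ref, parent, usn, ts, reason, 0, 0, 0x20,
                       len(name_bytes), HEADER_SIZE) + name_bytes
    return body + b"\x00" * (size - len(body))


SAMPLE_TS = int((datetime(2008, 9, 1, tzinfo=timezone.utc)
                 - FILETIME_EPOCH).total_seconds()) * 10_000_000
SAMPLE_REF = (5 << 48) | 1234           # MFT entry 1234, sequence number 5
SAMPLE_J = (b"\x00" * 64                # leading zeros, as seen at the start of a real $J
            + build_record(SAMPLE_REF, 5, 0x40, SAMPLE_TS, 0x102, "report.docx")
            + build_record(SAMPLE_REF, 5, 0x98, SAMPLE_TS, 0x80002000, "report-final.docx"))

if __name__ == "__main__":
    print(to_csv(parse_usnjrnl(SAMPLE_J)))
```

Running it prints a CSV with two rows: the first decodes reason 0x102 as DATA_EXTEND|FILE_CREATE (the file was created and then written), the second decodes 0x80002000 as RENAME_NEW_NAME|CLOSE. Keeping the sequence number alongside the entry number matters for an examiner, since an MFT entry is reused after deletion and only the sequence number tells apart two files that occupied the same slot.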

Download Here v1.0
Download Here v1.1
Download Here v1.2

8 comments:

Anonymous Tuesday, 02 September, 2008  

Dang! I was looking for those structures myself for a long time and put serious work into it and NOW THEY POST THE DATA!!!!!!!

Phil Rodokanakis Tuesday, 16 March, 2010  

Lance:

I know this is a rather dated post, so I don't know if you're still monitoring it. But I recently came across the need for examining the USNJRNL file and used your EnScript to parse it--thank you very much for making this available by the way.

I was wondering, however, if it's possible to output the parsed text in a delimited format. Having the output in delimited format would allow one to open in a spreadsheet and sort by date, Reason code, etc. That would be very helpful, I would think.

Anyway, thanks again for making this available.

Best regards, Phil

Lance Mueller Wednesday, 17 March, 2010  

Output to CSV functionality added 03/17/10, v1.2

Phil Rodokanakis Wednesday, 17 March, 2010  

Lance:

I saw your post on the Win4n6 group. Thanks for doing this. I sincerely appreciate it.

Best regards, Phil

DC1743 Wednesday, 07 July, 2010  

Lance,
Is there a way to parse fragments of the USNJRNL from unallocated clusters?

Regards Richard

Markus Sunday, 24 October, 2010  

Hi all,

I can also discover a normal executable which also parses the USNJRNL file and dumps its contents to a log (for those who don't own EnCase).

Just post in these comments if you guys want a copy :-)

kind regards

Markus

Anonymous Wednesday, 24 April, 2013  

I'm seeing lots of reason codes '0x800020000' or '0x102' but the definition codes do not have these listed specifically. Am I to infer that there may be more than one reason for the change log? For instance, does 0x102 mean that the file was created (100) and modified (02)?

Lance Mueller Wednesday, 24 April, 2013  

Yes, there can be multiple codes added together.


Computer Forensics, Malware Analysis & Digital Investigations
