usnjrnl parsing for file system history
play

UsnJrnl Parsing for File System History Students: Fox-IT: Jeroen - PowerPoint PPT Presentation

Sep 01, 2022 •112 likes •370 views

UsnJrnl Parsing for File System History Students: Fox-IT: Jeroen van Prooijen Yonne de Bruijn Frank Uijtewaal Research question How can the artefacts found in the UsnJrnl be efgectively used in forensic research? 2 UsnJrnl? Uses

  1. UsnJrnl Parsing for File System History Students: Fox-IT: ● Jeroen van Prooijen ● Yonne de Bruijn ● Frank Uijtewaal

  2. Research question How can the artefacts found in the UsnJrnl be efgectively used in forensic research? 2

  3. UsnJrnl? Uses Windows NTFS Contains metadata files like UsnJrnl = Update sequence number Journal 3

  4. Why research the UsnJrnl? Relatively young: since Windows Vista Often contains lots of historic data Can be linked to other artefacts 4

  5. The three fjles of interest NTFS MFT LogFile UsnJrnl 5

  6. Context: efgect of creating a fjle Creates File Alice Transaction: USN record: MFT entry: LSN records FILE_CREATE inum Transaction: USN record: sequence value LSN records FILE_CREATE|CLOSE MFT LogFile UsnJrnl 6

  7. How do they come together? UsnJrnl ? LogFile MFT 7

  8. Model 8

  9. MFT - overview Master File T able Keeps track of all fjles on NTFS Only stores information on non-deleted fjles 9

  10. MFT - structure No header Consists of lots of MFT entries MFT entries describe fjles/directories A set of default entries: 0: $MFT 1: $MFTMirr 2: $Logfjle etc 10

  11. MFT entry - structure inum Attributes: – Standard Information – File Name 11

  12. 0000000: 4649 4c45 3000 0300 0191 1000 0000 0000 FILE0........... 0000010: 0300 0100 3800 0000 8001 0000 0004 0000 ....8........... 0000020: 0000 0000 0000 0000 0500 0000 2900 0000 ............)... 0000030: 0500 0000 0000 0000 1000 0000 6000 0000 ............`... 0000040: 0000 0000 0000 0000 4800 0000 1800 0000 ........H....... 0000050: 6c56 68f4 db5a d101 55e9 4d0f dc5a d101 lVh..Z..U.M..Z.. 0000060: 55e9 4d0f dc5a d101 6c56 68f4 db5a d101 U.M..Z..lVh..Z.. 0000070: 2000 0000 0000 0000 0000 0000 0000 0000 ............... 0000080: 0000 0000 0701 0000 0000 0000 0000 0000 ................ 0000090: 8812 0000 0000 0000 3000 0000 7800 0000 ........0...x... 00000a0: 0000 0000 0000 0300 5a00 0000 1800 0100 ........Z....... 00000b0: 0500 0000 0000 0500 6c56 68f4 db5a d101 ........lVh..Z.. 00000c0: 6c56 68f4 db5a d101 6c56 68f4 db5a d101 lVh..Z..lVh..Z.. 00000d0: 6c56 68f4 db5a d101 0000 0000 0000 0000 lVh..Z.......... 00000e0: 0000 0000 0000 0000 2000 0000 0000 0000 ........ ....... 00000f0: 0c00 7000 6100 7300 7300 7700 6f00 7200 ..p.a.s.s.w.o.r. 0000100: 6400 2e00 7400 7800 7400 0000 0000 0000 d...t.x.t....... 0000110: 4000 0000 2800 0000 0000 0000 0000 0400 @...(........... 0000120: 1000 0000 1800 0000 b71e 1f72 cec6 e511 ...........r.... 0000130: 8dac 0800 2778 1e34 8000 0000 4000 0000 ....'x.4....@... 0000140: 0000 1800 0000 0100 2200 0000 1800 0000 ........"....... 0000150: 5061 7373 776f 7264 3a43 6f72 7265 6374 Password:Correct 0000160: 486f 7273 6542 6174 7465 7279 5374 6170 HorseBatteryStap 0000170: 6c65 0000 0000 0000 ffff ffff 8279 4711 le...........yG. 0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 12

  13. LogFile - overview Meant to guarantee fjle system recovery in case of a system failure Contains lots of detailed historic data Circular 13

  14. LogFile - structure The logfjle consists of record pages Every page has the following header structure Pages contain so-called “LSN records” 14

  15. LogFile LSN record structure Contains redo and undo data Says something about a single change 15

  16. LogFile LSN transactions ● LSN records are part of a transaction ● A transaction is an atomic unit 16

  17. UsnJrnl - overview Also called the “change journal” Very concisely states what changed Goes relatively far back in time Timestamps 17

  18. UsnJrnl - structure No header Consists of lots of USN records Oldest clusters may be deallocated 18

  19. USN record - structure fjle reference number contains: MFT entry number MFT sequence value 19

  20. Model 20

  21. Conclusion: Forensic value ● UsnJrnl usually goes further back in time ● UsnJrnl is more reliably parsed ● Enables timelining LogFile transactions ● Easier to fjnd transactions by fjlename ● Easier to fjnd what fjles were deleted 21

  22. Proof of concept – test case 22

  23. Proof of concept – result 1/3 ##################################################################################### # Current MFT information ############# ##################################################################################### MFT entry number: 41 Sequence value : 3 Currently in use: False -> Historic data in MFT entry, easy to extract File name : password.txt SUMMARY: ╔═════╦═════════════════════════════════════════════════════════════════════════════╗ ║ seq ║ USN record list ║ ╠═════╬═════════════════════════════════════════════════════════════════════════════╣ ║ 1 ║ [3064, 3168, 3272, 3376, 3456, 3536, 3616, 3696, 3776, 3856] ║ ║ 2 ║ [3936, 4096, 4200, 4304, 4392, 4480, 4568, 4656, 4744, 4832] ║ ╚═════╩═════════════════════════════════════════════════════════════════════════════╝ 23

  24. Proof of concept – result 2/3 ===================================================================================== MFT entry 41; Sequence 2 ===================================================================================== USN : 3936 File name: New Text Document.txt Timestamp: 2016-01-29 21:28:11.527128 Reason : FILE_CREATE ╔═══════════════════════════════════════════════════════════════════════════════╗ ║ $LogFile transaction number: 104 ║ ╠══════════╦═════════════════════════════════╦══════════════════════════════════╣ ║ LSN ║ Redo operation ║ Undo operation ║ ╠══════════╬═════════════════════════════════╬══════════════════════════════════╣ ║ 1083171 ║ Set Bits in Nonresident Bitmap ║ Clear Bits in Nonresident Bitmap ║ ║ 1083183 ║ No-Operation ║ Deallocate File Record Segment ║ ║ 1083195 ║ Add Index Entry Allocation ║ Delete Index Entry Allocation ║ ║ 1083222 ║ Initialize File Record Segment ║ No-Operation ║ ║ 1083273 ║ Set New Attribute Sizes ║ Set New Attribute Sizes ║ ║ 1083292 ║ Update Nonresident Value ║ No-Operation ║ ║ 1083316 ║ Set New Attribute Sizes ║ Set New Attribute Sizes ║ ║ 1083335 ║ Forget Transaction ║ Compensation Log Record ║ ╚══════════╩═════════════════════════════════╩══════════════════════════════════╝ 24

Recommend

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In general, system was pretty tailored to target hardware In the early 80s, people became interested in supporting more than one file system type on

546 views • 35 slides
Virtual File System Don Porter CSE 506 History Early OSes provided a single file system

Virtual File System Don Porter CSE 506 History Early OSes provided a single file system

Virtual File System Don Porter CSE 506 History Early OSes provided a single file system In general, system was pretty tailored to target hardware In the early 80s, people became interested in supporting more than one file

670 views • 37 slides
Administrative: Rock.c The Operating System & System Calls UNIX history - more on

Administrative: Rock.c The Operating System & System Calls UNIX history - more on

Outline Previously (and Chap 1 & 2 from text) Covered Brief UNIX history/interface UNIX overview - process, shell, file Brief intro to basic file I/O - open(), close(), read(), write(), lseek(), fprintf (library call) Unix System

262 views • 4 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Virtual File System (VFS) Nima Honarmand Spring 2017 :: CSE 506 History Early OSes provided

Virtual File System (VFS) Nima Honarmand Spring 2017 :: CSE 506 History Early OSes provided

Spring 2017 :: CSE 506 Virtual File System (VFS) Nima Honarmand Spring 2017 :: CSE 506 History Early OSes provided a single file system In general, system was tailored to target hardware People became interested in supporting more

652 views • 40 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk class it is using It issues block read/write requests to the generic block layer Provide an abstraction Goals Implement an abstraction (files) for

389 views • 37 slides
FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Discussion 11. Outline File-System Structure

516 views • 51 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary Software is not perfect Bugs in kernel (File system, VM, Device Driver code) Hardware is not perfect Disk errors Memory errors File

613 views • 24 slides
Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure File System Mounting File Sharing Protection Operating System Concepts Silberschatz, Galvin and Gagne 2002 11.1 File Concept

387 views • 15 slides
File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system

File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system

CS 4410 Operating Systems File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system implemented? Layered file system Directory implementation Allocation methods Free-space management 2

453 views • 18 slides
Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally

Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally

Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally The NFS specification distinguishes between the implemented by Sun Microsystems. services provided by the mount mechanism and the remote file

105 views • 9 slides
File System Aging: Increasing the Relevance of File System Benchmarks Keith A. Smith Margo I.

File System Aging: Increasing the Relevance of File System Benchmarks Keith A. Smith Margo I.

File System Aging: Increasing the Relevance of File System Benchmarks Keith A. Smith Margo I. Seltzer Harvard University Division of Engineering and Applied Sciences File System Performance 3.0 Read Throughput (MB/sec) 2.5 2.0 1.5 1.0

541 views • 42 slides
CPSC 410/611: File Management What is a file? Elements of file management File

CPSC 410/611: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems CPSC 410/611: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

186 views • 14 slides
CS 744: GOOGLE FILE SYSTEM Shivaram Venkataraman Fall 2019 ANNOUNCEMENTS - Assignment 1 out

CS 744: GOOGLE FILE SYSTEM Shivaram Venkataraman Fall 2019 ANNOUNCEMENTS - Assignment 1 out

CS 744: GOOGLE FILE SYSTEM Shivaram Venkataraman Fall 2019 ANNOUNCEMENTS - Assignment 1 out later today - Group submission form - Anybody on the waitlist? OUTLINE 1. Brief history 2. GFS 3. Discussion 4. What happened next? HISTORY OF

371 views • 33 slides
Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Unit OS8: File System 8.3. Encrypting File System Security in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS

250 views • 12 slides
Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals

Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals

Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals The information on file system API can be found on section 2 (Unix and C system calls ) of the Unix/Linux man pages ~> man S 2 open

559 views • 41 slides

More recommend