Little additional info: the UsnJrnl is not cyclic; it just allocates new disk space as it grows, leaving the older records as data slack. This means you can carve them. There is a different tool called NTFS Log Tracker which works very similarly but also takes the free disk space from your FTK/Encase/XWF and actually restores "deleted" records. This way you can go months back.
@13Cubed 5 years ago
Very interesting - thanks for sharing that!
@mohamedelbaz9288 3 years ago
You are awesome and really talented
@VikasSingh-ch4ef 3 years ago
There's quite a noticeable distance between the Like & Dislike button, I wonder how one could accidentally click on the latter.
@zomgninja 5 years ago
Awesome videos as always!
@lautarob 5 years ago
Thanks!! Very illustrative and helpful video.
@IqbalHamid 3 years ago
Can anyone please advise what happens when you run the command 'fsutil usn deletejournal /N /D C:' at the command prompt? I have heard it clears the USN journal. What does this mean? Is the USN journal actually permanently lost? I believe the command is run to fix corrupted volumes (e.g. ones which prevent chkdsk and defrag from running). How dangerous is it to run this delete journal command?
@13Cubed 3 years ago
This is probably a better explanation than I can (quickly) give you: "Deleting the journal is usually safe, but can have consequences. Applications that are using it will not see file changes between the last time the application ran and when the journal was deleted. Well-programmed applications will detect that the journal was deleted and will revert to an alternative method of finding changed files." See: www.wilderssecurity.com/threads/does-delete-the-journal-speed-up-or-keep-an-os-healthy.375079/
@artemermakov261 4 years ago
Great video!!! I really appreciate your work. It looks like ANJP is not accessible any more via the official web page. Is there any alternative URL to get it, please? :-)
@13Cubed 4 years ago
I am actually working on an updated episode featuring Eric Zimmerman's MFTECmd, which can be used to parse the $MFT and $J from $UsnJrnl. It does not yet support $LogFile.
@artemermakov261 3 years ago
@@13Cubed BTW, do you know what happened with the gettriforce web page? Why isn't it accessible any more?
@13Cubed 3 years ago
@@artemermakov261 The author has apparently discontinued the tool. Eric Zimmerman's MFTECmd is a good alternative, and I will have a video covering it later.
@TheCorei71 4 years ago
Hi .. I am not able to find this tool anywhere on the internet. Requesting help from forensics lovers. Thanks.
@13Cubed 4 years ago
Try MFTECmd from Eric Zimmerman, which will parse $MFT and $UsnJrnl (specifically the $J ADS). $LogFile support is coming, but not available as of now. I am working on a new episode that will cover this. You can look for it in Q1 of next year.
@TheCorei71 4 years ago
@@13Cubed much appreciate your response. Thanks and have a rocking successful new year ahead 🤠.
@troyschnack 4 years ago
@@13Cubed Thanks for the info. Playing with MFTECmd this weekend. The SANS Zimmerman poster is also helpful for command syntax and files to export.
@Amm9 2 years ago
Silly question. So these artifacts would be beneficial in a case where the objective is to determine if certain documents were deleted after a specified date?
@13Cubed 2 years ago
That's one use case -- potentially being able to determine that something was deleted, and *when* it was deleted. File renames, moves, and many other OpCodes are tracked by the journals. Check out the follow-up episode here: kzbin.info/www/bejne/laKonYmQf9affbs
@Amm9 2 years ago
@@13Cubed I just used these artifacts in a theft of IP case to show that a document existed on the user's desktop at some point. Thanks for the informative video.
@Sysshad 6 months ago
What if you delete the file with an application that actually writes zeroes on the disk (instead of setting the deleted flag)? Can you still retrieve it here?
@13Cubed 6 months ago
No, if a file is overwritten with null bytes or random data, your best bet for recovery would be via volume shadow copy, if the file happened to still be present in one of those copies.
@mimikatz 5 years ago
Awesome, thank you! Is the tool now free? One request video, if possible!! Could you possibly do a whole DFIR investigation on one box? Say, the steps you'd take for imaging the host, DF analysis, timeline analysis, then memory analysis? Awesome content. Very helpful.
@13Cubed 5 years ago
Thanks - and to answer your question, yes and no. There is a free version of the tool, which is what I was using here. There is also a paid commercial version available that provides additional features. And regarding your request -- that's actually in the works. It's a scenario-based episode involving IP theft, showing triage image acquisition and analysis.
@mimikatz 5 years ago
13Cubed I just downloaded it today at work! Going to give it a go later. Can’t wait for that video. It will be awesome!
@t0m3czek 4 years ago
Great tutorial! How can I use this to inspect renaming of files? I am studying a DF module and one of the tasks is to find how files were moved and renamed. When I put in the name of the file, the only result I get is where it was placed on disk and then that it was moved to a different directory. How do I track file renaming, e.g. Secret.txt -> Santa.mp3? Cheers.
@13Cubed 4 years ago
You'll find a file renames section within ANJP. Shimcache may also help you here (for executables). If an executable is renamed, it will be re-shimmed. If the M times tracked by the shimcache match exactly (especially up to 64-bit resolution), there is high confidence you are looking at the same file. Also, shimcache parsing tools will place the newest (most recently shimmed) entries at the top of the list. So, if you see evil.exe with X M-Time, and then above that you see svchost.exe with the same X M-Time, you're probably looking at the same file that has been renamed from evil.exe to svchost.exe.
@t0m3czek 4 years ago
@@13Cubed Thanks for the fast reply. After watching another tutorial (webinar) I have found the solution. If you click on "usn record listing" (the one that shows all the transaction events), you can check the "usn record reason" for the file or directory and, most importantly, the "usn rcd file ref#". So in a nutshell, if the file has been renamed, you can filter by the "usn rcd file ref#" and it will show you the original and the renamed file. That doesn't apply if you change the directory of the file for some reason. Hope that makes sense. The webinar I was talking about: kzbin.info/www/bejne/sHy9nYueipeAgLM - the renaming solution starts at 27:30. I would like to add one more thing: when you are looking for a directory or file(s) whose full name or path you don't know, use the %% syntax, e.g. "%\Users\Delikwent\Desktop\secret%". Cheers.
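Two points from the thread above, that older $UsnJrnl records survive as slack and can be carved, and that grouping records by file reference number reveals rename pairs, as an added example that is not from the video, from ANJP, or from MFTECmd. It parses USN_RECORD_V2 bytes (the public on-disk layout of $J records) and pairs RENAME_OLD_NAME/RENAME_NEW_NAME records per file reference; the sample records, reference numbers and file names are constructed, not taken from a real volume.

```python
import struct

RENAME_OLD_NAME, RENAME_NEW_NAME, FILE_DELETE, CLOSE = 0x1000, 0x2000, 0x200, 0x80000000  # USN_REASON_* bits
HDR = "<IHHQQqqIIIIHH"          # USN_RECORD_V2 header: length, major, minor, file ref, parent ref, usn, time, reason, src, secid, attrs, name len, name offset
HDR_LEN = struct.calcsize(HDR)  # 60 bytes; the UTF-16LE file name follows at FileNameOffset

def make_record(usn, file_ref, parent_ref, reason, name):
    """Build one constructed USN_RECORD_V2 (sample data, not taken from a real volume)."""
    fname = name.encode("utf-16-le")
    length = (HDR_LEN + len(fname) + 7) & ~7          # records are padded to 8-byte alignment
    hdr = struct.pack(HDR, length, 2, 0, file_ref, parent_ref, usn, 0, reason, 0, 0, 0x20, len(fname), HDR_LEN)
    return (hdr + fname).ljust(length, b"\0")

def carve_records(blob):
    """Walk a byte blob ($J contents plus any slack) and parse every plausible V2 record."""
    recs, off = [], 0
    while off + HDR_LEN <= len(blob):
        length, major, minor, fref, pref, usn, _, reason, _, _, _, nlen, noff = struct.unpack_from(HDR, blob, off)
        plausible = ((major, minor) == (2, 0) and length % 8 == 0 and HDR_LEN <= length <= 1024
                     and noff == HDR_LEN and noff + nlen <= length and off + length <= len(blob))
        if plausible:
            name = blob[off + noff:off + noff + nlen].decode("utf-16-le")
            recs.append({"usn": usn, "ref": fref, "parent": pref, "reason": reason, "name": name})
        off += length if plausible else 8    # zero fill or garbage: step to the next 8-byte boundary
    return recs

def rename_chains(records):
    """Per file reference number, pair each RENAME_OLD_NAME record with the RENAME_NEW_NAME after it."""
    by_ref = {}
    for r in sorted(records, key=lambda r: r["usn"]):
        by_ref.setdefault(r["ref"], []).append(r)
    chains = {}
    for ref, recs in by_ref.items():
        old = None
        for r in recs:
            if r["reason"] & RENAME_OLD_NAME:
                old = r["name"]                          # this record carries the pre-rename name
            elif r["reason"] & RENAME_NEW_NAME and old is not None:
                chains.setdefault(ref, []).append((old, r["name"]))
                old = None                               # the later CLOSE record repeats NEW_NAME; ignore it
    return chains

# Constructed $J fragment: Secret.txt renamed to Santa.mp3 (old name, new name, close), a zeroed gap, another file deleted
SAMPLE_J = b"".join([
    make_record(101, 0x5000000000ABC, 0x5000000000005, RENAME_OLD_NAME, "Secret.txt"),
    b"\0" * 24,                                         # unallocated/zeroed gap the carver must skip
    make_record(102, 0x5000000000ABC, 0x5000000000005, RENAME_NEW_NAME, "Santa.mp3"),
    make_record(103, 0x5000000000ABC, 0x5000000000005, RENAME_NEW_NAME | CLOSE, "Santa.mp3"),
    make_record(104, 0x5000000000DEF, 0x5000000000005, FILE_DELETE | CLOSE, "other.log"),
])
```

Running `rename_chains(carve_records(SAMPLE_J))` yields the Secret.txt -> Santa.mp3 pair keyed by its file reference, while the deleted other.log is grouped separately and produces no rename; the same two functions can be pointed at a raw $J export or at carved slack.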
@FahadAldosary 5 years ago
Thank you so much for all the amazing educational videos.
@SleepyStories-b8r 1 year ago
Where can we find this tool? I have looked all over the web and found nothing.
@13Cubed 1 year ago
See the video's description :) "Triforce ANJP is no longer available. After you've watched this episode, please check out "Introduction to MFTECmd" which covers the same information in greater detail, and highlights an alternative tool to parse these artifacts."
@smh4536 3 years ago
Why did this tool just disappear?
@13Cubed 3 years ago
The developer discontinued it. Notice the description of the episode which points you to a new episode and a new tool: kzbin.info/www/bejne/laKonYmQf9affbs
@smh4536 3 years ago
@@13Cubed I see. I'll check out the video, but I did really like the simplicity of ANJP.
@13Cubed 3 years ago
@@smh4536 I think you'll like MFTECmd for parsing the $MFT and $UsnJrnl (no $LogFile support yet). It's very straightforward and easy to use.
@maingameapaman 4 years ago
Is there any difference in the MFT or in the logfile records if I extract those files from a disk image (not from a live disk)?
@13Cubed 4 years ago
Not sure I understand what you are asking. The MFT will point to the cluster run on disk (unless the file is resident), and there would be logfile transactional data to accompany that file (depending on the timeframe, of course).
@maingameapaman 4 years ago
@@13Cubed Another question: is it possible to clean the logfile without reformatting the drive?
@eduardmart1237 4 years ago
How can I download this software? Is there a free alternative?
@d_o_o_m_e_d5939 4 years ago
You can boot from a USB and mount the Windows partition. The $ files are hidden, so just open the terminal and type file "$MFT".