Comments on Journey Into Incident Response: Layering Data
Blog author: Corey Harrell (http://www.blogger.com/profile/15008629321023489214)
Comment feed last updated: 2024-03-13T01:32:25.097-04:00

Corey Harrell (https://www.blogger.com/profile/15008629321023489214), 2013-01-25T22:23:33.063-05:00:

@Kx499

I agree some information recorded in the $LogFile and $UsnJrnl is similar. Both record actions taken against a file such as creation, deletion, and renaming. However, there are some notable differences, such as the $LogFile logging timestamps. To get a better idea about the differences between these files I would read David's posts:

http://hackingexposedcomputerforensicsblog.blogspot.com/2013/01/happy-new-year-new-post-ntfs-forensic.html

then

http://hackingexposedcomputerforensicsblog.blogspot.com/2013/01/ntfs-triforce-deeper-look-inside.html

One thing to keep in mind is that $UsnJrnl didn't start being used by default until Vista. I have never seen a $UsnJrnl file on an XP machine, while I have seen $LogFile on XP, Vista, and 7.

Kx499 (https://www.blogger.com/profile/00914036368917731670), 2013-01-23T23:15:39.573-05:00:

Great post, great information. I am struggling with the difference between the $logfile and $usnjrnl artifacts... They seem to contain similar types of information; I just don't get why an artifact would be in one vs the other. Any light you could share on that would be appreciated.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2013-01-22T07:57:57.049-05:00:

Great stuff, Corey, thanks for sharing!