Joakim,
I’m not as familiar as I should be with the $LogFile and how certain transactions make it difficult to present the information in different formats. I didn’t know what was involved when I asked my question, so thanks for explaining the challenges with outputting the $LogFile into the log2timeline format.
joakims wrote:
I am wondering how a decoded INDX record as found in $LogFile should be put into that particular format
This is a tough one because the INDX records are for the item when the transaction was recorded. Some of the timestamps (last accessed and modified) may not be as relevant since they only represent a certain point in time. For example, it may show File X was last modified at 11 while the $MFT shows the file was last modified at 12. I can’t think about any cases where knowing the file was changed at 11 before changing at 12 would be useful. As such, I’m not sure how valuable it would be to put the INDX records in the l2t format. It might be easier to leave it the way you currently have it and query it when needed.
joakims wrote:
Then you have challenges like partial information about an $attribute change, where all you have is a fraction of the new attribute, without necessarily having information about the original attribute
I’m not sure how feasible this approach would be, but could the focus be on only including certain types of events in l2t format? One option would be to only include the $LogFile transactions that have timestamps tied to them and only for the transactions related to file creations, deletions, and renaming. Even if this was the only information put into L2T format, it would still be useful when combined with the data in the $MFT and $UsnJrnl. Here is a partial view showing a file getting created from all three.
http://journeyintoir.blogspot.com/2013/01/layering-data.html
joakims wrote:
So, how would that fit in?
If my previous suggestion isn’t an option then I’m not sure about this one. All I can think about is that now I’m even more impressed with tool developers who need to tackle these issues and present the info in a way people can understand.
joakims wrote:
NTFS File Extractor was also updated
Thanks for the pointer. It’s on my list to test out tomorrow. I’m going to mention your tools in my next post since it’s a linkz for tools post.
Corey
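To make the suggestion in Corey's post concrete (emit only the $LogFile transactions that carry an INDX timestamp and that relate to a file creation, deletion or rename, and write them as l2t_csv rows), here is an added illustration. It is not code from this thread or from joakims' tools. The decoded-record layout, the operation names used as labels, the pairing rules (delete then add of an index entry for the same MFT reference is treated as a rename, an add with no pending delete as a creation, a delete followed by a file record deallocation as a deletion) and the sample records are all assumptions constructed for the example.

```python
"""Emit selected NTFS $LogFile transactions as l2t_csv rows (hypothetical example)."""
import csv
import io
from datetime import datetime, timezone

UTC = timezone.utc


def ts(hour, minute=0):
    """Constructed timestamp, all on one day, UTC."""
    return datetime(2013, 1, 15, hour, minute, 0, tzinfo=UTC)


def indx_times(created, modified, mft_modified, accessed):
    """Timestamps as carried by a $FILE_NAME-style INDX entry."""
    return {"created": created, "modified": modified,
            "mft_modified": mft_modified, "accessed": accessed}


# Operation labels borrowed from NTFS redo-operation names; the decoded-record
# layout (lsn, op, name, mft_ref, times) is an assumption of this example.
INDEX_ADD = "AddIndexEntryAllocation"
INDEX_DEL = "DeleteIndexEntryAllocation"
MFT_FREE = "DeallocateFileRecordSegment"

# Constructed sample of decoded $LogFile records (not real evidence).
SAMPLE_RECORDS = [
    {"lsn": 1001, "op": "InitializeFileRecordSegment", "name": None, "mft_ref": 40, "times": None},
    {"lsn": 1002, "op": INDEX_ADD, "name": "report.docx", "mft_ref": 40,
     "times": indx_times(ts(11), ts(11), ts(11), ts(11))},
    {"lsn": 1010, "op": INDEX_DEL, "name": "report.docx", "mft_ref": 40,
     "times": indx_times(ts(11), ts(11), ts(11), ts(11))},
    {"lsn": 1011, "op": INDEX_ADD, "name": "report_final.docx", "mft_ref": 40,
     "times": indx_times(ts(11), ts(11, 30), ts(11, 30), ts(11, 30))},
    # Partial attribute update: no usable timestamp, so it is skipped.
    {"lsn": 1020, "op": "UpdateResidentValue", "name": None, "mft_ref": 40, "times": None},
    {"lsn": 1030, "op": INDEX_DEL, "name": "temp.tmp", "mft_ref": 41,
     "times": indx_times(ts(9), ts(9), ts(9), ts(9))},
    {"lsn": 1031, "op": MFT_FREE, "name": None, "mft_ref": 41, "times": None},
]


def build_events(records):
    """Keep only timestamped create / rename / delete events, in LSN order."""
    events = []
    pending = {}  # mft_ref -> index-entry delete waiting for its partner
    for rec in sorted(records, key=lambda r: r["lsn"]):
        ref = rec["mft_ref"]
        if rec["op"] == INDEX_DEL and rec["times"]:
            pending[ref] = rec
        elif rec["op"] == INDEX_ADD and rec["times"]:
            old = pending.pop(ref, None)
            if old is None:
                events.append({"kind": "create", "lsn": rec["lsn"], "mft_ref": ref,
                               "name": rec["name"], "times": rec["times"]})
            elif old["name"] != rec["name"]:
                events.append({"kind": "rename", "lsn": rec["lsn"], "mft_ref": ref,
                               "name": rec["name"], "old_name": old["name"],
                               "times": rec["times"]})
            # same name re-added: index entry refresh, not a file event
        elif rec["op"] == MFT_FREE and ref in pending:
            old = pending.pop(ref)
            events.append({"kind": "delete", "lsn": rec["lsn"], "mft_ref": ref,
                           "name": old["name"], "times": old["times"]})
        # all other operations carry no timestamp we can tie to the file
    for old in pending.values():  # entry removed, no deallocation seen
        events.append({"kind": "delete", "lsn": old["lsn"], "mft_ref": old["mft_ref"],
                       "name": old["name"], "times": old["times"]})
    return events


MACB_LETTER = {"modified": "M", "accessed": "A", "mft_modified": "C", "created": "B"}


def macb_groups(times):
    """Collapse equal timestamps into one row with a combined MACB string."""
    groups = {}
    for key, when in times.items():
        groups.setdefault(when, set()).add(MACB_LETTER[key])
    return [(when, "".join(l if l in letters else "." for l in "MACB"))
            for when, letters in sorted(groups.items())]


L2T_HEADER = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type", "user",
              "host", "short", "desc", "version", "filename", "inode", "notes", "format", "extra"]


def to_l2t_csv(events):
    """Serialise events in the 17-column l2t_csv layout; format name is a placeholder."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(L2T_HEADER)
    for ev in events:
        short = {"create": f"File created: {ev['name']}",
                 "rename": f"File renamed: {ev.get('old_name')} -> {ev['name']}",
                 "delete": f"File deleted: {ev['name']}"}[ev["kind"]]
        for when, macb in macb_groups(ev["times"]):
            writer.writerow([when.strftime("%m/%d/%Y"), when.strftime("%H:%M:%S"), "UTC", macb,
                             "LOG", "NTFS $LogFile", f"$LogFile LSN {ev['lsn']}", "-", "-",
                             short, f"{short} (INDX entry carried by LSN {ev['lsn']})", "2",
                             ev["name"], str(ev["mft_ref"]), "-", "logfile_indx_example", "-"])
    return out.getvalue()


if __name__ == "__main__":
    print(to_l2t_csv(build_events(SAMPLE_RECORDS)))
```

The rename of report.docx produces two rows because the INDX entry's creation time (11:00) differs from its modified, MFT-changed and accessed times (11:30); the partial attribute update at LSN 1020 produces nothing, which is exactly the trade-off the post proposes.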