mmls diskimage.raw
(get the partition offset)
1)
fls -r -i raw -o _offset_ diskimage.raw | grep Usn
(get the inode number)
Output:
+ r/r 88280-128-3: $UsnJrnl:$J
+ r/r 88280-128-17: $UsnJrnl:$Max
2)
istat -i raw -o _offset_ diskimage.raw _inode_number_ (e.g. 88280)
Output:
..
..
..
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
Type: $FILE_NAME (48-1) Name: N/A Resident size: 82
Type: $DATA (128-3) Name: $J Non-Resident, Sparse size: 4731298448 init_size: 4731298448
..
..
3)
icat -i raw -o _offset_ diskimage.raw 88280-128-3 > UsnJrnl.bin
4) To convert to CSV, you can use:
- https://github.com/jschicht/UsnJrnl2Csv or
- usnj.pl -f UsnJrnl.bin -c > Usnjrnl.bin.csv
Refer to:
https://countuponsecurity.com/2017/05/25/digital-forensics-ntfs-change-journal/amp/
http://az4n6.blogspot.com/2015/03/usn-journal-where-have-you-been-all-my.html
Thank you.