NTFS Log Tracker

NTFS Log Tracker v1.71

This tool can parse $LogFile, $UsnJrnl:$J of NTFS and carve UsnJrnl record in multiple files(unallocated dump, file slack, pagefile.sys, memory dump, vss, ...).

A input of this tool is sample file extracted by another tool like Encase, Winhex.

If you want to see "Full Path" information, you should input $MFT file.

A default time information is local time(system's time) and timezone is adjustable.

Parsed $LogFile Event

Creating File/Directory(including "File System Tunneling")
Writing Resident/NonResident Data
- Writing Resident Data : "Data offset" means the location of Resident Data within $LogFile.
- Writing Non-Resident Data : "Cluster Number" means "StartClusterNumber(Allocated Cluster Count)" of Non-Resident Data within volume.
Deleting File/Directory
Renaming File/Directory
Moving File/Directory

Parsed $UsnJrnl Event

Event Info : http://msdn.microsoft.com/en-us/library/aa365722.aspx
File Attribute : http://msdn.microsoft.com/en-us/library/gg258117.aspx

User Interface

Update History

v1.71 (2022.02.26)
- The bug of "Suspicious Behavior Detection" function is fixed.
  - The function of "Manipulation of System Time" is not activated to carved UsnJrnl records.

v1.7 (2021.12.01)
- "Suspicious Behavior Detection" function is added.
  - Manipulation of System Time
  - Installation of Suspicious Programs
  - Execution of Suspicious Programs
  - Traces of Suspicious Programs
  - Deletion of Document File
- Parsing algorithm of $LogFile is changed.
  - LFS 2.0 (Win10) is supported.
  - parsing for corrupted $LogFile is enhanced.
- Extracting file deletion event from $LogFile is enhanced.
  - detection to file deletion event with abnormal timestamp
- Analysis of writing content of resident file is enhanced.
  - If there is no data in $LogFile, only writing size is printed.
- The bug of analyzing data run in $LogFile is fixed.
- The bug of extracting file deletion event from $LogFile is fixed
  - The bug that renaming file event is decided to deletion event is fixed.
- Related paper of "Suspicious Behavior Detection" function
  - https://kdfs.jams.or.kr/po/volisse/sjPubsArtiPopView.kci?soceId=INS000009412&artiId=SJ0000000490&sereId=SER000000001&submCnt=1&indexNo=5

v1.6 (2019.11.28)
- "$UsnJrnl record carving" function in multiple files is supported.
  - Receives the folder path as input and performs the carving function for the files stored under the folder (Not Recursive)
  - Carving alignment is adjustable.(Default : 8 byte)
    - For unallocated dump, use 8 byte alignment
    - For file slack files extracted via tools such as FTK, use 1 byte alignment
- Adding columns to the $UsnJrnl analysis
  - Carving Flag => Carved $UsnJrnl records are marked with "Y".
  - FileReferenceNumber
  - ParentFileReferenceNumber
- The analysis of file data write events in $LogFile is improved.
  - For non-resident file
    - the data runs information in file creation event is analyzed.
    - the bug of negative handling in legacy data runs analysis is fixed.
  - For resident file
    - If the real file data is not in $LogFile, the event is excluded.
- The analysis of file deletion events in $LogFile is improved.
  - Missing deletion events when deleting a large number of files at once is fixed.
- The bug of file/directory alias handling in $LogFile is fixed.
  - The events that file/directory name is processed as alias(ex: DOCUME ~ 1.txt) format are changed to the normal file/directory name.
- The bug of separating file/directory is fixed.
  - The bug that all directory-related events were output as file events is fixed.
- "File Name" column is changed to "File/Directory Name".
- CSV Export Function is improved.
  - CSV Export for search result is supported.(GUI Version)
  - The bug of not distinguishing CSV column information when setting DST is fixed.
- The bug of parsing $LogFile is fixed.
- Related paper of "$UsnJrnl record carving in file slack space"
  - https://kdfs.jams.or.kr/po/volisse/sjPubsArtiPopView.kci?soceId=INS000009412&artiId=SJ0000000283&sereId=SER000000001&submCnt=1&indexNo=9

v1.51 (2018.10.26)
- The bug of parsing deconstructed $LogFile is fixed.

v1.5 (2018.07.20)
- The Selection function of Timezone(UTC) is added.
- The Applying DST(Daylight Saving Time) is supported.
- $UsnJrnl Event info is changed.
  - File_Added -> Data_Added
  - File_Truncated -> Data_Truncated
- The speed of exporting CSV file is improved.
- The bug of initialzing $UsnJrnl peroid combo box is fixed.

v1.41 (2016.08.26)
- The bug of parsing $LogFile(Win10) is fixed.
- The Command Line Version is developed.

v1.4 (2015.01.26)
- $UsnJrnl record carving function is added
- Search function is changed.(to only selected columns)
- Non-English keyword search is supported.
- Tab bug is fixed.

v1.32
- The bug of parsing $LogFile is fixed.

v1.31
- The bug of parsing $LogFile is fixed.

v1.3
- The bug of parsing $UsnJrnl is fixed.

v1.2 (2013.11.05)
- The bug of parsing $LogFile is fixed.

v1.1 (2013.07.03)

- Resizing bug is fixed.
- The bug of Renaming Event is fixed.(the event of renaming long file name was not extracted.)
- USN_RECORD_V3 is supported.(But in this case, Full Path Information is not supported.)

v1.0 (2013.02.21)

- Full screen mode is supported.
- Additional information is supported in $LogFile Tab.
  - The "File System Tunneling" Event
  - The target file information on "Writing Data" event
  - The event time on "Deleting File/Directory" and "Renaming File/Directory" event
  - The "Moving File/Directory" event and it's event time
- The "Source Info" column is added in $UsnJrnl Tab

v0.95 (2013.01.23)

- "Search Result" Tab is added.
- Progress bar is added.
- The parsed data is saved to SQLite DB.(for Massive Data)

v0.9 (2013.01.22)

- Initial version

Created by Junghoon Oh(blueangel)

Email : blueangel1275@gmail.com