-
Notifications
You must be signed in to change notification settings - Fork 210
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add NTFS USN change journal artifact #448
Comments
Blocked on #13 since technically the |
FYI artifact definitions and parsers are not connected in Plaso, so I'm not sure what you tested or intended to test |
What I did is basically the following (image.e01 is the NTFS image, result.plaso is the plaso file, and usnjrnl.yaml contains the artifact definition as given above):
At least Plaso appears to implicitly consider the ADS of $UsnJrnl when interpreting the custom NTFSUsnJrnlFiles artifact. |
You misunderstand the inner workings of Plaso. Artifacts in Plaso are used as collection filters: https://plaso.readthedocs.io/en/latest/sources/user/Collection-Filters.html#using-forensic-artifacts-definitions Your filter tells Plaso to only process a file with path If you specify Internally Plaso looks for the |
That is exactly what I wanted to achieve. I mean, it is basically the same for other artifacts aswell. Take for example the
But that that would also be true when using for example the I can see the point that relying on the artifact consumer to handle ADS correctly (or rather in a certain way) is not an ideal solution, though. But for my specific usecase, it would be sufficient. |
Yes but that is Plaso specific behavior, not related to reusable artifact definitions (which this project is) |
no if you define a filter file (outside the normal evtx file location) and the winevt parser that evtx file will be parsed. This is not the case for $UsnJrnl. Again these are Plaso related questions. |
This is the piece of information I was missing. Thanks for explaining it again! |
From Microsoft Docs:
The USN change journal is a useful artifact to track the creation, modification, and deletion of files in the file system. It is, for example, supported by Plaso with the
usnjrnl
parser.Other than for $MFT and $Logfile, there is no predefined artifact for the corresponding
\$Extend\$UsnJrnl
file that contains the change journal.I suggest adding something along the following to https://github.com/ForensicArtifacts/artifacts/blob/main/data/ntfs.yaml:
I've tested this as a custom artifact definition in Plaso/log2timeline with the
usnjrnl
parser, and it appears to be working.Potentially related issue: #431
The text was updated successfully, but these errors were encountered: