NTFS Journal Forensics

Video description: NTFS Journal Forensics

🛑 IMPORTANT! 🛑
Triforce ANJP is no longer available. After you've watched this episode, please check out "Introduction to MFTECmd" which covers the same information in greater detail, and highlights an alternative tool to parse these artifacts. The episode is available here: • Introduction to MFTECmd - NTFS MFT an...

As a continuation of the "Introduction to Windows Forensics" series, this episode covers file system journaling in NTFS. From a forensics perspective, there's a large amount of information that can be gleaned from this data, including one of the only ways we can prove if and when something was deleted from an NTFS volume. We'll take a look at the $MFT and the two different journals maintained by this file system ($UsnJrnl and $LogFile), and highlight the differences between them. Then, we'll learn how to use Triforce ANJP to parse these important artifacts.
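To make the deletion claim above concrete, here is an added example (not code from 13Cubed, Triforce ANJP or MFTECmd) that parses raw USN_RECORD_V2 entries, the fixed-layout structure Windows writes into $UsnJrnl:$J, and pulls out the records that carry USN_REASON_FILE_DELETE together with their timestamps. The record layout and the USN_REASON_* bits come from the Windows SDK (winioctl.h); the journal bytes fed to the parser are constructed inline for the demonstration and are not taken from a real volume image.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits from the Windows SDK (winioctl.h); the subset most often
# needed to reconstruct a file's history. Unknown bits are reported as hex.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed 60-byte USN_RECORD_V2 header (little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
# The UTF-16LE file name follows at FileNameOffset.
USN_V2_HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; integer math avoids float rounding on large values."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_reason(flags):
    """Expand a Reason bitmask into flag names, lowest bit first."""
    return [USN_REASONS.get(1 << b, f"0x{1 << b:08x}") for b in range(32) if flags & (1 << b)]


def parse_usn_records(buf):
    """Parse consecutive USN_RECORD_V2 entries from a $J byte buffer."""
    records, off = [], 0
    while off + USN_V2_HDR.size <= len(buf):
        (rec_len, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = USN_V2_HDR.unpack_from(buf, off)
        if rec_len == 0:
            # Zero fill between the last record of a page and the next page:
            # step to the next 8-byte boundary and keep scanning.
            off += 8
            continue
        if major != 2 or rec_len < USN_V2_HDR.size or off + rec_len > len(buf):
            break  # unsupported version or truncated/corrupt record
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_dt(ts),
            "mft_entry": fref & 0xFFFFFFFFFFFF,    # low 48 bits: $MFT entry number
            "mft_seq": fref >> 48,                   # high 16 bits: sequence number
            "parent_entry": pref & 0xFFFFFFFFFFFF,
            "reasons": decode_reason(reason),
            "name": name,
        })
        off += rec_len
    return records


def deleted_files(records):
    """(name, ISO timestamp) for every record carrying USN_REASON_FILE_DELETE."""
    return [(r["name"], r["timestamp"].isoformat())
            for r in records if "FILE_DELETE" in r["reasons"]]


def build_record(fref, pref, usn, when, reason, name):
    """Constructed test data: serialise one USN_RECORD_V2, padded to 8 bytes."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (USN_V2_HDR.size + len(name_bytes) + 7) & ~7
    hdr = USN_V2_HDR.pack(rec_len, 2, 0, fref, pref, usn, dt_to_filetime(when),
                          reason, 0, 0, 0x20, len(name_bytes), USN_V2_HDR.size)
    return hdr + name_bytes + b"\0" * (rec_len - USN_V2_HDR.size - len(name_bytes))


# Constructed sample journal (not a real image): a document is created, written
# and closed, then deleted, followed by the zero padding found at a page end.
MFT_REF = (7 << 48) | 1234     # sequence 7, $MFT entry 1234
ROOT_REF = (5 << 48) | 5       # $MFT entry 5 is the volume root directory
T0 = datetime(2023, 5, 4, 10, 15, 30, tzinfo=timezone.utc)
SAMPLE_J = (
    build_record(MFT_REF, ROOT_REF, 0x1000, T0 - timedelta(minutes=2), 0x100, "secret.docx")
    + build_record(MFT_REF, ROOT_REF, 0x1058, T0 - timedelta(minutes=2), 0x80000102, "secret.docx")
    + build_record(MFT_REF, ROOT_REF, 0x10B0, T0, 0x80000200, "secret.docx")
    + b"\0" * 64
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_J):
        print(r["timestamp"].isoformat(), r["mft_entry"], r["name"], ",".join(r["reasons"]))
    print("deleted:", deleted_files(parse_usn_records(SAMPLE_J)))
```

The 48-bit entry number and 16-bit sequence number split out of FileReferenceNumber are what let you tie a $J record back to a specific $MFT entry even after that entry has been reused, which is why a tool that parses both artifacts together can show not just that a name was deleted but which file it was.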

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

Triforce ANJP Free Edition:
No Longer Available.

Background Music Courtesy of Anders Enger Jensen:
/hariboosx

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
