Comments on Another Forensics Blog: USN Journal: Where have you been all my life
Blog author: Mari DeGrazia (http://www.blogger.com/profile/07035429062451749639)
Feed updated: 2024-03-03T22:38:30.152-07:00

Christina, 2015-10-09T14:06:18.918-07:00:
TZ Works also puts out a great USN Journal parser, jp64.exe, which provides the full path and great reference points as far as where something existed on the MFT. Thanks for this info!!

Mari DeGrazia (https://www.blogger.com/profile/07035429062451749639), 2015-03-06T12:57:35.188-07:00:
Awesome! Thanks.

Dave Lassalle (https://www.blogger.com/profile/11247452583345130208), 2015-03-06T12:33:22.474-07:00:
I've got a USN parser here that you can supply the MFT to and it will print the full path, if you don't want to run the full TriForce tool on it:

https://github.com/superponible/DFIR

Mari DeGrazia (https://www.blogger.com/profile/07035429062451749639), 2015-03-04T13:52:09.180-07:00:
Thanks for providing such a helpful script to the community. :)

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2015-03-04T12:28:55.033-07:00:
Mari,

Yet another excellent post! I've found a great deal of value in the USN Change Journal, either during exams where IR has been relatively soon after the compromise of the system, or if I'm testing various malware. This is the reason I wrote the change journal parser...so that I could add the info to a timeline. This has been really helpful...thanks for highlighting the value of this data source again!