DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

How long does NTFS keep transaction logs? #67

Closed CaledoniaProject closed 2 years ago

CaledoniaProject commented 2 years ago

I've exported the transaction logs with:

dfir-orc USNInfo /out:c:\usn.csv

But the earliest logs are from two days ago. I'm wondering if this limitation is from dfir-orc or NTFS itself?

jgautier-anssi commented 2 years ago

Hi CaledoniaProject,

The USN journal is "not" what is commonly described as the "transaction log". This is a journal of changes made to the MFT logged into this journal. You can query its size and configuration with https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn.

dfir-orc USNInfo dumps the entire journal.

More information can be found in http://www.ntfs.com/transaction.htm about the transaction journal. (currently, there has been no strong justification for us to add the parsing of the transaction log in dfir-orc)

HTH, Jean
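An added example, not code from the dfir-orc project: a minimal Python parser for the USN_RECORD_V2 entries that make up the change journal USNInfo dumps, run over two constructed records, with a helper that reports the oldest and newest timestamps present. Because the journal is a bounded file (its limits are what `fsutil usn queryjournal` prints), that span is the effective retention; the sample records, file name and flag subset are assumptions for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the documented USN_REASON_* flags (values from the Windows SDK).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HDR = "<IHHQQqQIIIIHH"  # USN_RECORD_V2 fixed header: 60 bytes, little-endian

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_usn_v2(buf, offset=0):
    """Parse one USN_RECORD_V2 at offset; return (record dict, offset of the next record)."""
    (length, major, _minor, frn, parent, usn, ts, reason,
     _src, _sid, attrs, name_len, name_off) = struct.unpack_from(HDR, buf, offset)
    if major != 2 or length < 60:
        raise ValueError("not a USN_RECORD_V2")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    return {
        "usn": usn, "time": filetime_to_dt(ts), "name": name, "attrs": attrs,
        "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,  # FRN = seq<<48 | entry
        "parent_entry": parent & 0xFFFFFFFFFFFF,
        "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
    }, offset + length

def iter_records(buf):
    off = 0
    while off + 60 <= len(buf):
        rec, off = parse_usn_v2(buf, off)
        yield rec

def journal_span(buf):
    """Oldest and newest timestamps: the journal only reaches back as far as its max size allows."""
    times = [r["time"] for r in iter_records(buf)]
    return min(times), max(times)

def build_record(frn, parent, usn, when, reason, name):
    """Constructed sample record for this example (not captured from a real volume)."""
    nb = name.encode("utf-16-le")
    length = (60 + len(nb) + 7) & ~7  # records are 8-byte aligned
    hdr = struct.pack(HDR, length, 2, 0, frn, parent, usn, dt_to_filetime(when),
                      reason, 0, 0, 0x20, len(nb), 60)
    return hdr + nb + b"\0" * (length - 60 - len(nb))

T0 = datetime(2021, 3, 1, 8, 0, tzinfo=timezone.utc)  # constructed timestamps
SAMPLE = (build_record((7 << 48) | 1234, 5, 4096, T0, 0x80000100, "report.docx")
          + build_record((7 << 48) | 1234, 5, 4184, T0 + timedelta(days=2), 0x80000200, "report.docx"))
```

Running `journal_span` over a real journal image gives the same two-day window the question describes when the volume's journal max size only holds two days of MFT changes.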

CaledoniaProject commented 2 years ago

Thanks, this is very helpful to me.