TRIFORCE ANJP. THE POWER TO PROVE sm USER S GUIDE USER S GUIDE TRIFORCE ANJP VERSION 3.10

Transcription

1 TRIFORCE ANJP THE POWER TO PROVE sm USER S GUIDE USER S GUIDE TRIFORCE ANJP VERSION 3.10

2 TRIFORCE ANJP USER S GUIDE 2 Contents LET'S BEGIN... 5 SAY HELLO TO ANJP... 5 RUNNING ANJP... 6 Software Activation... 6 Online Activation... 6 Offline Activation... 7 ANJP S USER INTERFACE MENU BAR File Menu Connections Menu PARSE STATUS Saving the Progress Log PROCESS TAB Case Information Case Options REPORTS TAB Database Connection Reports Tab Panes Report Options Report Navigation THE POWER OF PARSE AND PROCESS PARSING FILES CONNECTING TO A DATABASE PROCESSING EVENTS Event Selection MFT File Lists Creating a Custom File List Adding MFT File Lists VIEWING REPORTS THE REPORTS LIST Viewing a Report MFT Reports MFT File Listing MFT Filelist Hits LogFile Reports File Interactions Overview LogFile Events USN Reports USN Record Listing USN Events Other Reports Log2Timeline Events Summary FILTERING DATA... 29

3 TRIFORCE ANJP USER S GUIDE 3 FILTERING REPORTS Filter Logic Columns, Conditions, and Values Integers Timestamps Strings Event IDs Creating Filters Additional Filter Options Exporting and Importing Filters Clearing Filters Removing Individual Filters Exporting Filtered Data EXPORTING REPORTS EXPORTING REPORTS Exporting Reports to a File Sending Reports to ElasticSearch APPENDIX A: NTFS BASICS Overview The MFT The LogFile The USN Journal Extracting NTFS Files: MFT, LogFile, and USN APPENDIX B: COLUMN REFERENCE MFT REPORTS MFT File Listing MFT Filelist Hits LOGFILE REPORTS File Interactions Overview LogFile Events USN REPORTS USN Record Listing USN Events OTHER REPORTS Log2Timeline Events Summary... 51

4 TRIFORCE ANJP USER S GUIDE 4 [This page intentionally left blank.]

5 TRIFORCE ANJP USER S GUIDE 5 Let's Begin Say Hello to ANJP ANJP provides a novel way of linking information contained in three important NTFS files that are responsible for maintaining the file system: The MFT, LogFile, and USN. Fullpath enumeration in the LogFile and USN through Rollback. By linking the LogFile and USN to the MFT, the fullpath (path and filename) for a given record within a LogFile or USN record can be enumerated. However, this linkage cannot be used to maintain fullpaths while parsing the entire LogFile or USN Journal. This is because as records are added to the LogFile and USN files can be deleted, created, and renamed, which potentially changes the path or filename for a given MFT entry. To overcome this, it is necessary to roll back the LogFile and USN to affect the correct fullpath for a given entry. Thus, parsing the LogFile and USN records from newest to oldest records, and applying changes to the fullpaths as files are deleted, created, and renamed results in the knowing exactly where a file was located and what its name was, when a change occurred. Find evidence of changes that happened in the past easily with Event Searching. A key feature of ANJP is its ability to search for events using Event Signatures within the LogFile and USN. There are two kinds of signatures that can be searched for: Predictable Sequence of Operations (PSO Events) and Presence of a Series of Indicators (PSI Events). PSO Events: A PSO Event is a predictable sequence of operations that occurs within a transaction. A transaction contains many different kinds of operations that are performed by the file system when something is changed, and each change that occurs results in a transaction with a particular set of operations that are specific to that type of change. PSO events search every transaction in either the LogFile, or the USN to determine if transactions contain matching criteria. PSO events include file and folder deletions, creations, renames, moves, and more. PSI Events: A PSI Event is the presence of a series of indicators that are not contained within one transaction and span multiple types of transactions within the LogFile or the USN. When ANJP searches for PSI events, it searches the entire LogFile or USN for matching criteria to show that an event has taken place. This can include virus infections, application installation, application usage, file wiping and more. Export Your Data. While realizing the need to use external software to analyze parsed data, ANJP provides options for exporting full reports, or only selected rows to an excel spreadsheet or a delimited text file. If an ElasticSearch node is available, users have the option to send individual reports to take advantage of ElasticSearch s powerful indexing and searching capabilities. Filters. Finally, ANJP s user interface also supports applying filters to report data, effectively narrowing down a large report to what is relevant.

6 TRIFORCE ANJP USER S GUIDE 6 Running ANJP ANJP is a stand-alone program that requires no installation. However, before ANJP can be used it must first be activated. See Software Activation in the next section of this chapter. Once ANJP is activated, simply double-click the executable to begin using ANJP. When ANJP runs for the first time, a folder is created in the directory it is executed from. The folder, named event_rules contains the xml event rules or event signatures to be used by ANJP when processing events. Software Activation There are two ways that ANJP can be activated: Online Activation and Offline Activation. Online Activation: Used to activate a machine that has an internet connection. See Online Activation in the next section. Offline Activation: Used to activate a machine that does not have an internet connection. See Offline Activation on page 7. Online Activation 1. Create a folder that will be used to store the ANJP executable provided, in addition to the license files generated in the upcoming steps. 2. Double-click the ANJP executable provided to begin the online activation process. 3. Read the ANJP End User License Agreement. Click Agree if you agree, otherwise click Decline to stop the activation process. 4. If this is the machine that will activated for use, click Yes. If this is not the Machine that will be activated for use click No and follow the instructions provided in Offline Activation on page 7.

7 TRIFORCE ANJP USER S GUIDE 7 5. Enter the Order Id that was provided when your ANJP license was purchased. The Activation Id field is automatically populated. 6. Click Submit. Upon clicking Submit, the License will be created. They should remain in the same folder as the ANJP executable. Note Do not delete or modify the license files, or move the license files outside of the folder containing the ANJP executable. 7. ANJP is now activated for use. Offline Activation To activate a machine that does not have an internet connection (The Offline Machine), a machine that does have an internet connection (The Online Machine) is used to activate the Activation ID generated by the Offline Machine. The Offline Machine: A machine that will be licensed for use but does not have an internet connection. The Online Machine: A machine that will not be licensed for use but is connected to the internet and will be used to complete activation on behalf of the Offline Machine. Generating an Activation Id for the Offline Machine 1. Within the Offline Machine, create a folder that will be used to store the ANJP executable.

8 TRIFORCE ANJP USER S GUIDE 8 2. Double-click the ANJP executable to begin the offline activation process. 3. Read the ANJP End User License Agreement. Click Agree if you agree, otherwise click Decline to stop the activation process. 4. If this IS the machine that will be activated for use, click Yes. 5. By clicking Yes, the Activation Id field will be automatically populated with the Activation ID of the Offline Machine. 6. To save the Activation Id to a text file, click Export. In the resulting window, navigate to the location to save the text file and specify the filename to use. Click Save.

9 TRIFORCE ANJP USER S GUIDE 9 Generating the License Files using the Online Machine 7. Within the Online Machine, copy the ANJP executable provided to a folder of choice. Remember the location of the executable as the license files generated in step 14 will be saved here. 8. Double-click the ANJP executable to start the activation process on the Online Machine. 9. Read the ANJP End User License Agreement. Click Agree if you agree, otherwise click Decline to stop the activation process. 10. In the resulting Activation window, click No since this IS NOT the machine that will be activated for use. (This is the Online Machine, and is being used as an intermediary in the activation process) 11. Copy the text file from the Offline Machine created in step 6, to a folder on the Online Machine. 12. Within the ANJP Activation Tool window, click Import. Navigate to the location of the text file that was copied from the Offline Machine and click Open. This will populate the Activation Id field with the ID contained in the text file and was generated by the Offline Machine in step 5. STOP: Before proceeding to the next step, ensure that the Activation ID supplied was generated by the Offline Machine to be activated for use and IS NOT the Activation ID of the machine that is performing the activation request on behalf of the Offline Machine.

10 TRIFORCE ANJP USER S GUIDE In the Order Id field, enter the Order ID that was provided when your ANJP license was purchased. 14. Click Submit. Upon clicking Submit, the license files will be created in the folder that ANJP was executed from. Copying the License Files from the Online Machine to the Offline Machine 15. Copy the license files that were created on the Online Machine to the Offline Machine, placing them into the same folder as the ANJP executable to be run. Note Do not delete or modify the license files, or move the license files outside of the folder containing the ANJP executable. 16. When ANJP is run from the Offline Machine, it will check the activation status using the license files copied. If the check is successful, ANJP will be ready for use on the Offline Machine.

11 TRIFORCE ANJP USER S GUIDE 11 ANJP s User Interface This chapter discusses the layout and features of the ANJP user interface. Menu Bar Use the Menu Bar to access ANJP s core features. There are two items in the Menu bar: the File Menu and the Connections Menu. File Menu The File Menu provides access to features related to processing events. Event Selection: Used to open the Events window. The Events window is used to customize the events to include when processing events is initiated. See Event Selection on page 22. Process Events: Used to initiate processing events on a database that is currently connected in the Reports tab. See Processing Events on page 22.

12 TRIFORCE ANJP USER S GUIDE 12 Connections Menu The Connections menu provides access ElasticSearch configuration settings. ElasticSearch: Used to open the ElasticSearch Connection window. The ElasticSearch window is used to enter node information and establish a connection to an ElasticSearch service using the node information provided. See Sending Reports to ElasticSearch on page 36. Parse Status The Process tab contains visual indicators and information that reveal the status of ANJP s parsing and processing of events. Progress Bar: Used to view the real-time progression through each stage of parsing or processing events. Progress Log: Used to log information related to each stage of parsing or processing events. This includes: starting status, finished status, descriptions of actions performed, the number of events found, and any events that may have been skipped. Saving the Progress Log The contents of the Progress Log can be saved by clicking Save Log, and specifying the path and filename of the output file.

13 TRIFORCE ANJP USER S GUIDE 13 Process Tab The Process tab is used to enter case information, select the NTFS files be parsed and processed, set case options, select events, and to initiate parsing and processing of events. Case Information Use the Case Information fields to specify a Case Name, Case Path, and locations of the NTFS files to be parsed. When parsing is initiated, ANJP uses the information provided in these fields to create an ANJP database. Case Name: Used to name the ANJP created database. This field is required to parse files. Case Path: The location to save the database. This field is required to parse files. MFT: The path and filename of the MFT file to be parsed. This field is required to parse files. LogFile: The path and filename of the LogFile file to be parsed. This field is optional. USN: The path and filename of the USN file to be parsed. This field is optional.

14 TRIFORCE ANJP USER S GUIDE 14 Case Options Use Case Options to adjust settings related to parsing files. Options Button: Used to open the Options window. The Options window is used to adjust parse settings including: Timezone, Cluster Size, and MFT Entry Size. See Parsing Files on page 18. Process Events After Parsing: Used to initiate event processing immediately after parsing has completed. This is checked by default. Uncheck to disable processing events after parsing. See Processing Events on page 22. Event Selection: Used to open the Events window. The Events window is used to customize the list of events to be included when processing events is initiated. By default, all events are selected for inclusion. See Event Selection on page 22.

15 TRIFORCE ANJP USER S GUIDE 15 Reports Tab The Reports tab contains features and panes that relate to connecting to a database and viewing reports. Database Connection Database Connection options are related to connecting to an ANJP database. Database Field: The path and filename of the ANJP database to connect to. Connect Button: Used to connect to the database specified in the Database field. Database Connection Status: Used to display the connection status of a database opened using the Database field and Connect button.

16 TRIFORCE ANJP USER S GUIDE 16 Reports Tab Panes The Reports Tab Panes contain features that allow for selecting, viewing, and navigating through reports. The Reports List Pane: Contains the list of reports available for viewing. Expand or collapse the list by clicking the or icons, respectively. Open a report by double-clicking the report to be viewed. See Viewing a Report on page 26. Note Empty reports will also be listed in the Reports List Pane. An opened report that is empty will have column headers, but no row data. The Report View Pane: Displays the contents of a report that was opened from the list of reports in the Reports List Pane.

17 TRIFORCE ANJP USER S GUIDE 17 Report Options Report Options are used to filter or export a report that is currently loaded into the Report View Pane. Filter Button: Used to open the Filter window. The Filter window provides access to options related to filtering report data and managing filter lists. See Filtering Reports on page 29. Export Button: Used to open the Export window. The Export window provides access to options related to exporting report data. See Exporting Reports to a File on page 35. Report Navigation Report Navigation is used to navigate through a report currently loaded into the Report View Pane. See Viewing a Report on page 26. Navigation Buttons: Used to navigate to the next or previous page of a report that contains more than 5,000 rows of data. Row Range Status Bar: Located in the status bar, the Row Range is used to determine the range of rows, or row numbers currently loaded into view. ANJP displays 5,000 rows of report data at a time.

18 TRIFORCE ANJP USER S GUIDE 18 The Power of Parse and Process ANJP s Power of Parse rests in its ability to scour the MFT and assess the current state of the file system and dredge the LogFile and USN to discover changes that occurred in the past. ANJP s Power of Process is the amplification of its parsing power via Processing Events. The LogFile and USN can be searched to identify the presence of historical events related to file creations, deletions, renames, wiping, virus infections, cd burning, software usage, and more. Parsing Files The goal of parsing is to create an ANJP database. This is the first step towards gleaning information from the file system to be analyzed. In this exercise, a new case will be started by inputting the Case Information to be used to create a database. The completion of this exercise will result in an ANJP database to be used in upcoming sections of this guide. Acquire NTFS files 1. See Extracting NTFS Files: MFT, LogFile, and USN on page 39. Start ANJP 2. Open ANJP and go to the Process tab. Enter Case Information. See Case Information on page In the Case Name field, enter a name that will be used for the ANJP database created. Note The Case Name field accepts alpha-numeric characters, spaces, dashes - and underscores_ only. Special characters are not permitted. 4. In the Case Path field, enter the location to save the database. Alternately, click the Browse button and navigate to the folder to save the ANJP created database. 5. In the MFT, LogFile, and USN fields, enter the path and filename of each file to be used in parsing. Alternately, click the Browse button and navigate to each file s location, or drag-anddrop each file into its respective field within ANJP. Note The MFT field is always required when parsing. The LogFile and USN fields are optional.

19 TRIFORCE ANJP USER S GUIDE 19 To Process or Not to Process. See Processing Events on page The Process Events After Parsing checkbox is checked by default. Uncheck this option to disable event processing immediately after parsing has completed. Customizing Event Processing. See Event Selection on page If events are to be processed immediately after parsing, the events to be included in processing can be customized. Click Events Selection in the Process tab to open the Events window. 8. Select the events from the lists provided that are to be included when event processing is initiated. Additionally, this window allows you to provide a custom list of search terms to be used against the MFT to find matching filenames or fullpaths. See MFT File Lists on page 23 for more information. Specifying Case Options. 9. Within the Process Tab, click the Options button to open the Options window. Select the Timezone, Cluster Size, or MFT Entry Size where appropriate. Option Timezone Cluster Size MFT Entry Size Description Change the default time zone of UTC (Coordinated Universal Time) to a time zone from the drop-down list provided. The time zone selected will be applied to all timestamps parsed from the NTFS files selected. Change the default cluster size of If the source volume of the NTFS files to be parsed was formatted using a size different from the default value, select the correct value from the list provided. Change the default MFT entry size of If the entry size of the MFT file to be parsed is different from the default size, use this option to select the correct value from the list provided.

20 TRIFORCE ANJP USER S GUIDE 20 WARNING: If the correct cluster size or MFT entry size were not selected at parse time, the resulting parsed information will not be complete. For example, an incorrect cluster size will effect fullname enumeration during LogFile parsing. It is recommended that you verify the cluster size used to format the selected NTFS files source volume. In addition, verifying the entry size of the MFT file to be parsed is also recommended. Click Parse 10. Click Parse. Clicking Parse will parse data from the NTFS files specified in step 4, and place the data into an SQLite database using the name specified in step 3 (Case Name) and the path specified in step 4 (Case Path).

21 TRIFORCE ANJP USER S GUIDE 21 Connecting to a Database The next step to analyzing the file system is connecting to an ANJP created database. If a database has not yet been created, refer to Parsing Files on page 18. Start ANJP 1. Open ANJP and go to the Reports tab. 2. In the Database field, enter the path and filename of the ANJP created database file. Alternately, the database file can be dragged-and-dropped directly into the Database field, or click Browse and navigate to the database file s location. Connect to the Database 3. With the Database field populated, click Connect. Processing Events on a Connected Database. Follow the instructions provided in steps 4-7 to process events on a connected database. See Processing Events on page 22 for more information. 4. Go to File > Event Selection in the menu bar to open the Events window. 5. Select the events from the lists provided that will be included when event processing is initiated. Additionally, you can provide a custom list of search terms to be used against the MFT to find matching filenames or fullpaths. See MFT File Lists on page 23 for more information. 6. Initiate event processing by going to File > Process Events in the menu bar. Note There are no limitations on the number of times that a database can be processed for events.

22 TRIFORCE ANJP USER S GUIDE 22 Processing Events The MFT, LogFile, and USN can contain copious amounts of information. Manually sorting through hundreds of thousands of parsed records would be time consuming and expensive. Event Processing attempts to overcome the vast stores of mined data by using event signatures. Event signatures are used by ANJP to zero in on specific type of events that take place within the file system that include but are not limited to: file creations, deletions, renames, application usage, file wiping, and more. There are two different scenarios where event processing can be initiated: When Parsing Files. See Parsing Files on page 18. Process Tab > Process Events After Parsing Checkbox: When parsing NTFS files for the first time, the Process Events After Parsing checkbox will initiate event processing immediately after parsing has completed. You can customize the events to be included using Event Selection through the Events window. See Event Selection on page 22. While Connected to a Database. See Connecting to a Database on page 21. File Menu > Process Events: When connected to a database, you can process events by selecting File > Process Events from the Menu bar. See Processing Events on page 22. Event Selection Event Selection is used to customize the events to be included when event processing takes place. To customize events, open the Events window in one of the following ways: Process Tab > Event Selection File Menu > Event Selection

23 TRIFORCE ANJP USER S GUIDE 23 Place a check next to each event to be included when events are processed. Adding MFT File Lists The Events window also provides the option to add MFT File Lists. Refer to MFT File Lists in the next section. MFT File Lists MFT File Lists are text files containing a list of search terms which are used by ANJP to search for matching fullpaths or filenames within the MFT File Listing report. MFT File Lists can be added to the Events list so that a custom list of files and folders can be used when event processing is initiated. Creating a Custom File List Before you can add a file list to the Events list, you must first create one. Therefore, you should be familiar with what is considered acceptable for use as an MFT File List. File Name and Full Path Terms: An acceptable file list must include terms that are all structured the same. Terms that are structured as filenames cannot be combined in the same file list with terms that are structured as fullpaths, and vice versa. Regex and String Terms: The terms in the file list must all be interpreted the same way by ANJP. Terms that are regular expressions cannot be combined with terms that are strings within the same file list, and vice versa. When you add a file list to ANJP, you must select the search type for the list: Regex or String. Therefore, if you include regular expressions within you file list, and you select String as the search type, regular expressions will not be interpreted as such. Open a Text Editor 1. Open a text editor to begin adding terms to the file list. Add terms to your list 2. Each term in your list should be placed on a new line within the list. Refer to the Sample File List on the next page for an example of what an MFT File List contains.

24 TRIFORCE ANJP USER S GUIDE 24 Sample File List The file list below contains a list of regular expressions that can be used by ANJP to find matching fullpaths within the MFT File Listing report. Terms Used: ^\\users\\.{1,}\\appdata\\local\\temp\\.{1,}[.]exe Match any filename with an exe extension located in \user\{any users}\appdata\local\temp ^\\users\\(.{1,}\\)+.{1,}[.]lnk$ Match any filename in any folder under the directory \users\ and has the extension.lnk ^\\Windows\\Prefetch\\.{1,}[-][A-F0-9]{1,8}[.]pf$ Match any filename in the folder \Windows\Prefetch\ that contains a followed by up to 8 characters A though F, or 0 through 9, and has the extension.pf. Adding MFT File Lists With a file list created, it can be added to the list of events. If a file list has not been created, see Creating a Custom File List on page 23. Start ANJP 1. Open ANJP and go to the Process tab. 2. Open the Events window by clicking the Event Selection button, or go to File > Event Selection from the menu bar. Opening the MFT File List Window 3. Open the MFT File List window by clicking the Add MFT File List button. Configuring the MFT File List Event 4. In the Id Name field, type a unique name for the MFT File List event to be created. 5. In the Filelist field, type the path and filename of the list, click Browse and navigate to the location of the list, or drag-and-drop the list directly into the Filelist field.

25 TRIFORCE ANJP USER S GUIDE Select the appropriate Case, Search Type, Match Value, and Encoding options that reflect the contents and type of search to be used. See Table 1 below for descriptions of each option. Table 1: MFT Filelist Options CASE SEARCH TYPE MATCH VALUE ENCODING OPTIONS insensitive sensitive string regex file name full path ANSI UTF-8 (No BOM) UTF-8 USC-2 (LE) USC-2 (BE) DESCRIPTION Ignore the character case. Find matches using the same character case as the search term. The file list is a list of strings. The file list is a list of Perl Regular Expressions. Match only file or folder names. Match full paths. Non-Unicode text file. Unicode text files without byte-order mark. Unicode text files with byte-order mark. 2-byte Universal Character Set text file. (Little Endian) 2-byte Universal Character Set text file. (Big Endian) Adding Your MFT File List Event 7. In the MFT File List window, click Create. The file list will be added to the Events window as an MFT Event. Deleting an MFT File List Event 1. To delete an MFT File List, highlight the MFT Event to be deleted and click Delete MFT Event in the Event Selection window. This will remove the MFT Event from the list.

26 TRIFORCE ANJP USER S GUIDE 26 Viewing Reports This chapter discusses the reports that are stored within an ANJP created database after parsing and processing NTFS files, and are available for viewing. The Reports List The Reports List, located in the Process Tab > Reports List Pane contains the parent item reports, which is divided into four categories: MFT, LogFile, USN, and Other. Reports listed under those categories can be selected for viewing. Viewing a Report Start ANJP 1. Open ANJP and go to the Reports tab. 2. Connect to an ANJP created database. Opening a Report 3. Expand the Reports List by clicking the icons. Open a report by double-clicking the report to be viewed. Note While a report is being loaded into view, you will not be able to perform additional tasks within ANJP. The time it takes to open a report depends on the amount of data it contains. The larger the report, the longer it will take to open.

27 TRIFORCE ANJP USER S GUIDE 27 MFT Reports MFT Reports are report views generated by ANJP after parsing the $MFT and processing events. MFT File Listing This report contains the record entries that were parsed from the $MFT. See the MFT File Listing report reference on page 41 for a complete list of column names and descriptions contained within this report. MFT Filelist Hits This report contains a listing of hits found after processing MFT Events against the MFT File Listing report. See the MFT Filelist Hits report reference on page 42 for a complete list of column names and descriptions contained within this report. Note If no MFT Events were found during processing or no MFT Events were selected using Event Selection this report will be empty. See Event Selection on page 22 and MFT File Lists on page 23 for information about how to include these types of events when event processing is initiated. LogFile Reports LogFile Reports are report views generated by ANJP after parsing the $LogFile and processing events. Note If a LogFile was not selected for parsing when the database was first created, all LogFile reports will be empty. File Interactions This report contains records parsed from the $LogFile that relate to file and folder changes. See the File Interactions report reference on page 43 for a complete list of column names and descriptions contained within this report. Overview This report contains all records parsed from the $LogFile. It focuses on more LogFile detail than file detail within the records. See the Overview report reference on page 45 for a complete list of column names and descriptions contained within this report. LogFile Events This report contains a listing of hits found after searching for LogFile events within the File Interactions report. See the LogFile Events report reference on page 46 for a complete list of column names and descriptions contained within this report. The following scenarios will result in an empty LogFile Events report: No LogFile was selected when the database was first created. See Parsing Files on page 18. Event processing was not performed on the database. See Processing Events on page 22.

28 TRIFORCE ANJP USER S GUIDE 28 Event processing was performed but no LogFile events were selected using Event Selection. See Event Selection on page 22. Event processing was performed but no LogFile events were found. USN Reports USN Reports are report views generated by ANJP after parsing the $UsnJrnl:$J (USN) and processing events. Note If a USN was not selected for parsing when the database was first created, all USN reports will be empty. USN Record Listing This report contains all records parsed from the USN. See the USN Record Listing report reference on page 49 for a complete list of column names and descriptions contained within this report. USN Events This report contains the hits found after processing USN events against the USN Record Listing report. See the USN Events report reference on page 50 for a complete list of column names and descriptions contained within this report. The following scenarios can result in an empty USN Events report: No USN was selected for parsing when the database was first created. See Parsing Files on page 18. Event processing was not performed on the database. See Processing Events on page 22. Event processing was performed but no USN events were selected using Event Selection. See Event Selection on page 22. Event processing was performed but no USN events were found. Other Reports Other Reports contains additional reports available for viewing. Log2Timeline This report consolidates rows with timestamp information from the MFT File Listing, LogFile File Interactions, and USN Record Listing reports into a Log2Timline format. See the Log2Timeline report reference on page 51 for a complete list of column names and descriptions contained within this report. Events Summary This report contains statistics related to event processing which includes the event IDs and hit counts for each event that was included when event processing was initiated. See the Events Summary report reference on page 51 for a complete list of column names and descriptions contained within this report.

29 TRIFORCE ANJP USER S GUIDE 29 Filtering Data This chapter discusses filtering a report currently being viewed. Filtering Reports Report data within ANJP can contain such a wealth of information, that finding relevant information may feel like trying to find a needle in a haystack. Filters help to narrow the report data haystack down to a manageable size. ANJP filters narrow report data using Logic, Columns, Conditions, and Values. Filter Logic Logic is used to enhance the filtering process by comparing multiple filters and decide if the filtered data should match all criteria (AND), or only needs to match one (OR). AND: Show filtered data where filter criteria 1 is true and filter criteria 2 is true. Scenario: Filter for all.doc files created in February of Criteria 1: Filename contains.doc ; AND, Criteria 2: SIA Created Time contains OR: Show filtered data where filter criteria 1 is true or filter criteria 2 is true. Scenario: Filter for files that have an extension of either.doc or.xls. Criteria 1: Filename contains.doc ; OR, Criteria 2: Filename contains.xls

30 TRIFORCE ANJP USER S GUIDE 30 Columns, Conditions, and Values When adding filters in the Filter window, the Column selected determines what Conditions can be used and how the filter Value should be formatted. There are four types of Columns that determine what Conditions can be selected: Integers, Timestamps, Strings, and Event IDs. Integers When the Column selected contains integers, use values that are integer based. Condition Description Sample Value For column selected, find a row that contains: == Equals Integers equal to < Less than 1024 Integers less than 1024 <= Less than or equal to 4096 Integers less than or equal to 4096 > Greater than Integers greater than >= Greater than or equal Integers greater than or equal to != to Not equal to 1 Integers not equal to 1 <> Not equal to 0 Integers not equal to 0 Timestamps When the Column selected contains timestamps, use values that match the selected column s timestamp format. When using the Conditions LIKE or NOT LIKE, format the value using SQLite LIKE syntax, where the wildcard % is used to represent anything.

31 TRIFORCE ANJP USER S GUIDE 31 Condition Description Sample Value For column selected, find rows that are: < Before Timestamps before :00: > After Timestamps after :00: LIKE Contains :% Timestamps in the twelfth hour of January 01, 2011 NOT LIKE Not contains 2014%:24:% Timestamps not at the 24 th minute in the year 2014 Strings When the Column selected contains strings, use values that are string based. Condition Description Sample Value For column selected, find rows that are: LIKE Contains \Users\Admin Strings containing \Users\Admin NOT LIKE Not contains Directory Strings not containing Directory REGEXP Regular expression \\Windows\\.{1,} Strings matching \Windows\ followed by anything Event IDs When the Column selected contains Event IDs, the values will be in the form of a dropdown list containing Event IDs present in the current report. Condition Description Sample Item For the column selected, find rows that are: LIKE Contains Creations Creation events NOT LIKE Not contains Deletions Not Deletion events

32 TRIFORCE ANJP USER S GUIDE 32 Creating Filters Start ANJP 1. Start ANJP. Go to the Reports tab and connect to a database. 2. Double-click a report from the Reports List to open it for viewing. Opening the Filter Window 3. Open the Filter window by either clicking the Filter button, or by right-clicking a cell within the report and selecting Filter By Value. Configuring the Filter 4. With the Filter window open, select the Logic, Column, and Condition for the filter using the drop-down lists provided. See Columns, Conditions, and Values on page Enter a value in the Value field. Alternately, if the Filter By Value option was used, the Column drop-down and Value field will be automatically populated. Select a Condition from the dropdown list provided.

33 TRIFORCE ANJP USER S GUIDE 33 Adding the Filter 6. Click Add to add the configured filter to the list. Filtering the Report 7. Click the Filter button to filter the report currently in view. Note While filters are being applied to the report, you will be unable to perform additional tasks within ANJP. The amount of time it takes to filter a report depends on how large the report is and how many filters are being applied. Additional Filter Options Exporting and Importing Filters When ANJP is closed, filters added during that session will be forgotten. Filters can be exported so that they may be imported and re-used at a later time. Exporting Filters: In the Filter window, click the Export button to export the filters for the report currently in view. Importing Filters: To import previously exported filters, click the Import button and select a filters file that is valid for the report currently in view.

34 TRIFORCE ANJP USER S GUIDE 34 Note When exporting and importing filters, keep in mind that every report within ANJP has a different combination of columns. Filters created for one report might not be valid for another report. Therefore, It is recommended that the filename of the exported filters should include the name of the report to which the filter applies. Example: mft_file_listing-file_rcd_filter.txt Clearing Filters In the Filter window, use the Clear button to remove all filters from the filter list and return the report to its unfiltered state. Removing Individual Filters In the Filter window, remove individual filters by highlighting the filter to be removed and clicking Remove. Exporting Filtered Data If filters are applied to the report currently in view, export the filtered report by clicking Export in the Reports tab. See Exporting Reports to a File on page 35.

35 TRIFORCE ANJP USER S GUIDE 35 Exporting Reports This chapter discusses the export options available for a report currently being viewed. Exporting Reports ANJP provides a number of options to export report data. Entire reports, filtered reports, or only selected rows can be exported to a text file or an Excel spreadsheet. Exporting Reports to a File Start ANJP 1. Start ANJP. Go to the Reports tab, and connect to an ANJP database. 2. From the Reports List, double-click a report to open it for viewing. Opening the Export Window 3. Open the Export window by clicking Export in the Reports tab. Configuring Export Options 4. With the Export window open, type the path and name to use for the exported report. Alternately, you can navigate to the folder and enter the filename by clicking the Browse button. 5. Configure the Delimiter, Export Type, Export Format, and Export Options. Export File Delimiter Export Type All Selected Export Format Text XLSX Export Options Overwrite Append Options The path and name to use for the exported report file. Delimiting character used to separate columns in the exported report. Export all report data currently in view. Export only the report rows selected. Export the report data to a text file. Export the report data to an excel spreadsheet. Overwrite the file specified in the Export File Field. If it does not exist, create a new file. Append the report data to the end of the file specified in the Export File Field. If the file does not exist, create a new file. Appending is not support for excel spreadsheets.

36 TRIFORCE ANJP USER S GUIDE Click Finish to export the report. Note While a report is being exported, you will be unable to perform additional tasks within ANJP. The amount of time it takes to export a report depends on how much data is being exported and what Export Format is used. Sending Reports to ElasticSearch Individual reports can be sent to a pre-existing ElasticSearch node using ANJP s ElasticSearch Connection and Send to esearch options. Note To use an ElasticSearch connection within ANJP, you must be connected to an ANJP database and have an existing ElasticSearch engine created, configured, functional, and accessible. Start ANJP 1. Open ANJP and go to the Reports tab. 2. Connect to a database. 3. From the Reports List, double-click a report to open it for viewing. Opening the ElasticSearch Connection Window 4. To open the ElasticSearch Connection window, go to Connections > ElasticSearch from the Menu bar. Connecting to a Node 5. Enter the node IP and port of the ElasticSearch service. 6. Click Connect to establish the connection. Note If ANJP is unable to establish a connection to ElasticSearch, a connection error message will be displayed.

37 TRIFORCE ANJP USER S GUIDE 37 Sending a Report to esearch 7. If a connection was successful, individual reports can be sent to ElasticSearch by right-clicking a report from the Reports List and clicking Send to esearch. Note If the connection attempt was not successful or a previously established connection has timed out, the Send to esearch option will be disabled.

38 TRIFORCE ANJP USER S GUIDE 38 Overview APPENDIX A: NTFS BASICS NTFS or New Technologies File System, was designed by Microsoft and is the default file system used by Windows NT and later. It is a complex file system designed with scalability, reliability, and security in mind. Everything is considered a file in NTFS, including directories. Three files within the file system that can be parsed by ANJP are: The $MFT, $LogFile, and $UsnJrnl:$J. The MFT The $MFT, or Master File Table, is used by NTFS to store information about the current state of all files within the file system. It contains MFT record entries for each file, and within each entry there are various data structures. Data Structures Parsed by ANJP from the MFT MFT Header Standard Information Attribute 0x10 File Name Attribute 0x30 Object ID Attribute 0x40 Data Attribute 0x80 The LogFile The $LogFile is a journal used by NTFS to record changes made to the file system structure and provides a historical view of changes that occurred within the file system. Each change is recorded in two states, a before (redo) and an after (undo). A redo contains the contents of the structure as it existed before the change takes place. An undo contains the changes that are being applied. If a change affects an MFT entry, the LogFile record for that change will contain the entire MFT data structure being changed. The records in the LogFile are volatile because they are stored in a circular manner. Once the max size of the LogFile is reached, older records get overwritten. Data Structures Parsed by ANJP from the LogFile LogFile Record LSN Record Header MFT Header Standard Information Attribute 0x10 File Name Attribute 0x30 Object ID Attribute 0x40 Data Attribute 0x80 Index Entry Attribute 0x90 The USN Journal The $UsnJrnl:$J, or USN Journal, is a journal used by NTFS to keep track of changes occurring to files and folders and provides a historical view of the changes that occurred.

39 TRIFORCE ANJP USER S GUIDE 39 Each USN Journal entry size and structure is consistent for all entries recorded, which unlike the records in the LogFile, can vary depending on the data structure that is being recorded. The USN Journal file can easily grow larger than 1 GB, but the actual data it contains is typically less than 64 MB. As the USN grows, new records are added to the end of the journal and old records are overwritten with zeros. The number of records that can be written to the end of the journal before getting overwritten by zeros, and how many records should be zeroed, is heavily dependent on how the USN Journal was initially configured. Extracting NTFS Files: MFT, LogFile, and USN 1. Using a tool that can access whole disk images, partitions, or drives, open the image or drive that contains the NTFS partition to be examined. 2. Navigate to the root of the partition, denoted.\. The $MFT and $LogFile are located here..\$mft.\$logfile 3. Extract the $MFT and $LogFile. 4. Navigate to the directory.\$extend. If the USN was enabled for this partition you will find the file $UsnJrnl in the.\$extend\ folder. The USN data of interest is attached to this file as an Alternate Data Stream : named $J. Note: If the USN was not enabled, the $UsnJrnl file will not be present..\$extend\$usnjrnl:$j 5. Extract the Alternate Data Stream named $J from the $UsnJrnl file. Note: If you extract the $UsnJrnl, you may not capture the alternate data stream, $J. You should isolate, select, and extract the alternate data stream $J directly to ensure that it is extracted properly.

40 [This page intentionally left blank.]

41 APPENDIX B: COLUMN REFERENCE MFT Reports MFT File Listing Column Name (GUI) Column Name (DB) Description Source Record Name r_name The MFT record filename and enumerated path. Includes records for filename attribute and named data structure. ANJP Enumeration MFT Hdr Entry Ref e_entry_ref MFT record reference number. Derived from the MFT record and sequence number. MFT Header MFT Hdr Entry # e_entry MFT record number. MFT Header MFT Hdr Seq # e_seq_num MFT record sequence number. MFT Header MFT Hdr Link Count e_link_cnt Number of hard links associated with this record. MFT Header MFT Hdr Flags e_flags MFT header flags. Values include: 'File', Folder, Unknown (1280)', Unknown (2304)', or Unknown (3328)'. MFT Header MFT Hdr Active e_active Allocation status of the entry: Allocated or Unallocated. MFT Header SIA Created Time sia_ctime Created time. Standard Information Attr 0x10 SIA Modified Time sia_mtime Modified time. Standard Information Attr 0x10 SIA MFT Mod Time sia_mftmtime MFT entry modified time. Standard Information Attr 0x10 SIA Accessed Time sia_atime Accessed time. Standard Information Attr 0x10 SIA Class ID sia_class_id Class ID. Standard Information Attr 0x10 SIA Owner ID sia_own_id The owner ID of file. Standard Information Attr 0x10 SIA Sec ID sia_sec_id Security ID. Standard Information Attr 0x10 SIA USN sia_usn Update Sequence Number. Standard Information Attr 0x10 FN Attr P Ref # fna_parent_ref MFT record reference number of parent. From the MFT record and sequence number of parent. File Name Attribute 0x30 FN Attr P Rcd # fna_parent_rcd MFT record number of parent. File Name Attribute 0x30 FN Attr P Seq # fna_parent_seq MFT record sequence number of parent. File Name Attribute 0x30 FN Attr Created Time fna_ctime Created time. File Name Attribute 0x30 FN Attr Modified Time fna_mtime Modified time. File Name Attribute 0x30 FN Attr MFT Mod Time fna_mftmtime MFT modified time. File Name Attribute 0x30 FN Attr Accessed Time fna_atime Accessed time. File Name Attribute 0x30 FN Attr Alloc Size fna_alloc_fsize Allocated size. File Name Attribute 0x30 FN Attr Real Size fna_real_fsize Real size. File Name Attribute 0x30 FN Attr Flags fna_flags_s File Name Attribute Flags File Name Attribute 0x30 FN Attr Name fna_name Filename. File Name Attribute 0x30 OI Attr Obj ID oia_object_id Unique ID assigned to record. Object ID Attribute 0x40 OI Attr Datetime oia_objid_datetime Date and time of ID. Object ID Attribute 0x40 OI Attr Version oia_objid_ver Version number. Object ID Attribute 0x40 OI Attr Birth Vol ID oia_birth_volume_id Volume where the file was created. Object ID Attribute 0x40 OI Attr Birth Obj ID oia_birth_object_id Original object ID of the file. Object ID Attribute 0x40 OI Attr Domain ID oia_domain_id Domain in which object was created. Object ID Attribute 0x40 Data Attr Resident dta_resident Resident flag: 0=Resident and 1 = Non-resident. Data Attribute 0x80 Data Attr VCN Start dta_vcn_start Starting Virtual Cluster Number. Data Attribute 0x80 Data Attr VCN Last dta_vcn_last Last Virtual Cluster Number. Data Attribute 0x80

42 TRIFORCE ANJP USER S GUIDE 42 MFT File Listing Report (Continued) Data Attr Runlist Off dta_runlist_ofs Offset of the runlist. Data Attribute 0x80 Data Attr Alloc Size dta_alloc_size Allocated size. Data Attribute 0x80 Data Attr Real Size dta_real_size Real size. Data Attribute 0x80 Data Attr Compressed Size dta_compressed_size Compressed size. Data Attribute 0x80 Data Attr Runlist dta_runlist Runlist for the file's data. Will be empty for resident files. Data Attribute 0x80 Data Attr Stream Name dta_stream_name Filename of Alternate Data Stream. Data Attribute 0x80 Data Attr Res. Data dta_resident_data If file is resident, the contents of the file within the MFT. Otherwise, this field will be empty. Data Attribute 0x80 Data Attr Res. Data String Ver dta_resident_data_text_only Contents of Data Attr Res. Data with non-printable characters removed by ANJP. ANJP Parsing MFT Filelist Hits Column Name (GUI) Column Name (DB) Description Source Record Name r_name The MFT record filename and enumerated path. Includes records for filename attribute and named data structure. ANJP Enumeration Filelist Evt ID mfle_event Name ID of the event that found the hit. ANJP Event Processing Filelist Evt Match mfle_filematch Term from the MFT Filelist that found the hit. ANJP Event Processing Filelist Evt List mfle_filelist Name of list where search term is included. ANJP Event Processing Filelist Evt Type mfle_type The type of match used to find the hit: Regex or String. ANJP Event Processing Filelist Evt Case mfle_case The case matching used to find the hit: Sensitive or Insensitive. ANJP Event Processing MFT Hdr Entry Ref e_entry_ref MFT record reference number. Derived from the MFT record and sequence number. MFT Header MFT Hdr Entry # e_entry MFT record number. MFT Header MFT Hdr Seq # e_seq_num MFT record sequence number. MFT Header SIA Created Time sia_ctime Created time. Standard Information Attr 0x10 SIA Modified Time sia_mtime Modified time. Standard Information Attr 0x10 SIA MFT Mod Time sia_mftmtime MFT entry modified time. Standard Information Attr 0x10 SIA Accessed Time sia_atime Accessed time. Standard Information Attr 0x10 FN Attr P Ref # fna_parent_ref MFT record reference number of parent. From the MFT record and sequence number of parent. File Name Attribute 0x30 FN Attr P Rcd # fna_parent_rcd MFT record number of parent. File Name Attribute 0x30 FN Attr P Seq # fna_parent_seq MFT record sequence number of parent. File Name Attribute 0x30 FN Attr Created Time fna_ctime Created time. File Name Attribute 0x30 FN Attr Modified Time fna_mtime Modified time. File Name Attribute 0x30 FN Attr MFT Mod Time fna_mftmtime MFT modified time. File Name Attribute 0x30 FN Attr Accessed Time fna_atime Accessed time. File Name Attribute 0x30 FN Attr Real Size fna_real_fsize Real size. File Name Attribute 0x30 FN Attr Flags fna_flags_s File Name Attribute Flags File Name Attribute 0x30 FN Attr Name fna_name Filename. File Name Attribute 0x30 Data Attr Res. Data dta_resident_data If file is resident, the contents of the file within the MFT. Otherwise, this field will be empty. Data Attribute 0x80 Data Attr Runlist dta_runlist Runlist for the file's data. Will be empty for resident files. Data Attribute 0x80 Data Attr Stream Name dta_stream_name Filename of Alternate Data Stream. Data Attribute 0x80 Data Attr Runlist Off dta_runlist_ofs Offset of the runlist. Data Attribute 0x80 Data Attr Resident dta_resident Resident flag: 0=Resident and 1 = Non-resident. Data Attribute 0x80

43 TRIFORCE ANJP USER S GUIDE 43 LogFile Reports File Interactions Column Name (GUI) Column Name (DB) Description Source LogFile Rcd Name chg_name Centralized column of the name of the file that the change is occurring to. LogFile RCRD LSN Redo Op_b lsn_redoop Redo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LSN Redo Op lsn_redoop_s The decoded string format of the Redo Operation Code. See Redo Operation Code table for possible values. LogFile LSN RCRD Header LSN Undo Op_b lsn_undoop Undo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LSN Undo Op lsn_undoop_s The decoded string format of the Undo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LogFile Rcd LSN chg_lsn The LSN record number associated with this operation. LogFile RCRD LogFile Rcd Target Rcd # chg_target_rec_num The MFT record number of the LSN data. LogFile RCRD LogFile Rcd Trans chg_trans The number of a transaction, 0 is the newest change. LogFile RCRD LogFile Rcd Attr Changes chg_attrib_changes Attribute affected by operation: begins with C=created, D=deleted, or U=Update. See Attribute Changes table for details. LogFile RCRD LogFile Rcd Data chg_data The type of data the change record contains: Redo, Undo, or Redo/Undo. LogFile RCRD LogFile Rcd Rcd Ref # chg_record_ref Used for record linkage LogFile RCRD LSN MFT Rcd # lsn_mftrcrdnum MFT Record Number (only populated if the LogFile operation affects an MFT Record). LogFile LSN RCRD Header FN Attr P Ref # fna_parent_ref MFT record reference number of parent. From the MFT record and sequence number of parent. File Name Attribute 0x30 FN Attr P Rcd # fna_parent_rcd MFT record number of parent. File Name Attribute 0x30 FN Attr P Seq # fna_parent_seq MFT record sequence number of parent. File Name Attribute 0x30 FN Attr Created Time fna_ctime Created time. File Name Attribute 0x30 FN Attr Modified Time fna_mtime Modified time. File Name Attribute 0x30 FN Attr MFT Mod Time fna_mftmtime MFT modified time. File Name Attribute 0x30 FN Attr Accessed Time fna_atime Accessed time. File Name Attribute 0x30 FN Attr Alloc Size fna_alloc_fsize Allocated size. File Name Attribute 0x30 FN Attr Real Size fna_real_fsize Real size. File Name Attribute 0x30 FN Attr Flags fna_flags_s File Name Attribute Flags File Name Attribute 0x30 FN Attr Name fna_name Filename. File Name Attribute 0x30 SIA Created Time sia_ctime Created time. Standard Information Attr 0x10 SIA Modified Time sia_mtime Modified time. Standard Information Attr 0x10 SIA MFT Mod Time sia_mftmtime MFT entry modified time. Standard Information Attr 0x10 SIA Accessed Time sia_atime Accessed time. Standard Information Attr 0x10 SIA Class ID sia_class_id Class ID. Standard Information Attr 0x10 SIA Owner ID sia_own_id The owner ID of file. Standard Information Attr 0x10 SIA Sec ID sia_sec_id Security ID. Standard Information Attr 0x10 SIA USN sia_usn Update Sequence Number. Standard Information Attr 0x10 Data Attr Resident dta_resident Resident flag: 0=Resident and 1 = Non-resident. Data Attribute 0x80 Data Attr VCN Start dta_vcn_start Starting Virtual Cluster Number. Data Attribute 0x80 Data Attr VCN Last dta_vcn_last Last Virtual Cluster Number. Data Attribute 0x80 Data Attr Alloc Size dta_alloc_size Allocated size. Data Attribute 0x80 Data Attr Real Size dta_real_size Real size. Data Attribute 0x80

44 TRIFORCE ANJP USER S GUIDE 44 LogFile File Interactions Report (Continued) Data Attr Compressed Size dta_compressed_size Compressed size. Data Attribute 0x80 Data Attr Runlist dta_runlist Runlist for the file's data. Will be empty for resident files. Data Attribute 0x80 Data Attr Stream Name dta_stream_name Filename of Alternate Data Stream. Data Attribute 0x80 Data Attr Res. Data dta_resident_data If file is resident, the contents of the file within the MFT. Otherwise, this field will be empty. Data Attribute 0x80 OI Attr Obj ID oia_object_id Unique ID assigned to record. Object ID Attribute 0x40 OI Attr Datetime oia_objid_datetime Date and time of ID. Object ID Attribute 0x40 OI Attr Version oia_objid_ver Version number. Object ID Attribute 0x40 OI Attr Birth Vol ID oia_birth_volume_id Volume where the file was created. Object ID Attribute 0x40 OI Attr Birth Obj ID oia_birth_object_id Original object ID of the file. Object ID Attribute 0x40 OI Attr Domain ID oia_domain_id Domain in which object was created. Object ID Attribute 0x40 IDX Attr File Ref # ie_mft_f_rcd MFT record number. Index Entry Attribute 0x90 IDX Attr File Rcd # ie_mft_f_ref MFT record reference number. Derived from the MFT record and sequence number of parent. Index Entry Attribute 0x90 IDX Attr File Seq # ie_mft_f_seq MFT record sequence number. Index Entry Attribute 0x90 IDX Attr P Ref # ie_mft_p_rcd MFT record number of parent. Index Entry Attribute 0x90 IDX Attr P Rcd # ie_mft_p_ref MFT reference number of parent. Derived from the MFT record and sequence number of the parent. Index Entry Attribute 0x90 IDX Attr P Seq # ie_mft_p_seq MFT record sequence number of parent. Index Entry Attribute 0x90 IDX Attr Created Time ie_c_dt Created time. Index Entry Attribute 0x90 IDX Attr Modified Time ie_m_dt Modified time. Index Entry Attribute 0x90 IDX Attr MFT Mod Time ie_mft_m_dt MFT modified time. Index Entry Attribute 0x90 IDX Attr Accessed Time ie_a_dt Accessed time. Index Entry Attribute 0x90 IDX Attr Alloc Size ie_alloc_size Allocated size. Index Entry Attribute 0x90 IDX Attr Real Size ie_real_size Real size. Index Entry Attribute 0x90 IDX Attr Flags ie_flags_s Index Entry File Attribute Flags Index Entry Attribute 0x90 IDX Attr Name ie_name Filename and enumerated path. Index Entry Attribute 0x90 USN Rcd Off ur_record_offset Offset of record within the USN Journal. USN Journal Entry USN Rcd Trans Count ur_transaction_count Transaction number of record. A new transaction starts after a 'Close' Reason. USN Journal Entry USN Rcd File Rcd # ur_file_rcd_num MFT record number. USN Journal Entry USN Rcd File Seq # ur_file_ref_num MFT record reference number. From the MFT record and sequence number of parent. USN Journal Entry USN Rcd File Ref # ur_file_seq_num MFT record sequence number. USN Journal Entry USN Rcd P Rcd # ur_parent_rcd_num MFT record number of parent. USN Journal Entry USN Rcd P Seq # ur_parent_ref_num MFT reference number of parent. From the MFT record and sequence number of the parent. USN Journal Entry USN Rcd P Ref # ur_parent_seq_num MFT record sequence number of parent. USN Journal Entry USN Rcd Time ur_datetime USN record date and time. USN Journal Entry USN Rcd Reason ur_reason_s The reason for the change. See USN Reason Codes table for possible values. USN Journal Entry USN Rcd Source Info ur_sourceinfo_s Source information. USN Journal Entry USN Rcd Sec ID ur_sec_id Security ID. USN Journal Entry USN Rcd File Attr ur_file_attribs_s USN File Attribute Flags USN Journal Entry USN Rcd File Name ur_file_name Name of file being changed. USN Journal Entry USN Rcd Type ur_event_type USN JOURNAL ENTRY if usn equals offset, will contain RECOVERED if offset does not match usn. ANJP Parsing

45 TRIFORCE ANJP USER S GUIDE 45 Overview Column Name (GUI) Column Name (DB) Description Source LSN Redo Op_b lsn_redoop Redo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LSN Redo Op lsn_redoop_s The decoded string format of the Redo Operation Code. See Redo Operation Code table for possible values. LogFile LSN RCRD Header LSN Undo Op_b lsn_undoop Undo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LSN Undo Op lsn_undoop_s The decoded string format of the Undo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LogFile Rcd Name chg_name Centralized column of the name of the file that the change is occurring to. LogFile RCRD LogFile Rcd Target Rcd # chg_target_rec_num The MFT record number of the LSN data. LogFile RCRD LogFile Rcd LSN chg_lsn The LSN record number associated with this operation. LogFile RCRD LogFile Rcd Trans chg_trans The number of a transaction, 0 is the newest change. LogFile RCRD FN Attr Created Time fna_ctime Created time. File Name Attribute 0x30 FN Attr Modified Time fna_mtime Modified time. File Name Attribute 0x30 FN Attr MFT Mod Time fna_mftmtime MFT modified time. File Name Attribute 0x30 FN Attr Accessed Time fna_atime Accessed time. File Name Attribute 0x30 FN Attr Real Size fna_real_fsize Real size. File Name Attribute 0x30 SIA Created Time sia_ctime Created time. Standard Information Attr 0x10 SIA Modified Time sia_mtime Modified time. Standard Information Attr 0x10 SIA MFT Mod Time sia_mftmtime MFT entry modified time. Standard Information Attr 0x10 SIA Accessed Time sia_atime Accessed time. Standard Information Attr 0x10 LogFile Rcd Trans Run chg_transrun The sequence of operations within a given transaction. Used for event processing. LogFile RCRD LogFile Rcd Attr Changes chg_attrib_changes Attribute affected by operation: C=created, D=deleted, or U=Update, followed by the attribute's hex representation. LogFile RCRD LogFile Rcd Data chg_data The type of data the change record contains: Redo, Undo, or Redo/Undo. LogFile RCRD FN Attr Fullname fna_full_name Filename and enumerated path. ANJP Enumeration + FNA 0x30 SIA Fullname sia_fullname Filename and enumerated path. ANJP Enumeration + SIA 0x10 Data Attr Stream Name dta_stream_name Filename of Alternate Data Stream. Data Attribute 0x80 LSN MFT Rcd # lsn_mftrcrdnum MFT Record Number (only populated if the LogFile operation affects an MFT Record). LogFile LSN RCRD Header FN Attr Namespace fna_namespace Filename namespace. Possible values include: 0=Posix, 1=Win32, 2=DOS. File Name Attribute 0x30 FN Attr Flags fna_flags_s File Name Attribute Flags File Name Attribute 0x30 SIA Log Op sia_logopp The operation type of the SI change: Redo or Undo. Standard Information Attr 0x10 FN Attr P Rcd # fna_parent_rcd MFT record number of parent. File Name Attribute 0x30 FN Attr P Seq # fna_parent_seq MFT record sequence number of parent. File Name Attribute 0x30 SIA Class ID sia_class_id Class ID. Standard Information Attr 0x10 SIA Owner ID sia_own_id The owner ID of file. Standard Information Attr 0x10 SIA Sec ID sia_sec_id Security ID. Standard Information Attr 0x10 SIA USN sia_usn Update Sequence Number. Standard Information Attr 0x10 Data Attr Runlist dta_runlist Runlist for the file's data. Will be empty for resident files. Data Attribute 0x80 OI Attr Obj ID oia_object_id Unique ID assigned to record. Object ID Attribute 0x40 OI Attr Datetime oia_objid_datetime Date and time of ID. Object ID Attribute 0x40 OI Attr Version oia_objid_ver Version number. Object ID Attribute 0x40 OI Attr Birth Vol ID oia_birth_volume_id Volume where the file was created. Object ID Attribute 0x40

46 TRIFORCE ANJP USER S GUIDE 46 LogFile Overview Report (Continued) OI Attr Birth Obj ID oia_birth_object_id Original object ID of the file. Object ID Attribute 0x40 OI Attr Domain ID oia_domain_id Domain in which object was created. Object ID Attribute 0x40 IDX Attr Created Time ie_c_dt Created time. Index Entry Attribute 0x90 IDX Attr Modified Time ie_m_dt Modified time. Index Entry Attribute 0x90 IDX Attr MFT Mod Time ie_mft_m_dt MFT modified time. Index Entry Attribute 0x90 IDX Attr Accessed Time ie_a_dt Accessed time. Index Entry Attribute 0x90 LogFile Events Column Name (GUI) Column Name (DB) Description Source LogFile Evt Type loge_type The type of event that found the match: Transaction or Change. ANJP Event Processing LogFile Evt ID loge_event_id The name (ID) of the event that found the match. From the Event Selection window. ANJP Event Processing LogFile Evt Hit loge_hit The count number of the hit. Each hit found increments the event signature's counter by one and assigns the count number to the hit. Two hits with the same number are associated. ANJP Event Processing LogFile Evt Rule File loge_rulesfile The event rules file that the hit's event signature belongs to. ANJP Event Processing LogFile Rcd Name chg_name Centralized column of the name of the file that the change is occurring to. LogFile RCRD LogFile Rcd Target Rcd # chg_target_rec_num The MFT record number of the LSN data. This is needed to maintain record number even for non-mft entry related items, such as IndexEntryAllocation Operations. LogFile RCRD LogFile Rcd LSN chg_lsn The LSN record number associated with this operation. LogFile RCRD LogFile Rcd Trans Run chg_transrun The sequence of operations within a given transaction. This is be used to look for specific transactional events such as creates, deletes, renames. LogFile Rcd Attr Changes chg_attrib_changes Attribute affected by operation: begins with C=created, D=deleted, or U=Update, followed by the attribute's hex representation. LogFile RCRD LogFile RCRD LogFile Rcd Data chg_data The type of data the change record contains: Redo, Undo, or Redo/Undo. LogFile RCRD LogFile Rcd Rcd Ref # chg_record_ref Used for record linkage LogFile RCRD LSN Redo Op_b lsn_redoop Redo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LSN Redo Op lsn_redoop_s The decoded string format of the Redo Operation Code. See Redo Operation Code table for possible values. LogFile LSN RCRD Header LSN Undo Op_b lsn_undoop Undo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LSN Undo Op lsn_undoop_s The decoded string format of the Undo Operation Code. See Undo Operation Code table for possible values. LogFile LSN RCRD Header LSN MFT Rcd # lsn_mftrcrdnum MFT Record Number (only populated if the LogFile operation affects an MFT Record). LogFile LSN RCRD Header FN Attr P Ref # fna_parent_ref MFT record reference number of parent. From the MFT record and sequence number of parent. File Name Attribute 0x30 FN Attr P Rcd # fna_parent_rcd MFT record number of parent. File Name Attribute 0x30 FN Attr P Seq # fna_parent_seq MFT record sequence number of parent. File Name Attribute 0x30 FN Attr Created Time fna_ctime Created time. File Name Attribute 0x30 FN Attr Modified Time fna_mtime Modified time. File Name Attribute 0x30 FN Attr MFT Mod Time fna_mftmtime MFT modified time. File Name Attribute 0x30 FN Attr Accessed Time fna_atime Accessed time. File Name Attribute 0x30 FN Attr Alloc Size fna_alloc_fsize Allocated size. File Name Attribute 0x30 FN Attr Real Size fna_real_fsize Real size. File Name Attribute 0x30 FN Attr Flags fna_flags_s File Name Attribute Flags File Name Attribute 0x30 FN Attr Name Len fna_len_name Length of filename. File Name Attribute 0x30

47 TRIFORCE ANJP USER S GUIDE 47 LogFile Events Report (Continued) FN Attr Namespace fna_namespace Filename namespace. Possible values include: 0=Posix, 1=Win32, 2=DOS. File Name Attribute 0x30 FN Attr Name fna_name Filename. File Name Attribute 0x30 FN Attr Fullname fna_full_name Filename and enumerated path. ANJP Enumeration + FNA 0x30 SIA Created Time sia_ctime Created time. Standard Information Attr 0x10 SIA Modified Time sia_mtime Modified time. Standard Information Attr 0x10 SIA MFT Mod Time sia_mftmtime MFT entry modified time. Standard Information Attr 0x10 SIA Accessed Time sia_atime Accessed time. Standard Information Attr 0x10 SIA DOS sia_dos DOS file permissions. Standard Information Attr 0x10 SIA Max Ver sia_maxver Maximum number of versions. Standard Information Attr 0x10 SIA Ver sia_ver Version number. Standard Information Attr 0x10 SIA Class ID sia_class_id Class ID. Standard Information Attr 0x10 SIA Owner ID sia_own_id The owner ID of file. Standard Information Attr 0x10 SIA Sec ID sia_sec_id Security ID. Standard Information Attr 0x10 SIA Quota sia_quata Quota charged. Standard Information Attr 0x10 SIA USN sia_usn Update Sequence Number. Standard Information Attr 0x10 SIA Name sia_name Filename. Standard Information Attr 0x10 SIA Fullname sia_fullname Filename and enumerated path. ANJP Enumeration + SIA 0x10 SIA Log Op sia_logopp The operation type of the SI change: Redo or Undo. Standard Information Attr 0x10 Data Attr Resident dta_resident Resident flag: 0=Resident and 1 = Non-resident. Data Attribute 0x80 Data Attr Name Off dta_name_ofs Offset to filename. Data Attribute 0x80 Data Attr Name Len dta_name_length Length of filename. Data Attribute 0x80 Data Attr VCN Start dta_vcn_start Starting Virtual Cluster Number. Data Attribute 0x80 Data Attr VCN Last dta_vcn_last Last Virtual Cluster Number. Data Attribute 0x80 Data Attr Runlist Off dta_runlist_ofs Offset of the runlist. Data Attribute 0x80 Data Attr Alloc Size dta_alloc_size Allocated size. Data Attribute 0x80 Data Attr Real Size dta_real_size Real size. Data Attribute 0x80 Data Attr Compressed Size dta_compressed_size Compressed size. Data Attribute 0x80 Data Attr Runlist dta_runlist Runlist for the file's data. Will be empty for resident files. Data Attribute 0x80 Data Attr Stream Name dta_stream_name Filename of Alternate Data Stream. Data Attribute 0x80 Data Attr Res. Data dta_resident_data If file is resident, the contents of the file within the MFT. Otherwise, this field will be empty. Data Attribute 0x80 OI Attr Obj ID oia_object_id Unique ID assigned to record. Object ID Attribute 0x40 OI Attr Datetime oia_objid_datetime Date and time of ID. Object ID Attribute 0x40 OI Attr Version oia_objid_ver Version number. Object ID Attribute 0x40 OI Attr Domain ID oia_domain_id Domain in which object was created. Object ID Attribute 0x40 IDX Attr File Ref # ie_mft_f_rcd MFT record number. Index Entry Attribute 0x90 IDX Attr File Rcd # ie_mft_f_ref MFT record reference number. Derived from the MFT record and sequence number of parent. Index Entry Attribute 0x90 IDX Attr File Seq # ie_mft_f_seq MFT record sequence number. Index Entry Attribute 0x90 IDX Attr Size ie_indx_size Size of Index Attribute. Index Entry Attribute 0x90 IDX Attr Name Off ie_indx_nameofs Offset to filename. Index Entry Attribute 0x90 IDX Attr Idx Flags ie_flags_s Index Entry Attribute Flags Index Entry Attribute 0x90

48 TRIFORCE ANJP USER S GUIDE 48 LogFile Events Report (Continued) IDX Attr P Ref # ie_mft_p_rcd MFT record number of parent. Index Entry Attribute 0x90 IDX Attr P Rcd # ie_mft_p_ref MFT reference number of parent. Derived from the MFT record and sequence number of the parent. Index Entry Attribute 0x90 IDX Attr P Seq # ie_mft_p_seq MFT record sequence number of parent. Index Entry Attribute 0x90 IDX Attr Created Time ie_c_dt Created time. Index Entry Attribute 0x90 IDX Attr Modified Time ie_m_dt Modified time. Index Entry Attribute 0x90 IDX Attr MFT Mod Time ie_mft_m_dt MFT modified time. Index Entry Attribute 0x90 IDX Attr Accessed Time ie_a_dt Accessed time. Index Entry Attribute 0x90 IDX Attr Alloc Size ie_alloc_size Allocated size. Index Entry Attribute 0x90 IDX Attr Real Size ie_real_size Real size. Index Entry Attribute 0x90 IDX Attr Flags ie_flags_s Index Entry Attribute Flags Index Entry Attribute 0x90 IDX Attr Name Len ie_name_length Length of filename within Index Attribute. Index Entry Attribute 0x90 IDX Attr Name Type ie_name_type Name type. Index Entry Attribute 0x90 IDX Attr Name ie_name Filename and enumerated path. Index Entry Attribute 0x90 USN Rcd Off ur_record_offset Offset of record within the USN Journal. USN Journal Entry USN Rcd Trans Count ur_transaction_count Transaction number of record. A new transaction starts after a 'Close' Reason. USN Journal Entry USN Rcd Rcd Len ur_record_length Length of record. USN Journal Entry USN Rcd Major Ver ur_major_ver USN major version. USN Journal Entry USN Rcd Minor Ver ur_minor_ver USN minor version. USN Journal Entry USN Rcd File Rcd # ur_file_rcd_num MFT record number. USN Journal Entry USN Rcd File Seq # ur_file_ref_num MFT record reference number. From the MFT record and sequence number of parent. USN Journal Entry USN Rcd File Ref # ur_file_seq_num MFT record sequence number. USN Journal Entry USN Rcd P Rcd # ur_parent_rcd_num MFT record number of parent. USN Journal Entry USN Rcd P Seq # ur_parent_ref_num MFT reference number of parent. From the MFT record and sequence number of the parent. USN Journal Entry USN Rcd P Ref # ur_parent_seq_num MFT record sequence number of parent. USN Journal Entry USN Rcd Time ur_datetime USN record date amd time. USN Journal Entry USN Rcd Reason ur_reason_s The reason for the change. See USN Reason Codes table for possible values. USN Journal Entry USN Rcd Source Info ur_sourceinfo_s Source information. USN Journal Entry USN Rcd Sec ID ur_sec_id Security ID. USN Journal Entry USN Rcd File Attr ur_file_attribs_s USN File Attributes. USN Journal Entry USN Rcd Name Len ur_name_length Length of filename. USN Journal Entry USN Rcd Name Off ur_name_offset Offset of filename. USN Journal Entry USN Rcd File Name ur_file_name Name of file being changed. USN Journal Entry USN Rcd Type ur_event_type USN JOURNAL ENTRY if usn equals offset, will contain RECOVERED if offset does not match usn. ANJP Parsing

49 TRIFORCE ANJP USER S GUIDE 49 USN Reports USN Record Listing Column Name (GUI) Column Name (DB) Description Source USN Rcd File Name ur_file_name Name of file being changed. USN Journal Entry USN Extra Fullname ure_fullname Filename from USN Extra and enumerated path. ANJP Enumeration USN Rcd File Attr ur_file_attribs_s USN File Attribute Flags USN Journal Entry USN Rcd Reason ur_reason_s The reason for the change. See USN Reason Codes table for possible values. USN Journal Entry USN Rcd File Ref # ur_file_seq_num MFT record sequence number. USN Journal Entry USN Rcd P Ref # ur_parent_seq_num MFT record sequence number of parent. USN Journal Entry USN Rcd USN ur_usn Update Sequence Number. USN Journal Entry USN Rcd Off ur_record_offset Offset of record within the USN Journal. USN Journal Entry USN Rcd Trans Count ur_transaction_count Transaction number of record. A new transaction starts after a 'Close' Reason. USN Journal Entry USN Rcd Rcd Len ur_record_length Length of record. USN Journal Entry USN Rcd File Rcd # ur_file_rcd_num MFT record number. USN Journal Entry USN Rcd File Seq # ur_file_ref_num MFT record reference number. From the MFT record and sequence number of parent. USN Journal Entry USN Rcd P Rcd # ur_parent_rcd_num MFT record number of parent. USN Journal Entry USN Rcd P Seq # ur_parent_ref_num MFT reference number of parent. From the MFT record and sequence number of the parent. USN Journal Entry USN Rcd Time ur_datetime USN record date and time. USN Journal Entry USN Rcd Source Info ur_sourceinfo_s Source information. USN Journal Entry USN Rcd Sec ID ur_sec_id Security ID. USN Journal Entry USN Rcd Type ur_event_type USN JOURNAL ENTRY if usn equals offset, will contain RECOVERED if offset does not match usn. ANJP Parsing

50 TRIFORCE ANJP USER S GUIDE 50 USN Events Column Name (GUI) Column Name (DB) Description Source USN Evt Type usne_type The type of event that found the match: Transaction or Change. ANJP Event Processing USN Evt ID usne_event_id The name (ID) of the event that found the match. From the Event Selection window. ANJP Event Processing USN Evt Hit usne_hit The count number of the hit. Each hit found increments the event signature's counter by one and assigns the count number to the hit. Two hits with the same number are associated. ANJP Event Processing USN Evt Rule File usne_rulesfile The event rules file that the hit's event signature belongs to. ANJP Event Processing USN Rcd File Name ur_file_name Name of file being changed. USN Journal Entry USN Extra Fullname ure_fullname Filename from USN Extra and enumerated path. ANJP Enumeration USN Rcd File Attr ur_file_attribs_s USN File Attribute Flags USN Journal Entry USN Rcd Reason ur_reason_s The reason for the change. See USN Reason Codes table for possible values. USN Journal Entry USN Rcd File Ref # ur_file_seq_num MFT record sequence number. USN Journal Entry USN Rcd P Ref # ur_parent_seq_num MFT record sequence number of parent. USN Journal Entry USN Rcd USN ur_usn Update Sequence Number. USN Journal Entry USN Rcd Off ur_record_offset Offset of record within the USN Journal. USN Journal Entry USN Rcd Trans Count ur_transaction_count Transaction number of record. A new transaction starts after a 'Close' Reason. USN Journal Entry USN Rcd Rcd Len ur_record_length Length of record. USN Journal Entry USN Rcd File Rcd # ur_file_rcd_num MFT record number. USN Journal Entry USN Rcd File Seq # ur_file_ref_num MFT record reference number. From the MFT record and sequence number of parent. USN Journal Entry USN Rcd P Rcd # ur_parent_rcd_num MFT record number of parent. USN Journal Entry USN Rcd P Seq # ur_parent_ref_num MFT reference number of parent. From the MFT record and sequence number of the parent. USN Journal Entry USN Rcd Time ur_datetime USN record date and time. USN Journal Entry USN Rcd Source Info ur_sourceinfo_s Source information. USN Journal Entry USN Rcd Sec ID ur_sec_id Security ID. USN Journal Entry USN Rcd Type ur_event_type USN JOURNAL ENTRY if usn equals offset, will contain RECOVERED if offset does not match usn. ANJP Parsing

51 TRIFORCE ANJP USER S GUIDE 51 Other Reports Log2Timeline Column Name (GUI) Column Name (DB) Description Source L2T date l2t_date Date. ANJP Parsing L2T time l2t_time Time ANJP Parsing L2T macb l2t_macb MACB or legacy meaning of the fields, mostly for compatibility with the mactime format. (Not currently used) ANJP Parsing L2T timezone l2t_timezone Timezone used when parsing ANJP Parsing L2T source l2t_source LogFile, MFT, USN JOURNAL ENTRY ANJP Parsing L2T sourcetype l2t_sourcetype MFT: Blank, LogFile: redo operation undo operation, USN JOURNAL ENTRY Reason code ANJP Parsing L2T type l2t_type The type of timestamp: fna_ctime, fna_mtime, fna_mftmtime, fna_atime, sia_ctime, sia_mtime, sia_mftmtime, sia_atime, ie_c_dt, ie_m_dt, ie_mft_m_dt, ie_a_dt, ur_datetime ANJP Parsing L2T username l2t_username username associated with the entry, if one is available (Not used) ANJP Parsing L2T host l2t_host Host file where the record comes from. ANJP Parsing L2T short l2t_short Information about the record ANJP Parsing L2T description l2t_desc Contents of the record. ANJP Parsing L2T version l2t_version Log2Timeline Version ANJP Parsing L2T File Name l2t_filename Full filename. ANJP Parsing L2T Inode l2t_inode Entry number the record belongs to. ANJP Parsing L2T notes l2t_notes Information about the operation if available ANJP Parsing L2T Format l2t_format ANJP and version. ANJP Parsing L2T Extra l2t_extra Extra information. ANJP Parsing Events Summary Column Name (GUI) Column Name (DB) Description Source Evt Summary Type es_event_type The event signature's classification or to which NTFS file it applies to: MFT, LogFile, or USN. ANJP Event Processing Evt Summary Base es_event_base The type of signature or method used to search for hits: Transaction, Change, or File List. ANJP Event Processing Evt Summary ID es_event_id Event signature's name or ID. ANJP Event Processing Evt Summary Hits es_event_hits Total number of hits found by the event signature. ANJP Event Processing Evt Summary File es_file The file that contains the event signature. ANJP Event Processing

52 [This page intentionally left blank.]