File System Activity

Beyond proving that a program was executed, a thorough forensic investigation must answer a second fundamental question: What is the story of the files involved? This chapter transitions from execution artifacts to the records left within the file system itself. These artifacts reveal the complete lifecycle of a file—from its creation and modification to its eventual deletion—and are the key to uncovering attempts to conceal, alter, or destroy evidence.

We will explore the core components of the NTFS file system, which acts as its own meticulous record-keeper. Artifacts like the Master File Table ($MFT), the USN Journal ($UsnJrnl), and the $LogFile provide an unparalleled, low-level view of every transaction that occurs on a disk. They are the ultimate source of truth for file system events and are highly resistant to tampering.

This chapter will cover:

  • The foundational databases of NTFS, such as the $MFT, which catalogs every file, and Index Attributes ($INDX), which organize directory contents.

  • The chronological logs, like the USN Journal, that track every change, providing definitive proof of file creation, deletion, and renaming.

  • Specialized logs like the $LogFile, which can reveal evidence of advanced anti-forensic techniques such as timestomping.

  • System features that preserve historical data, including the Recycle Bin for standard deletions and Volume Shadow Copies (VSS), which act as "time capsules" for the entire file system.

  • Hidden data structures like Alternate Data Streams (ADS), which can be abused to conceal malicious payloads within seemingly benign files.
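As an added example (not part of this chapter), the $MFT and timestomping points above in code: a minimal parser for the resident $STANDARD_INFORMATION and $FILE_NAME attributes of one MFT record, followed by the two comparisons an examiner makes to spot a backdated $SI. The 1024-byte record is constructed inside the block rather than read from a disk, and the parser assumes the update sequence fixups have already been applied.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch; one tick = 100 ns
def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt, ticks=0):
    """Inverse, in integer math (floats lose the low bits); 'ticks' adds the sub-microsecond 100 ns part."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10 + ticks

def parse_record(rec):
    """Walk one MFT record's resident attributes; assumes update-sequence fixups are already applied."""
    off, out = struct.unpack_from("<H", rec, 0x14)[0], {}            # offset of the first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:                                        # end-of-attributes marker
            return out
        body = off + struct.unpack_from("<H", rec, off + 0x14)[0]    # resident content offset
        if atype == 0x10:     # $STANDARD_INFORMATION: created, modified, MFT-modified, accessed
            out["si"] = struct.unpack_from("<4Q", rec, body)
        elif atype == 0x30:   # $FILE_NAME: parent ref, the same four FILETIMEs, name length at +64, name at +66
            out["fn"] = struct.unpack_from("<4Q", rec, body + 8)
            out["name"] = rec[body + 66:body + 66 + 2 * rec[body + 64]].decode("utf-16-le")
        off += alen

def timestomp_indicators(rec):
    """$SI is settable from user mode (SetFileTime); $FN is kernel-maintained, so disagreement is the tell."""
    si, fn, hits = rec["si"], rec["fn"], []
    if si[0] < fn[0]:   # also true of files moved/renamed after creation: corroborate with $UsnJrnl and $LogFile
        hits.append("SI creation predates FN creation")
    if any(t % 10_000_000 == 0 for t in si):   # whole-second values are what second-granularity tools write
        hits.append("SI timestamp has zero sub-second part")
    return hits

def resident_attr(atype, content, aid):
    """24-byte resident attribute header followed by its (8-byte-aligned) content."""
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(content), 0, 0, 0, 0, aid, len(content), 24, 0, 0) + content

def build_sample_record():
    """Constructed 1024-byte MFT record (not from a real disk) whose $SI times were backdated to 2019."""
    si_t = [dt_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))] * 4
    fn_t = [dt_to_filetime(datetime(2023, 6, 15, 12, 34, 56, tzinfo=timezone.utc), ticks=7890123)] * 4
    name = "payload.dll".encode("utf-16-le")
    si = resident_attr(0x10, struct.pack("<4QI12x", *si_t, 0x20), 0)   # 48-byte $SI body, FILE_ATTRIBUTE_ARCHIVE
    fn = resident_attr(0x30, struct.pack("<Q4QQQIIBB", 5, *fn_t, 0, 0, 0x20, 0, len(name) // 2, 3) + name, 1)
    body = si + fn + struct.pack("<I", 0xFFFFFFFF)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 56 + len(body), 1024, 0, 2, 0, 100)
    return (hdr + struct.pack("<HHH", 1, 0, 0) + b"\0\0" + body).ljust(1024, b"\0")
```

Run `timestomp_indicators(parse_record(build_sample_record()))` to see both indicators fire on the constructed record; on a real image, feed it records carved from $MFT after applying fixups.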

Mastering the analysis of these artifacts is what elevates a screenshare from a simple search for suspicious files to a true forensic examination. It is in these records that the most sophisticated bypass attempts—such as file replacement, timestomping, and evidence clearing—are definitively exposed.
