Timestamp and USN_REASON_BASIC_INFO_CHANGE
Note: I translated the Japanese into English using Google Translate.
Thank you, Google.
My question is: can I detect timestamp changes using the USN Journal?
Let's try it.
Enable the USN Journal on volume E:.
Copy the sample JPEG file to the E: drive using Explorer.
Use Autopsy to check the timestamps in $SIA and $FN.
The record containing "Basic info change" appeared twice.
Use PowerShell to change the LastWriteTime timestamp.
In the figure below, it is easy to confirm that a "Basic info change" record was written. Unfortunately, I cannot tell from that record that it was the timestamp value that changed.
What happens when I extract a ZIP file? I created a compressed file using 7-Zip and extracted it from Explorer.
A record of "Data extend | File create | Close" is recorded, followed by a record of "Basic info change".
Next, extract the ZIP file using 7-Zip itself and check the timestamps.
In the case of 7-Zip, I confirmed the same output as when copying files in Explorer.
Move the sample JPEG file from the C: drive to the E: drive and check the timestamps.
An ObjectID was present, which was different from what I expected.
Try again with a file that does not have an ObjectID.
I forgot to check the pattern for creating a new file.
When a new file is created, "Basic info change" is not recorded.
Open the file with Notepad.exe and update the content.
I updated the file, but "Basic info change" was not recorded.
I need to test more patterns.
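As an added example (not code from the post), a small parser for USN_RECORD_V2 entries that decodes the reason bitmask and picks out the records carrying USN_REASON_BASIC_INFO_CHANGE. The record layout and flag values are the documented ones from winioctl.h; the journal bytes, file name, USNs and times are constructed inline to mirror the Explorer-copy pattern and the PowerShell timestamp edit observed above.

```python
import struct
from datetime import datetime, timedelta, timezone

REASONS = {  # subset of the USN_REASON_* flags from winioctl.h (those seen in the post)
    0x00000002: "Data extend",
    0x00000100: "File create",
    0x00008000: "Basic info change",
    0x80000000: "Close",
}
USN_REASON_BASIC_INFO_CHANGE = 0x00008000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100 ns ticks from here
HDR, HDR_LEN = "<IHHQQqqIIIIHH", 60  # USN_RECORD_V2 fixed header, little-endian
def parse_usn_v2(buf):
    """Yield (usn, timestamp, reason, filename) for each USN_RECORD_V2 in buf."""
    off = 0
    while off + HDR_LEN <= len(buf):
        (rec_len, _maj, _min, _frn, _parent, usn, ft, reason, _src, _sid,
         _attrs, name_len, name_off) = struct.unpack_from(HDR, buf, off)
        if rec_len == 0:  # $UsnJrnl:$J is zero-padded between/after records
            break
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield usn, FILETIME_EPOCH + timedelta(microseconds=ft // 10), reason, name
        off += rec_len
def reason_string(reason):
    """Render the bitmask the way Autopsy shows it, e.g. 'Data extend | File create | Close'."""
    labels = [label for flag, label in REASONS.items() if reason & flag]
    return " | ".join(labels) if labels else hex(reason)
def basic_info_changes(buf):
    """(usn, filename) of records flagged BASIC_INFO_CHANGE; the flag never says which timestamp changed or to what."""
    return [(usn, name) for usn, _ts, reason, name in parse_usn_v2(buf)
            if reason & USN_REASON_BASIC_INFO_CHANGE]
def build_record(usn, when, reason, name):
    """Constructed USN_RECORD_V2 for test data; FRN, parent FRN and attributes are dummies."""
    nameb = name.encode("utf-16-le")
    rec_len = (HDR_LEN + len(nameb) + 7) & ~7  # records are 8-byte aligned
    td = when - FILETIME_EPOCH
    ft = (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10
    hdr = struct.pack(HDR, rec_len, 2, 0, 0x1000000000ABC, 0x5000000000005, usn, ft,
                      reason, 0, 0, 0x20, len(nameb), HDR_LEN)
    return (hdr + nameb).ljust(rec_len, b"\0")

# Constructed journal: the Explorer-copy pattern from the post, then a later
# PowerShell LastWriteTime edit; by reason flags alone the last two records look the same.
T0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
T1 = T0 + timedelta(hours=1)
SAMPLE_JOURNAL = b"".join([
    build_record(4096, T0, 0x80000102, "sample.jpg"),  # Data extend | File create | Close
    build_record(4176, T0, 0x00008000, "sample.jpg"),  # Basic info change
    build_record(4256, T0, 0x80008000, "sample.jpg"),  # Basic info change | Close
    build_record(4336, T1, 0x80008000, "sample.jpg"),  # the timestamp edit, an hour later
])
```

Run against a real `$UsnJrnl:$J` extract, `basic_info_changes` lists the candidates, but confirming that a timestamp was edited still needs the $SIA/$FN comparison the post does with Autopsy.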
Verification environment: Windows 10 1083
Reference URLs:
https://www.jpcert.or.jp/present/2018/JSAC2018_03_yamazaki.pdf
GitHub - jschicht/SetMace: Manipulate timestamps on NTFS