@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

NTFS USN Journal and ObjectID

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

Enable USN Journal on sample NTFS volumes and Copy Example.jpg to the Pictures folder.


Check the status of ObjectID, ObjectID is not set.


Using USN Analytics, parse $J and check the USN journal record.


Open the Example.jpg file from the Photos application.


The ObjectID is set by the operation that opened the file (the same operation creates an LNK file in the Recent folder).


You can confirm that USN_REASON_OBJECT_ID_CHANGE is recorded in the USN Journal.


Delete the ObjectID.


The USN Journal records USN_REASON_OBJECT_ID_CHANGE, but I cannot tell from it that the ObjectID was deleted.


USN Analytics will output records containing ObjectID to usn_analytics_opened.csv.

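As an added illustration (not code from this post or from USN Analytics), the following Python decodes a constructed USN_RECORD_V2 sequence the way a $J parser would and pulls out the records flagged USN_REASON_OBJECT_ID_CHANGE. Both ObjectID records carry the identical reason value, which is why setting and deleting the ObjectID cannot be told apart from the journal alone. The record layout and flag values follow the Microsoft USN_RECORD_V2 documentation; the sample bytes, file reference numbers and timestamp are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
# Subset of USN reason flags from winioctl.h (full list in the Microsoft docs).
USN_REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
               0x200: "FILE_DELETE", 0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE",
               0x80000: "OBJECT_ID_CHANGE", 0x80000000: "CLOSE"}
USN_REASON_OBJECT_ID_CHANGE = 0x00080000
HEADER = "<IHHQQqqIIIIHH"  # USN_RECORD_V2 fixed part: 60 bytes, little-endian (V2 assumed)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_usn_record_v2(buf, offset=0):
    """Decode one USN_RECORD_V2 at `offset`; return (record dict, offset of next record)."""
    (length, _maj, _min, frn, _parent, usn, ts, reason, _src, _sid,
     _attrs, name_len, name_off) = struct.unpack_from(HEADER, buf, offset)
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    flags = [n for bit, n in sorted(USN_REASONS.items()) if reason & bit]
    rec = {"usn": usn, "time": EPOCH_1601 + timedelta(microseconds=ts // 10),
           "frn": frn & 0xFFFFFFFFFFFF, "name": name, "reason": reason, "flags": flags}
    return rec, offset + length

def iter_usn_records(buf):
    """Walk a $J extract record by record, skipping zero-filled (sparse) regions."""
    off = 0
    while off + 60 <= len(buf):
        if buf[off:off + 4] == b"\x00\x00\x00\x00":  # RecordLength 0: sparse fill
            off += 8
            continue
        rec, off = parse_usn_record_v2(buf, off)
        yield rec

def objectid_change_records(buf):
    """Records carrying OBJECT_ID_CHANGE. The flag alone does not say whether $OBJECT_ID was
    set or deleted; neighbouring records (e.g. the LNK write in Recent) must be checked too."""
    return [r for r in iter_usn_records(buf) if r["reason"] & USN_REASON_OBJECT_ID_CHANGE]

def build_record(usn, reason, name, frn=0x1000000000041, ft=131791104000000000):
    """Constructed USN_RECORD_V2 bytes (sample data; FILETIME is 2018-08-19 00:00 UTC)."""
    enc = name.encode("utf-16-le")
    length = (60 + len(enc) + 7) & ~7  # records are 8-byte aligned
    hdr = struct.pack(HEADER, length, 2, 0, frn, 0x1000000000005, usn, ft, reason, 0, 0, 0x20, len(enc), 60)
    return hdr + enc + b"\x00" * (length - 60 - len(enc))

# Constructed $J fragment following the walkthrough: copy in, open from Photos, delete ObjectID.
SAMPLE_J = b"".join([
    build_record(8192, 0x00000100, "Example.jpg"),  # FILE_CREATE
    build_record(8280, 0x80000103, "Example.jpg"),  # DATA_OVERWRITE|DATA_EXTEND|FILE_CREATE|CLOSE
    build_record(8368, 0x00080000, "Example.jpg"),  # OBJECT_ID_CHANGE: ObjectID set on open
    build_record(8456, 0x00080000, "Example.jpg"),  # OBJECT_ID_CHANGE: ObjectID deleted, same flag
])
```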

<2018/8/26 added>

These explain the case where an ObjectID is set even though the file was not opened.

This video is very helpful.

www.hecfblog.com


</add>

By the way,
the author (@4n6ist) of USN Analytics is an #OSDFcon speaker.
I am looking forward to his new presentation!!

www.osdfcon.org

Reference URLs:

https://www.jpcert.or.jp/present/2018/JSAC2018_03_yamazaki.pdf

docs.microsoft.com