MFT, USN Journal, $LogFile

A place to discuss data and privacy protection, file and disk wipe, computer cleaning, and removing traces of user activity with R-Wipe & Clean.
Discussion on the R-Wipe & Clean and R-Crypto software
rwiper


Post by rwiper » Fri Oct 25, 2019 4:57 am

R-TT Team, Please Do

Traces in MFT

Traces in USN Journal

Traces in $LogFile

Image

rwiper

_OnDiskSnapshotProp files

Post by rwiper » Sun Oct 27, 2019 5:15 pm

{GUID}_OnDiskSnapshotProp files, in the \System Volume Information\SPP\OnlineMetadataCache are another file type that can provide information about shadow copies. You have pointed these out on your blog this past week. The GUID portion of the file name will match the GUID of the shadow copy set ID that you see when you run VSSadmin.exe. The file created date of the {GUID}_OnDiskSnapshotProp file will closely, but not exactly, match the date of the corresponding shadow copy. As shown below, examining the internals of a {GUID}_OnDiskSnapshotProp file will indicate the date and time of a shadow copy within a few seconds to a minute, as well as the reason the shadow copy was created.

Image


C:\System Volume Information\
-Syscache.hve
-Syscache.hve.LOG1
-Syscache.hve.LOG2
-tracking.log
-MountPointManagerRemoteDatabase

C:\System Volume Information\SPP\OnlineMetadataCache
*._OnDiskSnapshotProp


MORE INFO
https://www.hecfblog.com/2014/06/daily- ... inner.html
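
The correlation described in the post above, as an added example that is not part of the original thread and is not R-TT code: it matches {GUID}_OnDiskSnapshotProp file names against the shadow copy set IDs in `vssadmin list shadows` output and reports how far each file's created time is from the shadow copy's creation time. The sample output, GUIDs and timestamps are constructed; US-locale vssadmin dates and a common time zone for both inputs are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: text in the layout printed by `vssadmin list shadows`.
# GUIDs and times are made up; US-locale dates are an assumption.
VSSADMIN_OUTPUT = r"""
Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 10/25/2019 4:57:12 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
"""

# Constructed sample: (file name, file created time) pairs from a listing of
# \System Volume Information\SPP\OnlineMetadataCache, assumed to be already
# converted to the same time zone that vssadmin printed.
CACHE_LISTING = [
    ("{11111111-2222-3333-4444-555555555555}_OnDiskSnapshotProp", "2019-10-25 04:57:40"),
    ("{99999999-8888-7777-6666-555555555555}_OnDiskSnapshotProp", "2019-10-20 09:00:03"),
]

GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
SET_RE = re.compile(
    r"shadow copy set ID:\s*(" + GUID + r")\s*\n\s*Contained \d+ shadow copies "
    r"at creation time:\s*(.+)")
FILE_RE = re.compile(r"^(" + GUID + r")_OnDiskSnapshotProp$")

def parse_shadow_sets(text):
    """Map lower-cased shadow copy set ID -> creation time from vssadmin text."""
    sets = {}
    for guid, stamp in SET_RE.findall(text):
        sets[guid.lower()] = datetime.strptime(stamp.strip(), "%m/%d/%Y %I:%M:%S %p")
    return sets

def correlate(listing, vss_text):
    """For each cache file, return (set GUID, seconds between the file created
    time and the shadow copy creation time), or None when no set ID matches."""
    sets = parse_shadow_sets(vss_text)
    rows = []
    for name, created in listing:
        m = FILE_RE.match(name)
        if not m:
            continue  # not a {GUID}_OnDiskSnapshotProp file
        guid = m.group(1).lower()
        ctime = datetime.strptime(created, "%Y-%m-%d %H:%M:%S")
        delta = (ctime - sets[guid]).total_seconds() if guid in sets else None
        rows.append((guid, delta))
    return rows

if __name__ == "__main__":
    for guid, delta in correlate(CACHE_LISTING, VSSADMIN_OUTPUT):
        print(guid, "no matching set ID" if delta is None else f"{delta:+.0f}s")
```

A file with no matching set ID only means that set is absent from the vssadmin output that was parsed.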

Alt
Site Moderator
Posts: 2510
Joined: Tue Nov 11, 2008 2:13 pm

Re: MFT, USN Journal, $LogFile

Post by Alt » Mon Oct 28, 2019 12:35 pm

Thank you for your suggestions. I've passed them to our developers.
