In Windows, what is the USN Change Journal and what is it used for in forensics?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

In Windows, what is the USN Change Journal and what is it used for in forensics?

Explanation:
The USN Change Journal is an NTFS feature that records changes to files and directories, capturing events like creations, deletions, renames, and metadata or content updates. In forensics, this journal provides a chronological record of what happened on a volume, allowing investigators to reconstruct a timeline of file activity, identify when specific files were created, moved, modified, or removed, and correlate those events with other evidence. It’s read by forensic tools to build a sequence of actions on the filesystem, even if the actual files have since changed or been deleted. It isn’t a log of network connections, it doesn’t store user passwords, and it doesn’t manage registry hives, so those options don’t describe its purpose.