journal location

Does anyone happen to know where the journal is located on the xp x64's
ntfs filesystem? I can't find anything the says. I have a ntfs forensics pdf
too. Does it vary? I would like to zero it out after getting rid of soe
things I might not want to recover.

Bill

Bill Cunningham wrote:
Does anyone happen to know where the journal is located on the xp x64's
ntfs filesystem? I can't find anything the says. I have a ntfs forensics pdf
too. Does it vary? I would like to zero it out after getting rid of soe
things I might not want to recover.

Bill



https://en.wikipedia.org/wiki/Ntfs

uses the NTFS Log ($LogFile) to record metadata changes to the volume.
allow easy rollback of uncommitted changes to these critical data
structures when the volume is remounted.

The USN Journal (Update Sequence Number Journal) is a system management
feature that records (in $Extend$UsnJrnl) changes to files, streams and
directories on the volume

The $LogFile and $Extend$UsnJrnl should be list-able with the nfi.exe
utility. It will tell you what sectors store the two files.

The first file is for rollback.

The second file, things like search programs can get information
on what files were added to a volume, to keep their file list
up-to-date. I don't know if that second file is used for
rollback or not. Maybe it is.

Paul

Bill Cunningham wrote:

Does anyone happen to know where the journal is located on the xp
x64's ntfs filesystem? I can't find anything the says. I have a ntfs
forensics pdf too. Does it vary? I would like to zero it out after
getting rid of soe things I might not want to recover.

Look into how to use the 'fsutil' command. That's where I usually start
regarding how to disable/enable journaling. I think what you want to
look at is "fsutil usn deletejournal ...". As with anything dealing
with the file system, be careful what you do. Practice on a test host,
not your critical host.

"Paul" wrote in message
...
Bill Cunningham wrote:
Does anyone happen to know where the journal is located on the xp
x64's ntfs filesystem? I can't find anything the says. I have a ntfs
forensics pdf too. Does it vary? I would like to zero it out after
getting rid of soe things I might not want to recover.

Bill



https://en.wikipedia.org/wiki/Ntfs

uses the NTFS Log ($LogFile) to record metadata changes to the volume.
allow easy rollback of uncommitted changes to these critical data
structures when the volume is remounted.

The USN Journal (Update Sequence Number Journal) is a system management
feature that records (in $Extend$UsnJrnl) changes to files, streams and
directories on the volume

The $LogFile and $Extend$UsnJrnl should be list-able with the nfi.exe
utility. It will tell you what sectors store the two files.

The first file is for rollback.

The second file, things like search programs can get information
on what files were added to a volume, to keep their file list
up-to-date. I don't know if that second file is used for
rollback or not. Maybe it is.

Paul

Thanks much Paul. Just what I need.

"VanguardLH" wrote in message
...
Bill Cunningham wrote:

Does anyone happen to know where the journal is located on the xp
x64's ntfs filesystem? I can't find anything the says. I have a ntfs
forensics pdf too. Does it vary? I would like to zero it out after
getting rid of soe things I might not want to recover.

Look into how to use the 'fsutil' command. That's where I usually start
regarding how to disable/enable journaling. I think what you want to
look at is "fsutil usn deletejournal ...". As with anything dealing
with the file system, be careful what you do. Practice on a test host,
not your critical host.

The main reason I use ntfs on a 200GB HD is because of the encyption. I
don't know how good it is. Entropy wise and such or how and where the system
gets its' entropy. But it seems easier to keep up fragmentation wise too.
But fat32 is not bad in defragging on a system this size. As I am sure all
know the old fats are my favorite. So I'll stop there. Btw is this resilent
file system out? Where did or when will it make its' debut.

Bill

"Paul" wrote in message
...
Bill Cunningham wrote:
Does anyone happen to know where the journal is located on the xp
x64's ntfs filesystem? I can't find anything the says. I have a ntfs
forensics pdf too. Does it vary? I would like to zero it out after
getting rid of soe things I might not want to recover.

Bill



https://en.wikipedia.org/wiki/Ntfs

uses the NTFS Log ($LogFile) to record metadata changes to the volume.
allow easy rollback of uncommitted changes to these critical data
structures when the volume is remounted.

The USN Journal (Update Sequence Number Journal) is a system management
feature that records (in $Extend$UsnJrnl) changes to files, streams and
directories on the volume

The $LogFile and $Extend$UsnJrnl should be list-able with the nfi.exe
utility. It will tell you what sectors store the two files.

The first file is for rollback.

The second file, things like search programs can get information
on what files were added to a volume, to keep their file list
up-to-date. I don't know if that second file is used for
rollback or not. Maybe it is.

I'm not exacly sure what you mean by "rollback". Are you meaning the XP
restore functionality? So details of every file is stored in this part of
the filesystem? And it's more than maetadata but specifics?

Bill

Bill Cunningham wrote:
"Paul" wrote in message
...
Bill Cunningham wrote:
Does anyone happen to know where the journal is located on the xp
x64's ntfs filesystem? I can't find anything the says. I have a ntfs
forensics pdf too. Does it vary? I would like to zero it out after
getting rid of soe things I might not want to recover.

Bill


https://en.wikipedia.org/wiki/Ntfs

uses the NTFS Log ($LogFile) to record metadata changes to the volume.
allow easy rollback of uncommitted changes to these critical data
structures when the volume is remounted.

The USN Journal (Update Sequence Number Journal) is a system management
feature that records (in $Extend$UsnJrnl) changes to files, streams and
directories on the volume

The $LogFile and $Extend$UsnJrnl should be list-able with the nfi.exe
utility. It will tell you what sectors store the two files.

The first file is for rollback.

The second file, things like search programs can get information
on what files were added to a volume, to keep their file list
up-to-date. I don't know if that second file is used for
rollback or not. Maybe it is.

I'm not exacly sure what you mean by "rollback". Are you meaning the XP
restore functionality? So details of every file is stored in this part of
the filesystem? And it's more than maetadata but specifics?

Bill

It's file system metadata, such as the names of files added or removed.
It would help with repairing the file system, if the dirty bit was
set for example. As it would indicate what files were supposed to be
committed or removed or whatever. It doesn't have the file contents
in it. If it did, that would cut your I/O rate in half (writing the
same stuff in two places).

I don't know how that stuff works, only at the barest
conceptual level.

Paul