Article ID: 456244 | Journal: Digital Investigation | Published Year: 2013 | Pages: 11 | File Type: PDF
Abstract

Programs which remove forensic artefacts can be a hindrance to forensic investigators, and proving that they were used can be difficult, as can proving the use of the "private browsing" modes available in many Internet browsers. In this paper we examine the ways in which the Update Sequence Number (USN) journal file can be used to show signs that such software or modes of operation have been used. When NTFS change journalling is enabled, the USN journal provides a list of transactions relating to files on the volume, including every file creation, rename and deletion. By examining this journal after the use of common programs designed to remove artefacts or to prevent artefacts from being created, we can see that there are patterns within the journal which can be used to detect such activity. Specifically, references to the creation of, or access to, prefetch files for the Internet Explorer browser, together with large numbers of deletions, are consistent with InPrivate browsing having been used. The use of the CCleaner software also creates distinctive patterns within the USN journal.
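The detection described in the abstract can be reproduced on a raw copy of the journal's $J data stream. The following is an added example, not code from the paper: it parses USN_RECORD_V2 structures (the layout defined in winioctl.h), converts FILETIME timestamps, and applies two simple heuristics over the result: records that create or write an IEXPLORE.EXE-*.pf prefetch file, and windows in which many distinct files are deleted within a few seconds. The journal contents, the prefetch file's hash suffix and the 5-second / 20-file thresholds are constructed for illustration; a real investigation would tune the thresholds against the volume being examined and correlate the hits with the files' parent directories.

```python
"""Parse USN_RECORD_V2 entries from an NTFS $UsnJrnl:$J buffer and flag the two
patterns described in the abstract. Example code, not the paper's own tooling."""
import struct
from datetime import datetime, timedelta, timezone

# Reason flags as defined in winioctl.h
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V2_HEADER_LEN = 60  # fixed part of USN_RECORD_V2; FileName starts at FileNameOffset


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_usn_v2(buf):
    """Walk a $J buffer and return one dict per USN_RECORD_V2 found in it."""
    records, off = [], 0
    while off + V2_HEADER_LEN <= len(buf):
        length, major, minor = struct.unpack_from("<IHH", buf, off)
        if length == 0:  # zero fill (sparse region); step to the next 8-byte boundary
            off += 8
            continue
        if major != 2 or length < V2_HEADER_LEN or off + length > len(buf):
            raise ValueError("unsupported or corrupt record at offset %d" % off)
        (frn, parent_frn, usn, ts, reason, source_info, sec_id, attrs,
         name_len, name_off) = struct.unpack_from("<QQqqIIIIHH", buf, off + 8)
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "frn": frn, "parent_frn": parent_frn,
                        "timestamp": filetime_to_datetime(ts), "reason": reason,
                        "attributes": attrs, "name": name})
        off += length
    return records


def build_usn_v2(usn, when, reason, name, frn, parent_frn=5, attrs=0x20):
    """Serialise one USN_RECORD_V2; used only to construct the sample journal below."""
    name_bytes = name.encode("utf-16-le")
    length = (V2_HEADER_LEN + len(name_bytes) + 7) & ~7  # records are 8-byte aligned
    header = struct.pack("<IHHQQqqIIIIHH", length, 2, 0, frn, parent_frn, usn,
                         datetime_to_filetime(when), reason, 0, 0, attrs,
                         len(name_bytes), V2_HEADER_LEN)
    return header + name_bytes + b"\x00" * (length - V2_HEADER_LEN - len(name_bytes))


def sample_journal():
    """Constructed $J contents: a benign edit, an IE prefetch creation, then 25
    cache-file deletions inside two seconds. Names and hash suffix are made up."""
    t0 = datetime(2013, 3, 4, 10, 0, 0, tzinfo=timezone.utc)
    recs = [
        build_usn_v2(1000, t0, USN_REASON_FILE_CREATE, "notes.txt", frn=0x1000000000042),
        build_usn_v2(1001, t0 + timedelta(seconds=1),
                     USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "notes.txt", frn=0x1000000000042),
        build_usn_v2(1002, t0 + timedelta(seconds=30), USN_REASON_FILE_CREATE,
                     "IEXPLORE.EXE-ABCD1234.pf", frn=0x1000000000100, parent_frn=0x1000000000020),
    ]
    for i in range(25):
        recs.append(build_usn_v2(1003 + i, t0 + timedelta(seconds=90, milliseconds=80 * i),
                                 USN_REASON_FILE_DELETE | USN_REASON_CLOSE,
                                 "cache%03d[1].js" % i, frn=0x1000000001000 + i))
    return b"".join(recs)


def find_ie_prefetch_activity(records):
    """Records that create or write an Internet Explorer prefetch file (IEXPLORE.EXE-<hash>.pf)."""
    mask = USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND
    return [r for r in records
            if r["name"].upper().startswith("IEXPLORE.EXE-")
            and r["name"].upper().endswith(".PF") and r["reason"] & mask]


def find_deletion_bursts(records, window_seconds=5.0, threshold=20):
    """(start, end, count) for each window in which at least `threshold` distinct
    files were deleted within `window_seconds`. A deletion can produce more than
    one record for the same file, so each file reference number is counted once."""
    first_delete = {}
    for r in records:
        if r["reason"] & USN_REASON_FILE_DELETE and r["frn"] not in first_delete:
            first_delete[r["frn"]] = r["timestamp"]
    times = sorted(first_delete.values())
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], times[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    recs = parse_usn_v2(sample_journal())
    for hit in find_ie_prefetch_activity(recs):
        print("IE prefetch activity:", hit["timestamp"], hit["name"])
    for start, end, n in find_deletion_bursts(recs):
        print("deletion burst: %d files between %s and %s" % (n, start, end))
```

To run it against an extracted journal, replace `sample_journal()` with the bytes of `$Extend\$UsnJrnl:$J` as carved from an image; on a live system the stream is sparse, so a zero-filled leading region is expected and is skipped by the `length == 0` branch. Only version 2 records are handled; a volume with version 3 or 4 records (128-bit file reference numbers) needs a different header layout.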
