Triforce ANJP NTFS Journal Parser

$599.00

Triforce ANJP allows examiners to view file system activity stored within the system journals of an NTFS volume. Take a time-machine into the past to reveal the states of files and folders, including their location, size, name and more at specific points in the past. Zero in on historical file system activity such as file and folder creations, deletions, renames, moves, and much more using our event signatures. Retrieve file metadata that was lost due to overwriting or the use of anti-forensics techniques.

SKU: 0001 Category:

Description

Take a journey into the historical structure of the file system. TriForce ANJP provides a unique way of linking information stored in the MFT, LogFile, and USN, in an easy to use and powerful interface. View not only the current state of the file system structure, but also historical changes that have been logged in the LogFile and USN, giving additional insight into previous locations and names of files and folders.

Zero in on specific types of historical file changes with TriForce ANJP Event Signatures. The LogFile, and USN can contain copious amounts of information. Manually sorting through hundreds of thousands of parsed records, and more importantly, understanding what the records mean could be resource intensive. ANJP does the work for you by searching for event signatures to reveal various kinds of file system activity such as file and folder creations, deletions, renames, moves, cd burns, LNK and prefetch deletions, ADS creations, virus infections, and much more.

Track past changes that relate to a specific file. TriForce ANJP parses and links information allowing an examiner to track multiple changes that occurred to a specific file. For example, by filtering for a file’s MTF reference number in an ANJP events report, you can track changes that occurred to the file such as, its creation, renaming, moving (within the same partition), deletion, and more.

For the first time the ambiguity of spoliation can be removed.

Export report data to increase analyzing capabilities. ANJP provides options for exporting entire reports, filtered reports, or only selected data to .XLSX, .TXT file. Connect to an ElasticSearch node if available for additional analysis.

This is a powerful new tool in the examiner’s toolkit.

Features

  • Recover historical metadata and full paths of files and folders throughout the LogFile and USN Journal
  • View timestamp anomalies in the LogFile where timestamps are set back or zeroed out
  • View timestamp anomalies in the MFT where timestamps are zeroed out or a Standard Information Attribute timestamp is less than that from the File Name Attribute timestamp
  • Quickly identify items of interest with the use of MFT, LogFile, and USN signatures
  • Create your own custom MFT file lists to search for matching filenames or full paths of entries parsed from the MFT
  • Review records in various ANJP Report Views
  • Create and apply custom filters to ANJP Report Views
  • Export reports to XLSX or TXT
  • Send a report directly to ElasticSearch