[SOLVED] Windows 10 Journaling

Jan 13, 2022
I want to know about Windows 10 journaling.

Where does this "journal" take place?

For example, if I have C, D, E partitions, is the journal saved in C (system) only, OR does every partition have its own journal?

And how do I clear these journal records? All I know is we can delete the USN journal with fsutil. But how about MFT and others?

OR is MFT included in USN?

Need explanation about it. Thank you.
 
While I'm not a journaling expert, it is a function of NTFS.
As such, each NTFS partition would have its own journal (a log of file changes)

Why are you interested in clearing this log?
I'm learning about VeraCrypt encryption. In the documentation, they said journals can leak metadata of files stored inside encryption. The solution is to encrypt the full disk or use a non-journaling partition like FAT.

And I'm trying to find another way, like clearing the journal when needed.
 
fsutil would seem to be the only way. And that would be the whole journal, not individuals.
So, it includes MFT and others?
What is your threat model where someone would be interested in knowing the changes of files within your encrypted volume?
Don't have threat models. It's just my technical curiosity.

And I'm confused about metadata journaling and the VeraCrypt container. Example: I change "test.docx" INSIDE the container. What data is recorded in the journal?

1. It records that "test.docx" has changed (the file name literally appears/is recorded in the journal)

OR

2. It only records that there's a change in the "CONTAINER", without knowing the name of the file that changed inside (test.docx)
 
As far as I know about VeraCrypt, if you store a file-hosted VeraCrypt container in a journaling file system (like NTFS), a copy of the VeraCrypt container (or copy of parts of it) may remain in the free space on the host volume.

So if you're concerned about possible leaks and security implications of this you should not store file-hosted VeraCrypt containers in journaling file systems. To prevent these leaks or possible security breaches you have to either:

1- Use a partition/device-hosted VeraCrypt volume instead of file-hosted. That is use VeraCrypt to encrypt a physical partition or whole drive.

2- If you want to go the file-hosted container encryption route, you should store the container in a non-journaling file system (like FAT32).
 
Yes, I already read that documentation... But I'm curious, can deleting the USN journal be a solution for this leak issue?

And about the second point, placing the container inside a non-journaling partition: can I use an exFAT partition with Windows 10? Like:

C: NTFS
D: NTFS
E: ExFat <<== I will keep container here

Because I heard that exFAT has an issue, it can corrupt data inside it.
 
It's not a "leak issue", unless someone is actively targeting your system, for whatever data you have in it.
And with direct hands on access.

It doesn't just randomly send out info to the interwebs.
 

I wouldn't worry about that "leak" unless I am a target of active surveillance/espionage or I'm worried about Plausible Deniability being in effect. I'm not a target and not concerned about PD either so there's nothing to worry about. It's not like the journal dials home to talk to relatives and randomly drops hints about the metadata.

Yes, deleting journals would remove the records but again, there is no "leak" to begin with.

You can format a partition/volume as exFAT and use it in Windows 10 (using DiskPart or 3rd party tools) but although it's what you're looking for, lacking journaling makes a file system more vulnerable to data corruption and those logs (journals) make fixing data corruptions easier.
 
I wouldn't worry about that "leak" unless I am a target of active surveillance/espionage or I'm worried about Plausible Deniability being in effect. I'm not a target and not concerned about PD either so there's nothing to worry about. It's not like the journal dials home to talk to relatives and randomly drops hints about the metadata.
Same like me, I keep sensitive information like password hint inside it, so I'm not their target too. But it's purely my "technical" curiosity.

Yes, deleting journals would remove the records but again, there is no "leak" to begin with.
All of them? Can we clear all of the NTFS journals with the fsutil usn command? Including MFT and other journaling types?

You can format a partition/volume as exFAT and use it in Windows 10 (using DiskPart or 3rd party tools) but although it's what you're looking for, lacking journaling makes a file system more vulnerable to data corruption and those logs (journals) make fixing data corruptions easier.
Well, it's bad. Looks like I'll stick to the delete journal option.

And I'm confused about metadata journaling and the VeraCrypt container. Example: I change "test.docx" INSIDE the container. What data is recorded in the journal?

1. It records that "test.docx" has changed (the file name literally appears/is recorded in the journal)

OR

2. It only records that there's a change in the "CONTAINER", without knowing the name of the file that changed inside (test.docx)
And how about it? You know something?
 
Same like me, I keep sensitive information like password hint inside it, so I'm not their target too. But it's purely my "technical" curiosity.
Again, if you think you'd be a target and somebody would actively try to decrypt the data, such as password hints, they're safer written on paper, not kept as digital data on the computer.
All of them? Can we clear all of the NTFS journals with the fsutil usn command? Including MFT and other journaling types?
As far as I know you can delete or disable journaling and change journals with fsutil but that can have a big negative impact on any application using them to operate. If you disable or delete an active change journal, all entries in the master file table (MFT) are changed to zero. I don't think you can actually get rid of MFT entirely, if that's what you're asking.
Well, it's bad. Looks like I'll stick to the delete journal option.
I personally would not worry about it or just encrypt the whole partition/volume with VeraCrypt instead of having a file container on it. You can also have an external storage (like USB flash drive) formatted in exFAT and put your "sensitive data" on it and encrypt that with VeraCrypt.
And how about it? You know something?
As far as I know, as files, directories and such objects are created/added, deleted, and modified (edited), NTFS puts records of the changes into the USN change journal. Each record indicates the type of change and the object changed. So basically it should include the file name and the kind of change made to it.
 
Solution
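The record layout behind the description above, as an added example that is not part of the original thread: a Python parser for the `USN_RECORD_V2` structure (field layout from the Windows SDK header `winioctl.h`), run over constructed sample records. The file names, USN values and file reference numbers in the sample are made up; a journal only describes files on the volume it belongs to.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte part of USN_RECORD_V2 (winioctl.h), little-endian.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
# Subset of the USN_REASON_* bit flags.
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
           0x80000000: "CLOSE"}

def parse_record(buf, off=0):
    """Decode one USN_RECORD_V2 starting at byte offset `off`."""
    (length, major, _minor, _frn, _parent, usn, ftime, reason,
     _src, _sid, _attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
    if major != 2 or length < HEADER.size or off + length > len(buf):
        raise ValueError("not a complete USN_RECORD_V2")
    if name_off + name_len > length:
        raise ValueError("file name runs past the record")
    name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
    # TimeStamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ftime // 10)
    return {"length": length, "usn": usn, "name": name, "time": when,
            "reasons": [n for bit, n in REASONS.items() if reason & bit]}

def parse_all(buf):
    """Walk a buffer of back-to-back records (each is 8-byte aligned)."""
    out, off = [], 0
    while off + HEADER.size <= len(buf):
        rec = parse_record(buf, off)
        out.append(rec)
        off += rec["length"]
    return out

def build_record(name, usn, reason, ftime):
    """Constructed sample record; the file reference numbers are made up."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7
    head = HEADER.pack(length, 2, 0, 0x42, 0x5, usn, ftime, reason,
                       0, 0, 0x20, len(raw), HEADER.size)
    return (head + raw).ljust(length, b"\0")

SAMPLE_FT = 132865056000000000  # constructed: 2022-01-13 00:00:00 UTC as FILETIME
SAMPLE = (build_record("test.docx", 4096, 0x1, SAMPLE_FT) +
          build_record("test.docx", 4176, 0x80000001, SAMPLE_FT) +
          build_record("old-notes.txt", 4256, 0x80000200, SAMPLE_FT))

if __name__ == "__main__":
    for r in parse_all(SAMPLE):
        print(r["usn"], r["time"].isoformat(), r["name"], "|".join(r["reasons"]))
```

Each decoded record carries the plain file name, a timestamp and the reason flags, which is why the change journal is a standard source in file-system timeline analysis.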
So exFAT is fine with a USB removable drive?
Fine as in it can be done and used on Windows? Yes it's fine.
Does it have journaling? No it doesn't.

You can follow link with instructions on how to format a USB drive with exFAT in Windows. Beware that the format would destroy data/files already on the USB flash, so before you format the USB drive, if you need the data, back it up to other storage media.
 
Fine as in "data corruption", I mean. Like you said before, exFAT is vulnerable to data corruption.
 
I think I could have worded that better. It's not that exFAT is more prone to corruption per se.

In case of data corruption, if a file system is journaled, the journaling logs can help fix the whole fixing process. There's no journaling like NTFS in exFAT so corruptions that pertain to file tables and changes to files and such are not as easily fixed as NTFS.
 
Oh, I got it now, thanks for all your explanation.