51. forensicinsight.org Page 51
$UsnJrnl Structure
- Source Information (http://msdn.microsoft.com/en-us/library/aa365722.aspx)
Flag Description
0x00 Event caused by the user
0x01 Event caused by the operating system
0x02 The operation adds a private data stream to a file or directory.
0x04 The operation creates or updates the contents of a replicated file.
52. forensicinsight.org Page 52
$UsnJrnl Structure
- File Attribute information (http://msdn.microsoft.com/en-us/library/gg258117.aspx)
Value Description
0x01 Read-only attribute
0x02 Hidden attribute
0x04 System file
0x10 Directory
0x20 Archive file
0x40 Device file
0x80 Normal file
0x100 Temporary file
0x200 Sparse file
0x400 File that has a reparse attribute or is a symbolic link
0x800 Compressed
0x1000 This attribute indicates that the file data is physically moved to offline storage.
0x2000 Not indexed
0x4000 Encrypted
0x8000 The directory or user data stream is configured with integrity (only supported on ReFS volumes).
0x10000 Virtual file
0x20000 The user data stream not to be read by the background data integrity scanner (AKA scrubber).
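An added example, not part of the original slides: a small Python parser that reads one USN_RECORD_V2 entry and decodes its SourceInfo and FileAttributes fields with the values from the two tables above. The 60-byte header layout is assumed from Microsoft's USN_RECORD_V2 documentation, the flag names are the Win32 constant names, and the sample record is constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Bit values are the ones in the two tables above; names are the Win32 constants.
SOURCE_INFO = {0x01: "DATA_MANAGEMENT", 0x02: "AUXILIARY_DATA",
               0x04: "REPLICATION_MANAGEMENT"}
FILE_ATTRIBUTES = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
    0x20: "ARCHIVE", 0x40: "DEVICE", 0x80: "NORMAL", 0x100: "TEMPORARY",
    0x200: "SPARSE_FILE", 0x400: "REPARSE_POINT", 0x800: "COMPRESSED",
    0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
    0x8000: "INTEGRITY_STREAM", 0x10000: "VIRTUAL", 0x20000: "NO_SCRUB_DATA",
}
# Fixed 60-byte USN_RECORD_V2 header, little-endian (layout assumed from MSDN).
HEADER = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_flags(value, table, zero_name=None):
    """Split a bitmask into names; bits missing from the table stay visible."""
    if value == 0 and zero_name:
        return [zero_name]
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def parse_usn_record_v2(buf):
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than the USN_RECORD_V2 header")
    (length, major, _minor, _file_ref, _parent_ref, usn, filetime, _reason,
     source_info, _security_id, attrs, name_len, name_off) = HEADER.unpack_from(buf)
    if major != 2 or length > len(buf) or name_off + name_len > length:
        raise ValueError("not a complete USN_RECORD_V2")
    return {
        "usn": usn,
        "time": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "name": buf[name_off:name_off + name_len].decode("utf-16-le"),
        "source": decode_flags(source_info, SOURCE_INFO, "USER"),
        "attributes": decode_flags(attrs, FILE_ATTRIBUTES),
    }

def build_sample_record():
    """Constructed record: hidden, archived, non-indexed file changed by a user."""
    name = "report.docx".encode("utf-16-le")
    length = (HEADER.size + len(name) + 7) & ~7   # records are 8-byte aligned
    header = HEADER.pack(length, 2, 0, 0x1000000000ABC, 0x5000000000005, 4096,
                         130000000000000000, 0x100, 0x00, 0, 0x2022,
                         len(name), HEADER.size)
    return (header + name).ljust(length, b"\x00")
```

Calling `parse_usn_record_v2(build_sample_record())` returns the decoded record; bits that are not in either table are reported as `UNKNOWN(0x...)` rather than dropped, so unfamiliar values stay visible during analysis.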