USN-Journal-Parser Logo

USN-Journal-Parser

0
Free
Visit Website

The NTFS USN Change journal is a volume-specific log which records metadata changes to files. It is a treasure trove of information during a forensic investigation. The change journal is a named alternate data stream, located at: $Extend$UsnJrnl:$J. usn.py is a script written in Python which parses the journal's contents, and features several different output formats. Default Output With no command-line options set, usn.py will produce USN journal records in the format below: dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt dev@computer:$ cat /tmp/usn.txt 2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE | DATA_OVERWRITE DATA_EXTEND Command-Line Options optional arguments: -h, --help show this help message and exit -b, --body Return USN records in comma-separated format -c, --csv Return USN records in comma-separated format -f FILE, --file FILE Parse the given USN journal file -q, --quick Parse a large journal file quickly -s SYSTEM, --system SYSTEM System name (use with -t) -t, --tln TLN output (use with -s) -v, --verbose Return all USN properties for each record (JSON) --csv Using the CSV f

FEATURES

ALTERNATIVES

A library to access the Extensible Storage Engine (ESE) Database File (EDB) format used in various Windows applications.

Collects and organizes Linux OS data for detailed analysis and incident response.

A tool with advanced filtering capabilities for analyzing events based on time, path, weekday, and date.

NBD is a userland implementation of the Network Block Device protocol, allowing for remote access to block devices over a network.

A tool for creating compact Linux memory dumps compatible with popular debugging tools.

Customizable live OS constructor tool for remote forensics and incident response.

A tool for collecting and analyzing screenshots from remote desktop protocols, web applications, and VNC connections.

A powerful reverse engineering framework