USN-Journal-Parser Logo

USN-Journal-Parser

0
Free
Visit Website

The NTFS USN Change journal is a volume-specific log which records metadata changes to files. It is a treasure trove of information during a forensic investigation. The change journal is a named alternate data stream, located at: $Extend$UsnJrnl:$J. usn.py is a script written in Python which parses the journal's contents, and features several different output formats. Default Output With no command-line options set, usn.py will produce USN journal records in the format below: dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt dev@computer:$ cat /tmp/usn.txt 2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE | DATA_OVERWRITE DATA_EXTEND Command-Line Options optional arguments: -h, --help show this help message and exit -b, --body Return USN records in comma-separated format -c, --csv Return USN records in comma-separated format -f FILE, --file FILE Parse the given USN journal file -q, --quick Parse a large journal file quickly -s SYSTEM, --system SYSTEM System name (use with -t) -t, --tln TLN output (use with -s) -v, --verbose Return all USN properties for each record (JSON) --csv Using the CSV f

FEATURES

ALTERNATIVES

ShadowCopy Analyzer is a tool for cybersecurity researchers to analyze and utilize the ShadowCopy technology for file recovery and system restoration.

MalConfScan is a Volatility plugin for extracting configuration data of known malware and analyzing memory images.

A reliable end-to-end DFIR solution for boosting cyber incident response and forensics capacity.

Educational CTF-styled challenges for Memory Forensics.

ForensicMiner, Redefine DFIR Automations

A library to access the Windows New Technology File System (NTFS) format with read-only support for NTFS versions 3.0 and 3.1.

A library to access and read QEMU Copy-On-Write (QCOW) image file formats with support for zlib compression and AES-CBC encryption.

A forensic analysis tool that extracts and parses logs, notifications, and system information from iOS/iPadOS devices and backups.

PINNED