USN-Journal-Parser Logo

USN-Journal-Parser

0
Free
Visit Website

The NTFS USN Change journal is a volume-specific log which records metadata changes to files. It is a treasure trove of information during a forensic investigation. The change journal is a named alternate data stream, located at: $Extend$UsnJrnl:$J. usn.py is a script written in Python which parses the journal's contents, and features several different output formats. Default Output With no command-line options set, usn.py will produce USN journal records in the format below: dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt dev@computer:$ cat /tmp/usn.txt 2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE | DATA_OVERWRITE DATA_EXTEND Command-Line Options optional arguments: -h, --help show this help message and exit -b, --body Return USN records in comma-separated format -c, --csv Return USN records in comma-separated format -f FILE, --file FILE Parse the given USN journal file -q, --quick Parse a large journal file quickly -s SYSTEM, --system SYSTEM System name (use with -t) -t, --tln TLN output (use with -s) -v, --verbose Return all USN properties for each record (JSON) --csv Using the CSV f

FEATURES

ALTERNATIVES

A forensic tool to find hidden processes and TCP/UDP ports by rootkits or other hidden techniques.

A Python 2.x tool for memory analysis on Mac OS X systems with support for various OS versions and memory image export capabilities.

Tool for analyzing Windows Recycle Bin INFO2 file

dc3dd is a patch to the GNU dd program, tailored for forensic acquisition with features like hashing and file verification.

A modified version of GNU dd with added features like hashing and fast disk wiping.

A tool for discovering, analyzing, and remedying sensitive data

A tool for analyzing pentest screenshots using a convolutional neural network

A Windows Registry hive extraction library that reads and writes Windows Registry 'hive' binary files.