A Python script to parse the NTFS USN journal
Description
The NTFS USN Change journal is a volume-specific log which records metadata changes to files. It is a treasure trove of information during a forensic investigation. The change journal is a named alternate data stream, located at: $Extend\$UsnJrnl:$J. usn.py is a script written in Python which parses the journal’s contents, and features several different output formats.
Default Output
With no command-line options set, usn.py will produce USN journal records in the format below:
dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt
dev@computer:$ cat /tmp/usn.txt
2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE | DATA_OVERWRITE DATA_EXTEND
Command-Line Options
optional arguments:
-h, --help show this help message and exit
-b, --body Return USN records in comma-separated format
-c, --csv Return USN records in comma-separated format
-f FILE, --file FILE Parse the given USN journal file
-q, --quick Parse a large journal file quickly
-s SYSTEM, --system SYSTEM System name (use with -t)
-t, --tln TLN output (use with -s)
-v, --verbose Return all USN properties for each record (JSON)
--csv
Using the --csv / -c flag will, as expected, provide results in CSV format. The --csv / -c option provides the same USN fields as the default output:
Timestamp
Filename
File attributes
Reason
An example of what this looks like is below:
dev@computer:~$ python usn.py --csv -f usnjournal -o /tmp/usn.txt
dev@computer:~$ cat /tmp/usn.txt
timestamp,filename,fileattr,reason
2015-10-09 21:37:58.836242,A75BFDE52F3DD8E6.dat,ARCHIVE NOT_CONTENT_INDEXED,DATA_EXTEND FILE_CREATE
--body
Using the --body / -b command-line flag, the script will output in mactime body format:
dev@computer:~$ python usn.py -f usnjournal --body
0|schedule log.xml (USN: DATA_EXTEND DATA_TRUNCATION CLOSE)|24603-1|0|0|0|0|1491238176|1491238176|1491238176|1491238176
--tln / -t
Using the --tln / -t command-line flag, the script will output in TLN body format:
dev@computer:~$ python usn.py -f usnjournal --tln
1491238176|USN|||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE
Add the --system / -s flag to specify a system name with TLN output:
dev@computer:~$ python usn.py -f usnjournal --tln --system ThisIsASystemName
1491238176|USN|ThisIsASystemName||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE
--verbose
Return all USN members for each record with the --verbose / -v flag. The results are JSON-formatted.
dev@computer:~$ python usn.py --verbose -f usnjournal -o /tmp/usn.txt
dev@computer:~$ cat /tmp/usn.txt
{
"majorVersion": 2,
"minorVersion": 0,
"fileReferenceNumber": 281474976744952,
"parentFileReferenceNumber": 844424930165539,
"usn": 47265504,
"timestamp": 1467312724,
"reason": "SECURITY_CHANGE",
"sourceInfo": 0,
"securityId": 0,
"fileAttributes": "HIDDEN SYSTEM ARCHIVE",
"filenameLength": 22,
"filenameOffset": 60,
"filename": "493fde4.rbf",
"humanTimestamp": "2016-06-30 18:52:04.456762",
"epochTimestamp": 1467312724,
"mftSeqNumber": 1,
"mftEntryNumber": 34296,
"pMftSeqNumber": 3,
"pMftEntryNumber": 33571
}
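The verbose record above maps one-to-one onto the on-disk USN_RECORD_V2 layout: a 60-byte little-endian header followed by a UTF-16LE filename at filenameOffset, with records padded to 8-byte boundaries and the front of $J usually being a long sparse run of zeros. The following parser is an added example and is not usnparser's own code; it constructs two sample records inline (the 493fde4.rbf record from the JSON above and the schedule log.xml record from the body/TLN examples), walks the buffer the way a $J extract has to be walked (skipping zero padding and stopping at a truncated trailing record), splits the 64-bit file reference into its 48-bit MFT entry and 16-bit sequence number, and renders the default, body and TLN line formats shown on this page. The reason and attribute bit values are the documented USN_REASON_* and FILE_ATTRIBUTE_* constants; the helper names are this example's own.

```python
"""Minimal USN_RECORD_V2 parser (added example, not usnparser's code)."""
import struct
from datetime import datetime, timedelta

# Fixed 60-byte USN_RECORD_V2 header, little-endian: RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp
# (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength,
# FileNameOffset. The filename (UTF-16LE) follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_UNIX_EPOCH = 116444736000000000  # 100-ns ticks from 1601-01-01 to 1970-01-01

# USN_REASON_* and FILE_ATTRIBUTE_* bits, kept in ascending order so that the
# rendered strings match the tool's "HIDDEN SYSTEM ARCHIVE" style ordering.
REASONS = [(0x1, "DATA_OVERWRITE"), (0x2, "DATA_EXTEND"), (0x4, "DATA_TRUNCATION"),
           (0x10, "NAMED_DATA_OVERWRITE"), (0x20, "NAMED_DATA_EXTEND"),
           (0x40, "NAMED_DATA_TRUNCATION"), (0x100, "FILE_CREATE"), (0x200, "FILE_DELETE"),
           (0x400, "EA_CHANGE"), (0x800, "SECURITY_CHANGE"), (0x1000, "RENAME_OLD_NAME"),
           (0x2000, "RENAME_NEW_NAME"), (0x4000, "INDEXABLE_CHANGE"), (0x8000, "BASIC_INFO_CHANGE"),
           (0x10000, "HARD_LINK_CHANGE"), (0x20000, "COMPRESSION_CHANGE"),
           (0x40000, "ENCRYPTION_CHANGE"), (0x80000, "OBJECT_ID_CHANGE"),
           (0x100000, "REPARSE_POINT_CHANGE"), (0x200000, "STREAM_CHANGE"), (0x80000000, "CLOSE")]
ATTRIBUTES = [(0x1, "READONLY"), (0x2, "HIDDEN"), (0x4, "SYSTEM"), (0x10, "DIRECTORY"),
              (0x20, "ARCHIVE"), (0x40, "DEVICE"), (0x80, "NORMAL"), (0x100, "TEMPORARY"),
              (0x200, "SPARSE_FILE"), (0x400, "REPARSE_POINT"), (0x800, "COMPRESSED"),
              (0x1000, "OFFLINE"), (0x2000, "NOT_CONTENT_INDEXED"), (0x4000, "ENCRYPTED")]


def flags_to_str(value, table):
    return " ".join(name for bit, name in table if value & bit)


def filetime_to_datetime(ft):
    # FILETIME counts 100-ns ticks since 1601-01-01 UTC; return a naive UTC datetime
    return datetime(1970, 1, 1) + timedelta(microseconds=(ft - _FILETIME_UNIX_EPOCH) // 10)


def parse_record(buf, off=0):
    (length, major, minor, frn, pfrn, usn, ft, reason, source, sec_id,
     attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    ts = filetime_to_datetime(ft)
    return {
        "recordLength": length, "majorVersion": major, "minorVersion": minor,
        "fileReferenceNumber": frn, "parentFileReferenceNumber": pfrn, "usn": usn,
        "reason": flags_to_str(reason, REASONS), "sourceInfo": source, "securityId": sec_id,
        "fileAttributes": flags_to_str(attrs, ATTRIBUTES),
        "filenameLength": name_len, "filenameOffset": name_off, "filename": name,
        "humanTimestamp": ts.isoformat(sep=" "),
        "epochTimestamp": int((ts - datetime(1970, 1, 1)).total_seconds()),
        # An NTFS file reference is the 48-bit MFT entry number with the 16-bit
        # sequence number in the top bits; a stale sequence number means the entry was reused.
        "mftSeqNumber": frn >> 48, "mftEntryNumber": frn & 0xFFFFFFFFFFFF,
        "pMftSeqNumber": pfrn >> 48, "pMftEntryNumber": pfrn & 0xFFFFFFFFFFFF,
    }


def iter_records(buf):
    """Walk a raw $J extract: records start on 8-byte boundaries, and zero runs
    (the sparse lead-in of $J, or padding between records) carry no RecordLength."""
    off = 0
    while off + _HDR.size <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:
            nz = off
            while nz < len(buf) and buf[nz] == 0:
                nz += 1
            off = max(off + 8, nz - (nz % 8))  # jump to the next aligned candidate
            continue
        if length < _HDR.size or off + length > len(buf):
            break  # corrupt or truncated trailing record
        yield parse_record(buf, off)
        off += length


def default_line(r):
    return "{} | {} | {} | {}".format(r["humanTimestamp"], r["filename"], r["fileAttributes"], r["reason"])


def body_line(r):
    # mactime body: md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
    return "0|{} (USN: {})|{}-{}|0|0|0|0|{t}|{t}|{t}|{t}".format(
        r["filename"], r["reason"], r["mftEntryNumber"], r["mftSeqNumber"], t=r["epochTimestamp"])


def tln_line(r, system=""):
    return "{}|USN|{}||{}:{}".format(r["epochTimestamp"], system, r["filename"], r["reason"])


def build_record(frn, pfrn, usn, ft, reason, attrs, name):
    """Constructed sample record (for the example only), padded to 8 bytes like NTFS does."""
    name_b = name.encode("utf-16-le")
    length = (_HDR.size + len(name_b) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, frn, pfrn, usn, ft, reason, 0, 0, attrs, len(name_b), _HDR.size)
    return (hdr + name_b).ljust(length, b"\x00")


# Constructed $J fragment: sparse zero lead-in, the two records from this page, padding between them.
SAMPLE_JOURNAL = (b"\x00" * 64
                  + build_record(281474976744952, 844424930165539, 47265504,
                                 131117863244567620, 0x800, 0x26, "493fde4.rbf")
                  + b"\x00" * 16
                  + build_record((1 << 48) | 24603, (5 << 48) | 5, 47265600,
                                 131357117760000000, 0x80000006, 0x20, "schedule log.xml"))

if __name__ == "__main__":
    for rec in iter_records(SAMPLE_JOURNAL):
        print(default_line(rec))
        print(body_line(rec))
        print(tln_line(rec, "ThisIsASystemName"))
```

Because iter_records trusts RecordLength only after bounds-checking it, a damaged or deliberately malformed journal extract cannot push the parser past the buffer; on real evidence, export $J with a tool that preserves the sparse layout, and treat mftEntryNumber-mftSeqNumber as the key for cross-referencing the records against a parsed $MFT.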
Installation
Using setup.py:
python setup.py install
Using pip:
pip install usnparser
Source Distribution
File details
Details for the file usnparser-4.1.5.tar.gz.
File metadata
- Download URL: usnparser-4.1.5.tar.gz
- Size: 6.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.4.2 requests/2.22.0 setuptools/45.2.0 requests-toolbelt/0.8.0 tqdm/4.30.0 CPython/3.8.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 84f0e7af8f975ee0f55366efef74324e2d500715e2ddc8a384d662b405706466 |
| MD5 | ad53b6725432eeeb287735e3af26fb1d |
| BLAKE2b-256 | 5d3212b558c2462d05442ab23f269a445e76c15a60404416e3a315947f12cc97 |