Skip to main content
This is a pre-production deployment of Warehouse. Changes made here affect the production instance of PyPI (pypi.python.org).
Help us improve Python packaging - Donate today!

A Python script to parse the NTFS USN journal

Project Description

Python script to parse the NTFS USN Change Journal

Description

The NTFS USN Change journal is a volume-specific log which records metadata changes to files. It is a treasure trove of information during a forensic investigation. The change journal is a named alternate data stream, located at: $Extend\$UsnJrnl:$J. usn.py is a script written in Python which parses the journal’s contents, and features several different output formats.

Default Output

With no command-line options set, usn.py will produce USN journal records in the format below:

dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt
dev@computer:$ cat /tmp/usn.txt

2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE  | DATA_OVERWRITE DATA_EXTEND

Command-Line Options

optional arguments:
  -h, --help            show this help message and exit
  -b, --body            Return USN records in comma-separated format
  -c, --csv             Return USN records in comma-separated format
  -f FILE, --file FILE  Parse the given USN journal file
  -q, --quick           Parse a large journal file quickly
  -s SYSTEM, --system SYSTEM
                        System name (use with -t)
  -t, --tln             TLN output (use with -s)
  -v, --verbose         Return all USN properties for each record (JSON)

–csv

Using the CSV flag will, as expected, provide results in CSV format. Using the –csv / -c option provides the same USN fields as default output:

  • Timestamp
  • Filename
  • File attributes
  • Reason

An example of what this looks like is below:

dev@computer:~$python usn.py --csv -f usnjournal -o /tmp/usn.txt
dev@computer:~$ cat /tmp/usn.txt

timestamp,filename,fileattr,reason
2015-10-09 21:37:58.836242,A75BFDE52F3DD8E6.dat,ARCHIVE NOT_CONTENT_INDEXED,DATA_EXTEND FILE_CREATE

–body

Using the –body / -b command-line flag, the script will output in mactime body format:

dev@computer:~$ python usn.py -f usnjournal --body

0|schedule log.xml (USN: DATA_EXTEND DATA_TRUNCATION CLOSE)|24603-1|0|0|0|0|1491238176|1491238176|1491238176|1491238176

–tln / -t

Using the –tln / -t command-line flag, the script will output in TLN body format:

dev@computer:~$ python usn.py -f usnjournal --tln

1491238176|USN|||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE

Add the –system / -s flag to specify a system name with TLN output:

dev@computer:~$ python usn.py -f usnjournal --tln --system ThisIsASystemName

1491238176|USN|ThisIsASystemName||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE

–verbose

Return all USN members for each record with the –verbose / -v flag. The results are JSON-formatted.

dev@computer:~$python usn.py --verbose -f usnjournal -o /tmp/usn.txt
dev@computer:~$cat /tmp/usn.txt

{
    "majorVersion": 2,
    "minorVersion": 0,
    "fileReferenceNumber": 281474976744952,
    "parentFileReferenceNumber": 844424930165539,
    "usn": 47265504,
    "timestamp": 1467312724,
    "reason": "SECURITY_CHANGE",
    "sourceInfo": 0,
    "securityId": 0,
    "fileAttributes": "HIDDEN SYSTEM ARCHIVE",
    "filenameLength": 22,
    "filenameOffset": 60,
    "filename": "493fde4.rbf",
    "humanTimestamp": "2016-06-30 18:52:04.456762",
    "epochTimestamp": 1467312724,
    "mftSeqNumber": 1,
    "mftEntryNumber": 34296,
    "pMftSeqNumber": 3,
    "pMftEntryNumber": 33571
}

Installation

Using setup.py:

python setup.py install

Using pip:

pip install usnparser
Travis-CI
Release History

Release History

This version
History Node

4.0.3

History Node

4.0.2

History Node

4.0.1

History Node

4.0.0

History Node

3.0.2

History Node

3.0.1

History Node

3.0.0

History Node

2.0.4

History Node

2.0.3

History Node

2.0.2

History Node

2.0.1

History Node

2.0.0

History Node

1.0.7

History Node

1.0.6

History Node

1.0.5

History Node

1.0.4

History Node

1.0.3

History Node

1.0.2

History Node

1.0.1

History Node

1.0.0

Download Files

Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
usnparser-4.0.3.tar.gz (5.5 kB) Copy SHA256 Checksum SHA256 Source May 21, 2017

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting