
A Python script to parse the NTFS USN journal

Project description

Python script to parse the NTFS USN Change Journal


The NTFS USN Change Journal is a per-volume file that logs metadata changes to files (creates, deletes, renames, data writes and so on) together with the time of the change and the file's MFT reference, which makes it a treasure trove of information during a forensic investigation. The journal is stored in a named alternate data stream, located at $Extend\$UsnJrnl:$J. This script, written in Python, parses the journal's contents and offers several different output formats.

Default Output

With no command-line options set, the script produces USN journal records in the format below (timestamp | filename | file attributes | reason):

dev@computer:$ python -f usnjournal
2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE  | DATA_OVERWRITE DATA_EXTEND

Command-Line Options

optional arguments:
  -h, --help            show this help message and exit
  -b, --body            Return USN records in comma-separated format
  -c, --csv             Return USN records in comma-separated format
  -f FILE, --file FILE  Parse the given USN journal file
  -q, --quick           Parse a large journal file quickly
  -s SYSTEM, --system SYSTEM
                        System name (use with -t)
  -t, --tln             TLN output (use with -s)
  -v, --verbose         Return all USN properties for each record (JSON)


--quick / -q

The USN journal is a sparse file. Depending on how it was extracted, the file may be bloated with gigabytes of NULL bytes, so a parser has to read through those NULL bytes to find the first valid USN record before it can begin producing results.

Doing that in an interpreted language such as Perl or Python can take a long time if the journal file is large. The --quick / -q flag speeds the search up by seeking ahead one gigabyte at a time until valid USN data is found. Because it seeks in one-gigabyte steps, the journal must be at least one gigabyte in size; if it is not, the script simply prints an error and exits:

dev@computer$ python -f usnjournal --quick
[ - ] This USN journal is not large enough for the --quick functionality
[ - ] Exitting...

Note: This logic does make (very good) assumptions about the data in question. On the off chance you experience issues using this functionality, just switch back to running without the --quick flag. Personally, I have never had issues with it.

Below is an example of the time it takes to find valid data in a large USN journal, 39 GB in size and consisting mostly of NULL bytes. This run does not use --quick and takes over six minutes to begin producing results:

PS Dev:\Desktop> Measure-Command {C:\Python27\python.exe -f usnjournal}
Hours             : 0
Minutes           : 6
Seconds           : 3
Milliseconds      : 766
Ticks             : 3637662181
TotalDays         : 0.00421025715393519
TotalHours        : 0.101046171694444
TotalMinutes      : 6.06277030166667
TotalSeconds      : 363.7662181
TotalMilliseconds : 363766.2181

Now the same USN journal file with the --quick flag. The time it takes to find data drops to just under three seconds:

PS Dev:\Desktop> Measure-Command {C:\Python27\python.exe -f usnjournal --quick}
Hours             : 0
Minutes           : 0
Seconds           : 2
Milliseconds      : 822
Ticks             : 28224455
TotalDays         : 3.2667193287037E-05
TotalHours        : 0.000784012638888889
TotalMinutes      : 0.0470407583333333
TotalSeconds      : 2.8224455
TotalMilliseconds : 2822.4455
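The NULL-skipping search described above, as an added example rather than usnparser's own code. It samples the file at a fixed stride until non-NULL data appears and only then scans byte-by-byte from the last all-NULL sample point; the stride is a parameter here (an assumption made so the demo can run on a small in-memory file, not a flag of the tool), with 1 GiB corresponding to the --quick behaviour. A record is accepted when its first eight bytes carry a plausible, 8-byte-aligned RecordLength and version 2.0. The sample input is constructed.

```python
"""Locate the first USN record in a sparse, NULL-padded journal extract.

Added example, not usnparser's own code.  `stride` is an assumed parameter:
None scans from offset 0, 1 << 30 (GIB) mirrors the --quick behaviour.
"""
import io
import struct

GIB = 1 << 30


def looks_like_record(chunk):
    """Sanity-check the first 8 bytes of a USN_RECORD_V2: a plausible,
    8-byte-aligned RecordLength followed by MajorVersion 2, MinorVersion 0."""
    if len(chunk) < 8:
        return False
    reclen, major, minor = struct.unpack_from("<IHH", chunk, 0)
    return 60 <= reclen <= 0x10000 and reclen % 8 == 0 and (major, minor) == (2, 0)


def find_first_record(fp, size, stride=None, probe=4096, window=1 << 20):
    """Return the offset of the first record that passes looks_like_record,
    or None if the data is nothing but NULLs.

    stride=None reads every byte from offset 0 (the slow path on a 39 GB
    sparse dump).  With a stride, the file is sampled every `stride` bytes
    until a non-NULL byte shows up, and the byte-level scan then starts from
    the previous sample point instead of from the beginning.
    """
    start = 0
    if stride is not None:
        if size < stride:
            raise ValueError("This USN journal is not large enough for the --quick functionality")
        pos = 0
        while pos < size:
            fp.seek(pos)
            if any(fp.read(probe)):        # any non-zero byte in this sample?
                break
            pos += stride
        start = max(pos - stride, 0)     # data begins after the last all-NULL sample
    fp.seek(start)
    pos = start
    while True:
        buf = fp.read(window)
        if not buf:
            return None
        for off in range(0, len(buf) - 7, 8):   # records are 8-byte aligned
            head = buf[off:off + 8]
            if head != b"\0" * 8 and looks_like_record(head):
                return pos + off
        pos += len(buf)


def scan_bytes(data, stride=None):
    """Convenience wrapper for in-memory data; a real run passes an open file
    and os.path.getsize(path) instead."""
    return find_first_record(io.BytesIO(data), len(data), stride=stride)


# Constructed sample: 3 MiB of NULL padding followed by one 96-byte record
# whose header says RecordLength=96, MajorVersion=2, MinorVersion=0.
SAMPLE = b"\0" * (3 << 20) + struct.pack("<IHH", 96, 2, 0).ljust(96, b"\0")

if __name__ == "__main__":
    print(scan_bytes(SAMPLE), scan_bytes(SAMPLE, stride=1 << 20))
```

On a real extract, open the $J stream read-only and pass `os.path.getsize(path)` as `size`; the 1 GiB stride is what turns a minutes-long read of NULL bytes into a handful of seeks, and the fallback scan from the previous sample point is what keeps the result identical to the slow path.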


--csv / -c

The --csv / -c flag, as expected, returns results in CSV format, with the same USN fields as the default output:

  • Timestamp
  • Filename
  • File attributes
  • Reason

An example of what this looks like is below:

dev@computer:~$python -f usnjournal --csv


--verbose / -v

The --verbose / -v flag returns every member of each USN record; the results are JSON-formatted:

dev@computer:~$python -f usnjournal --verbose
{
    "recordlen": 96,
    "majversion": 2,
    "minversion": 0,
    "mftSequenceNumber": 1,
    "mftEntryNumber": 95075,
    "parentMftSequenceNumber": 1,
    "parentMftEntryNumber": 2221,
    "usn": 432,
    "timestamp": "2016-02-22 02:59:26.374840",
    "reason": "FILE_DELETE CLOSE ",
    "sourceinfo": 0,
    "sid": 0,
    "fileattr": "ARCHIVE ",
    "filenamelen": 34,
    "filenameoffset": 60,
    "filename": "WindowsUpdate.log"
}

--body / -b

Using the --body / -b command-line flag, the script will output in mactime body format:

dev@computer:~$ python -f usnjournal --body

0|schedule log.xml (USN: DATA_EXTEND DATA_TRUNCATION CLOSE)|24603-1|0|0|0|0|1491238176|1491238176|1491238176|1491238176

--tln / -t

Using the --tln / -t command-line flag, the script will output in TLN (timeline) format:

dev@computer:~$ python -f usnjournal --tln

1491238176|USN|||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE

Add the --system / -s flag to specify a system name with TLN output:

dev@computer:~$ python -f usnjournal --tln --system ThisIsASystemName

1491238176|USN|ThisIsASystemName||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE
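How the verbose fields, the default line, the mactime body line and the TLN line all derive from one USN_RECORD_V2, as an added example rather than usnparser's own code. The 60-byte header layout, the reason flags and the attribute flags are the documented Windows USN_RECORD_V2 values; the field names match the --verbose output above, and the sample record is constructed in the block (its MFT entry, reason and epoch time are chosen to reproduce the body and TLN lines shown on this page).

```python
"""USN_RECORD_V2 parser with default, mactime body and TLN renderings.

Added example, not usnparser's own code.  The record built at the bottom is
constructed sample data, not taken from a real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

# 60-byte little-endian header: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")

REASONS = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE",
    0x800: "SECURITY_CHANGE", 0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
    0x4000: "INDEXABLE_CHANGE", 0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE",
    0x20000: "COMPRESSION_CHANGE", 0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE",
    0x100000: "REPARSE_POINT_CHANGE", 0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
ATTRIBUTES = {
    0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY",
    0x20: "ARCHIVE", 0x80: "NORMAL", 0x100: "TEMPORARY", 0x200: "SPARSE_FILE",
    0x400: "REPARSE_POINT", 0x800: "COMPRESSED", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def flags_to_str(value, table):
    """Bitmask -> space-separated names, lowest bit first (so CLOSE comes last)."""
    return " ".join(name for bit, name in sorted(table.items()) if value & bit)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_record(buf, offset=0):
    """Parse one USN_RECORD_V2 at buf[offset:]; return (fields, next_offset)."""
    (reclen, major, minor, fref, pref, usn, ts, reason, srcinfo, sid, attr,
     name_len, name_off) = HEADER.unpack_from(buf, offset)
    if reclen < HEADER.size or (major, minor) != (2, 0):
        raise ValueError("no USN_RECORD_V2 at offset %d" % offset)
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    return {
        "recordlen": reclen, "majversion": major, "minversion": minor,
        # A file reference is 48 bits of MFT entry number plus 16 bits of sequence.
        "mftEntryNumber": fref & 0xFFFFFFFFFFFF, "mftSequenceNumber": fref >> 48,
        "parentMftEntryNumber": pref & 0xFFFFFFFFFFFF, "parentMftSequenceNumber": pref >> 48,
        "usn": usn, "timestamp": filetime_to_datetime(ts),
        "reason": flags_to_str(reason, REASONS), "sourceinfo": srcinfo, "sid": sid,
        "fileattr": flags_to_str(attr, ATTRIBUTES),
        "filenamelen": name_len, "filenameoffset": name_off, "filename": name,
    }, offset + reclen


def iter_records(buf):
    """Walk back-to-back records, stopping at end of data or at NULL padding."""
    offset = 0
    while offset + HEADER.size <= len(buf) and buf[offset:offset + 4] != b"\0\0\0\0":
        rec, offset = parse_record(buf, offset)
        yield rec


def epoch(rec):
    return int(rec["timestamp"].timestamp())


def fmt_default(rec):
    return "%s | %s | %s | %s" % (rec["timestamp"].strftime("%Y-%m-%d %H:%M:%S.%f"),
                                  rec["filename"], rec["fileattr"], rec["reason"])


def fmt_body(rec):
    """mactime body: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime."""
    t = epoch(rec)
    return "0|%s (USN: %s)|%d-%d|0|0|0|0|%d|%d|%d|%d" % (
        rec["filename"], rec["reason"], rec["mftEntryNumber"], rec["mftSequenceNumber"], t, t, t, t)


def fmt_tln(rec, system=""):
    """TLN: time|source|host|user|description."""
    return "%d|USN|%s||%s:%s" % (epoch(rec), system, rec["filename"], rec["reason"])


def build_record(name, reason, attr, filetime, entry, seq, parent, parent_seq, usn):
    """Construct a sample record (test data); records are padded to 8-byte multiples."""
    wname = name.encode("utf-16-le")
    reclen = (HEADER.size + len(wname) + 7) & ~7
    hdr = HEADER.pack(reclen, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent,
                      usn, filetime, reason, 0, 0, attr, len(wname), HEADER.size)
    return (hdr + wname).ljust(reclen, b"\0")


# Constructed sample: DATA_EXTEND | DATA_TRUNCATION | CLOSE on an ARCHIVE file,
# stamped at epoch second 1491238176 (the value used in the page's examples).
FT_1491238176 = (1491238176 + 11644473600) * 10 ** 7
SAMPLE = build_record("schedule log.xml", 0x80000006, 0x20, FT_1491238176, 24603, 1, 5, 1, 0)

if __name__ == "__main__":
    for rec in iter_records(SAMPLE):
        print(fmt_default(rec))
        print(fmt_body(rec))
        print(fmt_tln(rec, "ThisIsASystemName"))
```

The body line sets every mactime timestamp (atime, mtime, ctime, crtime) to the record's FILETIME converted to epoch seconds and uses `entry-sequence` as the inode field, which is why a name that appears with several sequence numbers in the journal shows up as several inodes in a mactime timeline.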



Installation

Using pip:

pip install usnparser


Files for usnparser, version 3.0.2: usnparser-3.0.2.tar.gz (6.8 kB), source distribution.
