Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

NTFS $UsnJrnl Parser

This script parses records contained in the $J data stream of the $UsnJrnl file.

These records contain information about changes made to files and folders contained within the associated volume's NT file system.

The examiner can choose to process all or selected '$UsnJrnl·$J' files. Even if everything is selected, the script will only process files named '$UsnJrnl·$J'.

The examiner can opt to parse each '$UsnJrnl·$J' in a way that will skip any sparse region. Sparse regions should contain nothing but null bytes, so excluding them should save some time. Note that this option will have no effect for '$UsnJrnl·$J' files that are contained within logical evidence files.

When it comes to parsing the actual $UsnJrnl records, the examiner can use the script's built-in filtering functionality to parse only those records that match specified criteria.

The most common use for this will be to identify records that relate to files/folders with a specific name, in which case the 'TargetFilename' property should be used.

The script can, if requested, attempt to identify the path of the parent of each entry referred to in a record. This will not be possible if the host volume's Master File Table is unavailable or if the parent has been deleted or is also unavailable (such as where '$UsnJrnl·$J' has been captured as a single file or as part of a logical evidence file but the parent volume wasn't). Note that taking this option will extend processing time considerably.

Output is in the form of bookmarks and a tab-delimited spreadsheet file. Note that a CSV file extension is used because programs such as Microsoft Excel do not recognise the TSV file extension.

The user has the ability to specify how the content of the 'Reason(s)' field is delimited. Using a newline delimiter makes reading the contents of this field easier but requires the script to delimit text fields using double-quotes, which aren't supported by every application into which the examiner may wish to import the data (see below). The examiner can therefore opt to delimit the contents of this field using spaces, in which case the script won't use double-quotes.

It's important to bear in mind that '$UsnJrnl·$J' files on Windows systems starting with Vista are likely to contain several hundred thousand records; these can take substantial time to process especially if the user has taken the option to resolve parent-entries. Unless the examiner is absolutely certain of the entries he/she needs to examine the best option is to process each '$UsnJrnl·$J' file in its entirety and then filter the TSV output file using a spreadsheet or database program.

Note that there is a limit of 1,048,576 rows in Excel 2010 and Excel 2013, so the examiner is probably better-off importing and then examining the data into a database application such as MS Access or SQLite Expert Professional. Note that the former supports double-quoted text fields; the latter does not.

Download Now



Version: 5.0.2
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

12925 DOWNLOADS

YOU MAY ALSO LIKE

Artifact

WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key
7599 Downloads
App
Artifact

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key
181 Downloads
App
Artifact

User Assist Registry Value Decoder

Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key
126 Downloads
App
Artifact

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents
By Simon Key
107 Downloads
App