NTFS $UsnJrnl Parser
This script parses records contained in the $J data stream of the $UsnJrnl file.
These records contain information about changes made to files and folders contained within the associated volume's NT file system.
The examiner can choose to process all or selected '$UsnJrnl·$J' files. Even if everything is selected, the script will only process files named '$UsnJrnl·$J'.
The examiner can opt to parse each '$UsnJrnl·$J' in a way that will skip any sparse region. Sparse regions should contain nothing but null bytes, so excluding them should save some time. Note that this option will have no effect for '$UsnJrnl·$J' files that are contained within logical evidence files.
When it comes to parsing the actual $UsnJrnl records, the examiner can use the script's built-in filtering functionality to parse only those records that match specified criteria.
The most common use for this will be to identify records that relate to files/folders with a specific name, in which case the 'TargetFilename' property should be used.
The script can, if requested, attempt to identify the path of the parent of each entry referred to in a record. This will not be possible if the host volume's Master File Table is unavailable or if the parent has been deleted or is also unavailable (such as where '$UsnJrnl·$J' has been captured as a single file or as part of a logical evidence file but the parent volume wasn't). Note that taking this option will extend processing time considerably.
Output is in the form of bookmarks and a tab-delimited spreadsheet file. Note that a CSV file extension is used because programs such as Microsoft Excel do not recognise the TSV file extension.
The user has the ability to specify how the content of the 'Reason(s)' field is delimited. Using a newline delimiter makes reading the contents of this field easier but requires the script to delimit text fields using double-quotes, which aren't supported by every application into which the examiner may wish to import the data (see below). The examiner can therefore opt to delimit the contents of this field using spaces, in which case the script won't use double-quotes.
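The following Python is an added example and not the script's own code (which this page does not show). It parses USN_RECORD_V2 records from a $J stream in the way the options above describe: it skips null (sparse) regions, filters on a file name, decodes the Reason flags and renders a tab-delimited row with either a newline or a space delimiter for the Reason(s) field, double-quoting text fields only in the newline case. The record layout and USN_REASON_* values are those documented in the Windows SDK; the function names, the filter parameter `target_filename` and the sample stream are constructed for this example. Parent-path resolution is deliberately left out, since it needs the volume's $MFT.

```python
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# USN_REASON_* flag values from the Windows SDK (winioctl.h).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
# Fixed 60-byte USN_RECORD_V2 header; the UTF-16LE file name follows at FileNameOffset.
HEADER = struct.Struct("<IHHQQqQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NON_NULL = re.compile(rb"[^\x00]")


@dataclass
class UsnRecord:
    usn: int
    timestamp: datetime
    mft_entry: int
    mft_seq: int
    parent_entry: int
    parent_seq: int
    reason: int
    filename: str


def split_reference(ref):
    """Split a 64-bit MFT file reference into (entry number, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_journal(data, skip_null_regions=True):
    """Walk a $J stream and return every well-formed V2 record it contains."""
    records, offset, end = [], 0, len(data)
    while offset + HEADER.size <= end:
        if data[offset:offset + 4] == b"\x00\x00\x00\x00":
            # RecordLength of zero: we are inside a null (sparse) region.
            if skip_null_regions:
                m = NON_NULL.search(data, offset)
                if m is None:
                    break
                nxt = m.start() - (m.start() % 8)   # records are 8-byte aligned
                offset = nxt if nxt > offset else offset + 8
            else:
                offset += 8                         # plod through the nulls
            continue
        (length, major, _minor, file_ref, parent_ref, usn, filetime, reason,
         _source, _sec_id, _attrs, name_len, name_off) = HEADER.unpack_from(data, offset)
        if (major != 2 or length < HEADER.size or length % 8
                or offset + length > end or name_off + name_len > length):
            offset += 8   # not a valid record here; re-synchronise on the next boundary
            continue
        name = data[offset + name_off:offset + name_off + name_len].decode("utf-16-le", "replace")
        entry, seq = split_reference(file_ref)
        p_entry, p_seq = split_reference(parent_ref)
        records.append(UsnRecord(usn, FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
                                 entry, seq, p_entry, p_seq, reason, name))
        offset += length
    return records


def filter_by_name(records, target_filename):
    """Keep records for one file/folder name; NTFS names compare case-insensitively."""
    want = target_filename.casefold()
    return [r for r in records if r.filename.casefold() == want]


def reason_names(reason):
    """Decode the Reason bit mask into flag names, lowest bit first."""
    names = [n for bit, n in sorted(USN_REASONS.items()) if reason & bit]
    unknown = reason & ~sum(USN_REASONS)
    return names + ([f"UNKNOWN_0x{unknown:08X}"] if unknown else [])


def tsv_row(rec, newline_reasons=True):
    """One tab-delimited row; newline-delimited reasons force double-quoted text fields."""
    def text(s):
        return '"' + s.replace('"', '""') + '"' if newline_reasons else s
    reasons = ("\n" if newline_reasons else " ").join(reason_names(rec.reason))
    return "\t".join([str(rec.usn), rec.timestamp.isoformat(),
                      f"{rec.mft_entry}-{rec.mft_seq}", f"{rec.parent_entry}-{rec.parent_seq}",
                      text(rec.filename), text(reasons)])


def build_record(name, reason, usn, entry, seq, parent_entry, parent_seq, when):
    """Constructed V2 record for the sample stream below (not real journal data)."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER.size + len(name_bytes) + 7) & ~7
    d = when - FILETIME_EPOCH
    filetime = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    hdr = HEADER.pack(length, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent_entry,
                      usn, filetime, reason, 0, 0, 0x20, len(name_bytes), HEADER.size)
    return (hdr + name_bytes).ljust(length, b"\x00")


T0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
SAMPLE_J = (  # constructed: create, a 64-byte null run, an extend, then a delete
    build_record("report.docx", 0x80000100, 0x1000, 1234, 5, 5, 5, T0)
    + b"\x00" * 64
    + build_record("Report.docx", 0x80000002, 0x1098, 1234, 5, 5, 5, T0 + timedelta(seconds=30))
    + build_record("notes.txt", 0x80000200, 0x10F0, 1300, 2, 5, 5, T0 + timedelta(minutes=5))
)

if __name__ == "__main__":
    for rec in filter_by_name(parse_usn_journal(SAMPLE_J), "report.docx"):
        print(tsv_row(rec, newline_reasons=False))
```

Resynchronising on the next 8-byte boundary after a malformed header mirrors the fact that NTFS pads every record to an 8-byte multiple; the null-region skip searches for the first non-null byte and rounds down to that boundary, which is what makes the sparse-skip option a time saver rather than a correctness change.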
It's important to bear in mind that '$UsnJrnl·$J' files on Windows systems starting with Vista are likely to contain several hundred thousand records; these can take substantial time to process, especially if the user has taken the option to resolve parent entries. Unless the examiner is absolutely certain of the entries he/she needs to examine, the best option is to process each '$UsnJrnl·$J' file in its entirety and then filter the TSV output file using a spreadsheet or database program.
Note that there is a limit of 1,048,576 rows in Excel 2010 and Excel 2013, so the examiner is probably better off importing the data into a database application such as MS Access or SQLite Expert Professional and examining it there. Note that the former supports double-quoted text fields; the latter does not.