Python script to parse the NTFS USN Change Journal
The NTFS USN Change journal is a volume-specific log which records metadata changes to files. It is a treasure trove of information during a forensic investigation. The change journal is a named alternate data stream, located at: $Extend\$UsnJrnl:$J. usn.py is a script written in Python which parses the journal's contents, and features several different output formats.
With no command-line options set, usn.py will produce USN journal records in the format below:
dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt dev@computer:$ cat /tmp/usn.txt 2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE | DATA_OVERWRITE DATA_EXTEND
optional arguments: -h, --help show this help message and exit -b, --body Return USN records in comma-separated format -c, --csv Return USN records in comma-separated format -f FILE, --file FILE Parse the given USN journal file -q, --quick Parse a large journal file quickly -s SYSTEM, --system SYSTEM System name (use with -t) -t, --tln TLN output (use with -s) -v, --verbose Return all USN properties for each record (JSON)
--csv
Using the CSV flag will, as expected, provide results in CSV format. Using the --csv / -c option provides the same USN fields as default output:
- Timestamp
- Filename
- File attributes
- Reason
An example of what this looks like is below:
dev@computer:~$python usn.py --csv -f usnjournal -o /tmp/usn.txt dev@computer:~$ cat /tmp/usn.txt timestamp,filename,fileattr,reason 2015-10-09 21:37:58.836242,A75BFDE52F3DD8E6.dat,ARCHIVE NOT_CONTENT_INDEXED,DATA_EXTEND FILE_CREATE
--body
Using the --body / -b command-line flag, the script will output in mactime body format:
dev@computer:~$ python usn.py -f usnjournal --body 0|schedule log.xml (USN: DATA_EXTEND DATA_TRUNCATION CLOSE)|24603-1|0|0|0|0|1491238176|1491238176|1491238176|1491238176
--tln / -t
Using the --tln / -t command-line flag, the script will output in TLN body format:
dev@computer:~$ python usn.py -f usnjournal --tln 1491238176|USN|||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE
Add the --system / -s flag to specify a system name with TLN output:
dev@computer:~$ python usn.py -f usnjournal --tln --system ThisIsASystemName 1491238176|USN|ThisIsASystemName||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE
--verbose
Return all USN members for each record with the --verbose / -v flag. The results are JSON-formatted.
dev@computer:~$python usn.py --verbose -f usnjournal -o /tmp/usn.txt dev@computer:~$cat /tmp/usn.txt { "majorVersion": 2, "minorVersion": 0, "fileReferenceNumber": 281474976744952, "parentFileReferenceNumber": 844424930165539, "usn": 47265504, "timestamp": 1467312724, "reason": "SECURITY_CHANGE", "sourceInfo": 0, "securityId": 0, "fileAttributes": "HIDDEN SYSTEM ARCHIVE", "filenameLength": 22, "filenameOffset": 60, "filename": "493fde4.rbf", "humanTimestamp": "2016-06-30 18:52:04.456762", "epochTimestamp": 1467312724, "mftSeqNumber": 1, "mftEntryNumber": 34296, "pMftSeqNumber": 3, "pMftEntryNumber": 33571 }
Using setup.py:
python setup.py install
Using pip:
pip install usnparser
Travis-CI |
---|