USN-Journal-Parser

The NTFS USN Change journal is a specific log for each volume that records changes in metadata related to files.

It serves as a treasure trove of valuable information during a forensic investigation.

The change journal is a specific type of alternate data stream, located at: $Extend$UsnJrnl:$J. The script usn.py, written in Python, is designed to parse the contents of this journal and offers several output formats. Default Output When no command-line options are specified, usn.py will generate USN journal records in the format shown below: dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt dev@computer:$ cat /tmp/usn.txt 2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE | DATA_OVERWRITE DATA_EXTEND Command-Line Options optional arguments: -h, --help Show this help message and exit -b, --body Return USN records in comma-separated format -c, --csv Return USN records in comma-separated format -f FILE, --file FILE Parse the specified USN journal file -q, --quick Quickly parse a large journal file -s SYSTEM, --system SYSTEM Specify system name (use with -t) -t, --tln Output TLN (use with -s) -v, --verbose Return all USN properties for each record in JSON format --csv Using the CSV format