Metadata-Version: 2.4
Name: usnparser
Version: 4.1.5
Summary: A Python script to parse the NTFS USN journal
Home-page: https://github.com/PoorBillionaire/USN-Journal-Parser
Author: Adam Witt
Author-email: accidentalassist@gmail.com
License: Apache Software License
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Information Technology
Classifier: Topic :: Security
Classifier: License :: OSI Approved :: Apache Software License
Requires-Python: >=3
Dynamic: author
Dynamic: author-email
Dynamic: classifier
Dynamic: description
Dynamic: home-page
Dynamic: license
Dynamic: requires-python
Dynamic: summary

USN-Journal-Parser
====================      
Python script to parse the NTFS USN Change Journal

Description
-------------
The NTFS USN Change journal is a volume-specific log  which records metadata changes to files. It is a treasure trove of information during a forensic investigation. The change journal is a named alternate data stream, located at: $Extend\\$UsnJrnl:$J. usn.py is a script written in Python which parses the journal's contents, and features several different output formats.

Default Output
----------------
With no command-line options set, usn.py will produce USN journal records in the format below:

::

    dev@computer:$ python usn.py -f usnjournal -o /tmp/usn.txt
    dev@computer:$ cat /tmp/usn.txt

    2016-01-26 18:56:20.046268 | test.vbs | ARCHIVE  | DATA_OVERWRITE DATA_EXTEND 

Command-Line Options
-----------------------

::

    optional arguments:
      -h, --help            show this help message and exit
      -b, --body            Return USN records in comma-separated format
      -c, --csv             Return USN records in comma-separated format
      -f FILE, --file FILE  Parse the given USN journal file
      -q, --quick           Parse a large journal file quickly
      -s SYSTEM, --system SYSTEM
                            System name (use with -t)
      -t, --tln             TLN output (use with -s)
      -v, --verbose         Return all USN properties for each record (JSON)

**--csv**

Using the CSV flag will, as expected, provide results in CSV format. Using the --csv / -c option provides the same USN fields as default output:

* Timestamp
* Filename
* File attributes
* Reason

An example of what this looks like is below:

::

    dev@computer:~$python usn.py --csv -f usnjournal -o /tmp/usn.txt
    dev@computer:~$ cat /tmp/usn.txt

    timestamp,filename,fileattr,reason
    2015-10-09 21:37:58.836242,A75BFDE52F3DD8E6.dat,ARCHIVE NOT_CONTENT_INDEXED,DATA_EXTEND FILE_CREATE

**--body**

Using the --body / -b command-line flag, the script will output in mactime body format:

::

    dev@computer:~$ python usn.py -f usnjournal --body

    0|schedule log.xml (USN: DATA_EXTEND DATA_TRUNCATION CLOSE)|24603-1|0|0|0|0|1491238176|1491238176|1491238176|1491238176

**--tln / -t**

Using the --tln / -t command-line flag, the script will output in TLN body format:

::

    dev@computer:~$ python usn.py -f usnjournal --tln

    1491238176|USN|||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE


Add the --system / -s flag to specify a system name with TLN output:

::

    dev@computer:~$ python usn.py -f usnjournal --tln --system ThisIsASystemName

    1491238176|USN|ThisIsASystemName||schedule log.xml:DATA_EXTEND DATA_TRUNCATION CLOSE

**--verbose**

Return all USN members for each record with the --verbose / -v flag. The results are JSON-formatted.

::

    dev@computer:~$python usn.py --verbose -f usnjournal -o /tmp/usn.txt
    dev@computer:~$cat /tmp/usn.txt

    {
        "majorVersion": 2,
        "minorVersion": 0,
        "fileReferenceNumber": 281474976744952,
        "parentFileReferenceNumber": 844424930165539,
        "usn": 47265504,
        "timestamp": 1467312724,
        "reason": "SECURITY_CHANGE",
        "sourceInfo": 0,
        "securityId": 0,
        "fileAttributes": "HIDDEN SYSTEM ARCHIVE",
        "filenameLength": 22,
        "filenameOffset": 60,
        "filename": "493fde4.rbf",
        "humanTimestamp": "2016-06-30 18:52:04.456762",
        "epochTimestamp": 1467312724,
        "mftSeqNumber": 1,
        "mftEntryNumber": 34296,
        "pMftSeqNumber": 3,
        "pMftEntryNumber": 33571
    }

Installation
--------------
Using setup.py:

::
    
    python setup.py install
    
Using pip:

::
    
    pip install usnparser

+----------------------------------------------------------------------------------------+
| Travis-CI                                                                              |
+========================================================================================+
|  .. image:: https://travis-ci.org/PoorBillionaire/USN-Journal-Parser.svg?branch=master |
|   :target: https://travis-ci.org/PoorBillionaire/USN-Journal-Parser                    |
+----------------------------------------------------------------------------------------+

