I wrote a Python parser for the $USNJRNL $J NTFS transaction log. This is
similar to the EnScript provided by Lance Mueller
( http://
I wrote it because I could not use Mueller's script on my system. I was parsing a 7.4 GB journal file in EnCase 6.14 running on Win XP 64 bit with 8GB RAM. The old version of the script caused 'out of memory' errors and the newer version just crashed EnCase. It has worked fine in the past. Since I use Python, I wrote my own parser rather than use more time to try to troubleshoot the EnCase problem.
I have tested the script against three sample files with success. The tests were conducted on Windows XP Pro 64-bit using ActiveState Python 2.6 and Ubuntu 8.04 LTS with Python 2.6.2.
If this might be useful to you, please test and provide me any feedback.
Thanks,
_Seth
DOWNLOAD http://
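For readers who want to see what such a parser has to do, here is an added example (not Seth's script and not Mueller's EnScript) that walks USN_RECORD_V2 entries from a $UsnJrnl:$J stream, stepping over the zero-filled gaps and 8-byte alignment padding the sparse stream contains. The sample bytes, the build_record helper and the resync-by-8-bytes strategy for a bad header are constructed assumptions for the demo, not part of the original post.

```python
import struct
from datetime import datetime, timedelta

# Fixed part of USN_RECORD_V2 (60 bytes, little-endian); the file name follows it.
HDR = struct.Struct("<IHHQQQQIIIIHH")
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> naive datetime."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)

def reason_names(reason):
    return [n for bit, n in sorted(REASONS.items()) if reason & bit]

def build_record(frn, parent, usn, ft, reason, name):
    """Constructed test data only: serialise one USN_RECORD_V2, padded to 8 bytes."""
    enc = name.encode("utf-16-le")
    length = (HDR.size + len(enc) + 7) & ~7
    hdr = HDR.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(enc), HDR.size)
    return (hdr + enc).ljust(length, b"\x00")

def parse_usn_v2(buf):
    """Yield one dict per record, walking 8-byte aligned offsets and skipping the
    zero-filled runs that sit between valid records in the sparse $J stream."""
    off, n = 0, len(buf)
    while off + HDR.size <= n:
        if buf[off:off + 8] == b"\x00" * 8:
            off += 8                      # padding or sparse gap, not a record
            continue
        f = HDR.unpack_from(buf, off)
        length, major, name_len, name_off = f[0], f[1], f[11], f[12]
        if major != 2 or length < HDR.size or off + length > n:
            off += 8                      # assumed resync: realign and keep going
            continue
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        yield {"usn": f[5], "frn": f[3], "parent_frn": f[4],
               "time": filetime_to_dt(f[6]), "reason": reason_names(f[7]),
               "attrs": f[10], "name": name}
        off += (length + 7) & ~7          # records are 8-byte aligned

# Constructed sample stream: two records for one file, separated by a zero-filled gap.
SAMPLE = (build_record(0x10000000000ABC, 0x5000000000005, 0x1000, 132000000000000000,
                       0x100, "report.docx")
          + b"\x00" * 40
          + build_record(0x10000000000ABC, 0x5000000000005, 0x1080, 132000000050000000,
                         0x80000002, "report.docx"))

if __name__ == "__main__":
    for rec in parse_usn_v2(SAMPLE):
        print(rec["usn"], rec["time"], "|".join(rec["reason"]), rec["name"])
```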
Seth,
Thank you for posting your Python script to parse the $Usnjrnl file. However, I cannot seem to get it working. Would you provide an example of the command line that you used to run against the sample files? Any help would be greatly appreciated.
Thanks!
Gary
Python C:\Path_to_the_script\UsnJrnl.py -f U:\Path_to_your_extracted_or_mounted_USNJRNL•$J\USNJRNL•$ -o Output_file -c
Bit more at
Regards
Great, thank you dc1743 for posting the command. I left out the command "python" initially, but I am now able to parse about 50% of the Journal log entries.
thanks,
Gary