Parser script for NTFS Transaction log...

(@snazzaro), topic starter

I wrote a Python parser for the $USNJRNL:$J NTFS transaction log. This is similar to the EnScript provided by Lance Mueller ( http://www.forensickb.com/2008/09/enscript-to-parse-usnjrnl.html ).

I wrote it because I could not use Mueller's script on my system. I was parsing a 7.4 GB journal file in EnCase 6.14 running on Win XP 64 bit with 8GB RAM. The old version of the script caused 'out of memory' errors and the newer version just crashed EnCase. It has worked fine in the past. Since I use Python, I wrote my own parser rather than use more time to try to troubleshoot the EnCase problem.

I have tested the script against three sample files with success. The tests were conducted on Windows XP Pro 64-bit using ActiveState Python 2.6 and Ubuntu 8.04 LTS with Python 2.6.2.

If this might be useful to you, please test and provide me any feedback.

Thanks,

_Seth

DOWNLOAD http://code.google.com/p/parser-usnjrnl/downloads/list

 
Posted : 10/12/2009 12:08 am
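For readers who want to see what such a parser has to do, here is an added example (written for this page, not Seth's script and not Lance Mueller's EnScript) that walks an extracted $UsnJrnl:$J stream and decodes each USN_RECORD_V2. It assumes the record layout documented by Microsoft for USN_RECORD_V2 (60-byte fixed header followed by a UTF-16LE file name, padded to 8 bytes) and the USN_REASON_* bit values from winioctl.h; the sample bytes at the bottom are constructed here so the code runs offline. It is Python 3, unlike the 2.6 script in the thread.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed part (60 bytes, little-endian), per Microsoft's documentation:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset; the UTF-16LE file name follows at FileNameOffset.
USN_V2_HEADER = struct.Struct("<IHHQQQqIIIIHH")
USN_V2_HEADER_SIZE = USN_V2_HEADER.size  # 60
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

REASON_FLAGS = {  # USN_REASON_* bits from winioctl.h
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
FIELDS = ["usn", "timestamp", "mft_entry", "mft_seq", "parent_entry", "parent_seq",
          "reasons", "file_attributes", "filename"]


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def split_frn(frn):
    """NTFS file reference: low 48 bits = MFT entry number, high 16 bits = sequence number."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48


def parse_usn_records(buf):
    """Yield one dict per plausible USN_RECORD_V2 in buf (bytes or a read-only mmap).

    $J is a sparse stream, so it normally begins with a long run of zeros, and an
    extracted copy may also contain slack or damaged bytes. Zero runs are skipped in
    8-byte steps (records are 8-byte aligned); a header that fails the sanity checks
    is stepped over 8 bytes at a time until a plausible record is found again.
    """
    pos, end = 0, len(buf)
    while pos + USN_V2_HEADER_SIZE <= end:
        if buf[pos:pos + 8] == b"\x00" * 8:
            chunk = buf[pos:pos + 65536]
            zeros = len(chunk) - len(chunk.lstrip(b"\x00"))
            pos += zeros - zeros % 8          # at least 8, since the first 8 bytes were zero
            continue
        (rec_len, major, minor, frn, parent_frn, usn, ts, reason,
         _source, _sec_id, attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, pos)
        plausible = (USN_V2_HEADER_SIZE <= rec_len <= end - pos and rec_len % 8 == 0
                     and (major, minor) == (2, 0)
                     and name_off == USN_V2_HEADER_SIZE
                     and name_len % 2 == 0 and name_off + name_len <= rec_len)
        if not plausible:
            pos += 8                          # resynchronise instead of aborting the run
            continue
        name = bytes(buf[pos + name_off:pos + name_off + name_len]).decode("utf-16-le", "replace")
        entry, seq = split_frn(frn)
        p_entry, p_seq = split_frn(parent_frn)
        yield {"usn": usn, "timestamp": filetime_to_datetime(ts),
               "mft_entry": entry, "mft_seq": seq, "parent_entry": p_entry, "parent_seq": p_seq,
               "reasons": "|".join(n for bit, n in REASON_FLAGS.items() if reason & bit),
               "file_attributes": hex(attrs), "filename": name}
        pos += rec_len


def build_usn_record(frn, parent_frn, usn, filetime, reason, attrs, name):
    """Assemble a USN_RECORD_V2. Used only to construct offline test data for the parser."""
    name_bytes = name.encode("utf-16-le")
    length = USN_V2_HEADER_SIZE + len(name_bytes)
    length += -length % 8                    # pad to an 8-byte boundary, as NTFS does
    header = USN_V2_HEADER.pack(length, 2, 0, frn, parent_frn, usn, filetime,
                                reason, 0, 0, attrs, len(name_bytes), USN_V2_HEADER_SIZE)
    return (header + name_bytes).ljust(length, b"\x00")


# Constructed sample: leading sparse zeros, a create+close record (88 bytes), 8 junk bytes,
# then a rename record. Values are invented for illustration, not taken from a real volume.
FT_2009_12_10 = 129048772800000000   # FILETIME for 2009-12-10 00:08:00 UTC
FRN_FILE = (5 << 48) | 1234          # MFT entry 1234, sequence number 5
FRN_ROOT = (1 << 48) | 5             # MFT entry 5 is the volume root directory
SAMPLE_J = (
    b"\x00" * 24
    + build_usn_record(FRN_FILE, FRN_ROOT, 0x1000, FT_2009_12_10, 0x80000100, 0x20, "report.docx")
    + b"\xde\xad\xbe\xef" * 2
    + build_usn_record(FRN_FILE, FRN_ROOT, 0x1058, FT_2009_12_10 + 10_000_000,
                       0x80002000, 0x20, "report-final.docx")
)

if __name__ == "__main__":
    import argparse, csv, mmap, sys
    ap = argparse.ArgumentParser(description="Dump USN_RECORD_V2 entries from an extracted $J to CSV")
    ap.add_argument("-f", "--file", required=True, help="extracted $UsnJrnl:$J stream")
    ap.add_argument("-o", "--output", default="-", help="CSV output path (default: stdout)")
    args = ap.parse_args()
    with open(args.file, "rb") as fh:
        data = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)   # multi-GB $J stays on disk
        out = sys.stdout if args.output == "-" else open(args.output, "w", newline="")
        writer = csv.DictWriter(out, fieldnames=FIELDS)
        writer.writeheader()
        for rec in parse_usn_records(data):
            writer.writerow(rec)
```

Run it as `python usnjrnl_example.py -f J -o usn.csv` on the $J stream exported from the image. Two points matter in practice: the version check is deliberate, because Windows 8 and later also write USN_RECORD_V3 (128-bit file references) and later V4 records, which this V2-only code would otherwise misread rather than reject; and the resynchronisation step is what keeps a multi-gigabyte parse going past a damaged or unexpected region instead of stopping at the first bad header.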
(@gcribbs)

Seth,

Thank you for posting your Python script to parse the $Usnjrnl file. However, I cannot seem to get it working. Would you provide an example of the command line that you used to run against the sample files? Any help would be greatly appreciated.

Thanks!
Gary

 
Posted : 05/07/2010 7:02 pm
(@dc1743)

Python C:\Path_to_the_script\UsnJrnl.py -f U:\Path_to_your_extracted_or_mounted_USNJRNL•$J\USNJRNL•$ -o Output_file -c
A bit more at Forensics from the sausage factory

Regards

 
Posted : 26/07/2010 9:35 pm
(@gcribbs)
 

Great, thank you dc1743 for posting the command. I left out the command "python" initially, but I am now able to parse about 50% of the Journal log entries.

thanks,
Gary

 
Posted : 26/07/2010 10:03 pm