It's not exactly current, 1999!, but this should help you
http//
Rich
thanks for the link, Rich2005…
i red that a way to convert the ParentFileReferenceNumber to a Path does not exist… the same for FRN…
so, are they useless? How can I use those?
I think ParentFileReferenceNumber is a essentially foreign key within this structure meaning that the path isn't going to be found within this usnjrnl file. I think from a quick look it may be found in the MFT as the first 8 bytes of the FileName attribute. So you'd probably have to parse the MFT in conjunction with the USNJRNL to resolve these paths. However i'm also wondering even if you did this, would this result in misleading info (ie would the path you parsed be the current location of the file - which may have changed since the particular USNJRNL record you're looking at parsing was created).
Would need to look into it a lot more I think.
Just found a blog with someone trying to do similar by the look of it in case it's of use
http//
well.. i have to look well, but it seems to use a function like "Createnewfile" for every directory level from C… it's possible, but i have to verify if this operations is appropiate.. cause for forensics analisys it could be bad!
however i would like to find the USN number in the MFT $STANDARD_INFORMATION attribute, just for compare the two files… but i found that in MFT entries Logfile sequence number (LSN) and USN are 0… Carrier said that these two values are in version 3.0+… maybe MFT is, like usn, only at version 2.0 ?
if this supposition is right, does another way to "match" the two files exist?
Hi, i'm replying just for say, because someone was interested in, that my Change Journal Parser is online and avaiable for download.
i just opened a thread in Forensics Software forum, here is direct link to the discussion.
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=8568
Thanks
Thanks HodboH, good work. I'll give it a whirl when I get a chance.