USN Analytics is a tool that specializes in USN Journal ($UsnJrnl:$J) analysis.
Feature
USN Analytics is not just a parser; it also has the following functions:
- It links related records by file ID and gathers them into one record.
- It checks the parent ID of each USN record, reconstructs the path and adds that information to the record.
- It presents a rename or move operation as a single record.
- It builds a program execution history from prefetch file creation/modification.
- It builds a file open history from LNK and ObjectID creation/modification.
- It builds a list of potential indicators based on unusual extensions and file names.
Usage
> usn_analytics [-ru] -o output input
USN Analytics expects the input file to be data carved by the bulk_extractor-rec ntfsusn scanner, but it works with any file containing USN records.
With the -r option it works as a pure parser.
When the -u option is specified, USN Analytics treats timestamps as UTC (default: local time).
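To make the feature list and the -u timestamp option concrete, here is an added Python example that is not part of USN Analytics itself: it walks a buffer of USN_RECORD_V2 structures (tolerating junk gaps as carved output may contain), groups records by file reference number, rebuilds paths by chasing parent references, collapses a rename into one entry, and derives execution and file-open history from prefetch and LNK/ObjectID activity. The sample journal, file reference numbers, names and timestamps are constructed for the demonstration; the structure layout and USN_REASON_* values are the documented winioctl.h ones.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed 60-byte USN_RECORD_V2 header (winioctl.h), little-endian: RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset
USN_RECORD_V2 = struct.Struct("<IHHQQqqIIIIHH")

REASON_FILE_CREATE = 0x00000100      # subset of USN_REASON_* flags used below
REASON_RENAME_OLD_NAME = 0x00001000
REASON_RENAME_NEW_NAME = 0x00002000
REASON_OBJECT_ID_CHANGE = 0x00080000
REASON_CLOSE = 0x80000000
ATTR_DIRECTORY = 0x10
ROOT_RECORD_NUMBER = 5               # MFT entry 5 is the volume root directory


def filetime_to_datetime(ft, utc=True):
    """FILETIME (100 ns ticks since 1601-01-01) -> aware datetime; utc=False gives local time."""
    dt = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    return dt if utc else dt.astimezone()


def parse_records(buf):
    """Walk (possibly carved) USN_RECORD_V2 data, resyncing over junk between hits."""
    records, off = [], 0
    while off + USN_RECORD_V2.size <= len(buf):
        (length, major, _minor, frn, parent, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = USN_RECORD_V2.unpack_from(buf, off)
        # Implausible header: advance to the next 8-byte boundary and keep scanning
        if (major != 2 or length < USN_RECORD_V2.size or length % 8
                or name_off != USN_RECORD_V2.size or name_off + name_len > length
                or off + length > len(buf)):
            off += 8
            continue
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        records.append({"frn": frn, "parent": parent, "usn": usn, "ts": ts,
                        "reason": reason, "attrs": attrs, "name": name})
        off += length
    return records


def build_paths(records):
    """Resolve each file reference to a full path by chasing parent references."""
    latest = {}  # frn -> (name, parent frn); later records win, so renames are reflected
    for r in records:
        latest[r["frn"]] = (r["name"], r["parent"])

    def resolve(frn, depth=0):
        if frn & 0xFFFFFFFFFFFF == ROOT_RECORD_NUMBER:  # low 48 bits = MFT record number
            return ""
        if frn not in latest or depth > 64:             # parent record absent from the data
            return "<unknown>"
        name, parent = latest[frn]
        return resolve(parent, depth + 1) + "\\" + name

    return {frn: resolve(frn) for frn in latest}


def merge_records(records, paths):
    """Gather every record of one file reference into a single summary entry."""
    groups = defaultdict(list)
    for r in records:
        groups[r["frn"]].append(r)
    merged = []
    for frn, rs in groups.items():
        rs.sort(key=lambda r: r["usn"])
        reasons = 0
        for r in rs:
            reasons |= r["reason"]
        old_names = [r["name"] for r in rs if r["reason"] & REASON_RENAME_OLD_NAME]
        merged.append({"frn": frn, "path": paths[frn], "reasons": reasons,
                       "first": filetime_to_datetime(rs[0]["ts"]),
                       "last": filetime_to_datetime(rs[-1]["ts"]),
                       "renamed_from": old_names[0] if old_names else None,
                       "records": len(rs)})
    return merged


def execution_history(merged):
    """Prefetch file creation is evidence that the named program ran."""
    return [m for m in merged
            if m["path"].lower().endswith(".pf") and m["reasons"] & REASON_FILE_CREATE]


def file_open_history(merged):
    """LNK activity or an ObjectID assignment indicates a file was opened."""
    return [m for m in merged
            if m["path"].lower().endswith(".lnk") or m["reasons"] & REASON_OBJECT_ID_CHANGE]


# ---- constructed sample journal (not real evidence) ----
def build_record(frn, parent, usn, ft, reason, attrs, name):
    name_bytes = name.encode("utf-16-le")
    length = (USN_RECORD_V2.size + len(name_bytes) + 7) & ~7  # records are 8-byte aligned
    hdr = USN_RECORD_V2.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0,
                             attrs, len(name_bytes), USN_RECORD_V2.size)
    return hdr + name_bytes + b"\0" * (length - len(hdr) - len(name_bytes))


T0 = 131613120000000000  # FILETIME for 2018-01-25 00:00:00 UTC
SEC = 10_000_000         # one second in FILETIME ticks
ROOT, WIN, PFDIR = (5 << 48) | 5, (1 << 48) | 100, (1 << 48) | 101   # sequence<<48 | record
PF, LNK = (2 << 48) | 102, (1 << 48) | 103
SAMPLE = (
    build_record(WIN, ROOT, 0, T0, REASON_FILE_CREATE | REASON_CLOSE, ATTR_DIRECTORY, "Windows")
    + build_record(PFDIR, WIN, 96, T0 + SEC, REASON_FILE_CREATE | REASON_CLOSE, ATTR_DIRECTORY, "Prefetch")
    + build_record(PF, PFDIR, 192, T0 + 2 * SEC, REASON_FILE_CREATE, 0x20, "NOTEPAD.EXE-12345678.pf")
    + build_record(PF, PFDIR, 288, T0 + 3 * SEC, REASON_FILE_CREATE | REASON_CLOSE, 0x20, "NOTEPAD.EXE-12345678.pf")
    + b"\0" * 16  # junk gap of the kind carved output may contain
    + build_record(LNK, ROOT, 384, T0 + 4 * SEC, REASON_FILE_CREATE | REASON_CLOSE, 0x20, "draft.lnk")
    + build_record(LNK, ROOT, 480, T0 + 5 * SEC, REASON_RENAME_OLD_NAME, 0x20, "draft.lnk")
    + build_record(LNK, ROOT, 576, T0 + 6 * SEC, REASON_RENAME_NEW_NAME | REASON_CLOSE, 0x20, "report.docx.lnk")
)


def analyze(buf):
    records = parse_records(buf)
    merged = merge_records(records, build_paths(records))
    return {"records": records, "merged": merged,
            "executions": execution_history(merged), "opens": file_open_history(merged)}


if __name__ == "__main__":
    for m in analyze(SAMPLE)["merged"]:
        print(f'{m["first"].isoformat()}  {m["path"]}  records={m["records"]}'
              + (f'  renamed_from={m["renamed_from"]}' if m["renamed_from"] else ""))
```

Two caveats the example makes visible: a path resolves only as far as the carved data contains the parent directory's own record (otherwise it is reported as `<unknown>`), and the name chosen for a file reference is the one from its latest record, which is what turns the old-name/new-name pair of a rename into a single entry with `renamed_from` set.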
Download
These binaries are x64.
Windows: usn_analytics_v.201801_exe.zip
(SHA-256: 06a83569dd861d2e65494b11c8fb9d36b68a00bf2c6e1d88f0df3c0ce55be349)
Linux: usn_analytics_v.201801_elf.zip
(SHA-256: d7023daa43db672b92ff4babdaf06cd3e4b5eb44d1a5d733b335c3b564bea251)
macOS: usn_analytics_v.201801_mach.zip
(SHA-256: 387cfde3ecfce29646d90507494f5a4946d3818f9da98f681db869c5e4279fbb)
Source code is available on GitHub.
https://github.com/4n6ist/usn_analytics
License
Apache License 2.0
History
2018/01/25
USN Analytics v.201801 released.