[sleuthkit-developers] Update Sequence Number Journal support
From: noxdafox <nox...@gm...> - 2016-06-28 16:49:20
Greetings,

recently I've been playing around with NTFS Update Sequence Number Journals, which I find a fairly good instrument for extracting timelines from NTFS drives. I have been writing a few parsers for it, the last one being written in C. I was thinking about porting it to sleuthkit. Do you think it would be beneficial for the library? The idea would be to expose a visitor API (in a similar fashion to tsk_fs_dir_walk) and then a command line tool built on top of it.

More info about UsnJrnl files: https://msdn.microsoft.com/en-us/library/windows/desktop/aa365722%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#
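The visitor-style walk proposed in the message above, as an added example (not the poster's parser and not Sleuth Kit code): it iterates over a buffer of USN_RECORD_V2 entries and validates every on-disk length before handing a record to the callback. The names `usn_walk`, `usn_rec`, `usn_walk_cb`, `usn_put` and `usn_demo` are hypothetical, the sample records are constructed, and skipping zero fill in 8-byte steps is an assumption about how gaps between records are handled.

```c
#include <stdint.h>
#include <string.h>
#define USN_V2_MIN 60  /* fixed part of USN_RECORD_V2; the UTF-16LE name follows */
typedef struct {
    uint64_t file_ref, parent_ref, usn, timestamp; uint32_t reason;  /* timestamp: FILETIME */
    const uint8_t *name; uint16_t name_len;  /* UTF-16LE, name_len bytes, not NUL-terminated */
} usn_rec;
typedef int (*usn_walk_cb)(const usn_rec *rec, void *ptr);  /* hypothetical; non-zero stops */
static uint64_t le(const uint8_t *p, int n) {  /* little-endian read of n bytes */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Returns the number of records visited, or -1 on a malformed record. */
int usn_walk(const uint8_t *buf, size_t len, usn_walk_cb cb, void *ptr) {
    int count = 0;
    for (size_t off = 0; off + USN_V2_MIN <= len; ) {
        const uint8_t *p = buf + off;
        uint32_t rlen = le(p, 4), nlen = le(p + 56, 2), noff = le(p + 58, 2);
        if (rlen == 0) { off += 8; continue; }  /* zero fill between records */
        if (le(p + 4, 2) != 2 || rlen < USN_V2_MIN || rlen % 8 || rlen > len - off ||
            noff < USN_V2_MIN || noff + nlen > rlen) return -1;  /* untrusted lengths */
        usn_rec r = { le(p + 8, 8), le(p + 16, 8), le(p + 24, 8), le(p + 32, 8),
                      (uint32_t)le(p + 40, 4), p + noff, (uint16_t)nlen };
        count++;
        if (cb(&r, ptr)) break;
        off += rlen;
    }
    return count;
}

/* Constructed test data: writes one V2 record with single-byte field values. */
static size_t usn_put(uint8_t *o, uint8_t usn, uint8_t reason, const char *ascii) {
    size_t n = strlen(ascii), rl = (USN_V2_MIN + 2 * n + 7) & ~(size_t)7;
    o[0] = rl; o[4] = 2; o[24] = usn; o[40] = reason; o[56] = 2 * n; o[58] = USN_V2_MIN;
    for (size_t i = 0; i < n; i++) o[60 + 2 * i] = (uint8_t)ascii[i];
    return rl;
}
static int or_reason(const usn_rec *r, void *ptr) { *(uint32_t *)ptr |= r->reason; return 0; }
/* Walks two constructed records split by zero fill; *reasons must start at 0. */
int usn_demo(uint32_t *reasons, int corrupt) {
    uint8_t buf[256] = {0};
    size_t off = usn_put(buf, 1, 0x01, "a.txt") + 16;  /* 16 bytes of zero fill */
    off += usn_put(buf + off, 2, 0x02, "b.txt");
    if (corrupt) buf[56] = 0xFF;  /* name length now overruns its record */
    return usn_walk(buf, off, or_reason, reasons);
}
int main(void) { uint32_t r = 0; return usn_demo(&r, 0) == 2 ? 0 : 1; }
```

The bounds checks matter because the journal comes from an untrusted disk image: a forged `RecordLength` or `FileNameOffset` must end the walk with an error rather than move the read pointer outside the buffer.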