Re: [sleuthkit-developers] Update Sequence Number Journal support
From: noxdafox <nox...@gm...> - 2016-06-28 17:12:15
There are a few open source and commercial solutions which rely on NTFS internals in order to retrieve data useful to build timelines of events.

My point is that sleuthkit is missing such a capability and I was wondering if the community would be interested in such a feature. I'd rather ask than come with a pull request out of the blue :)

On 28/06/16 20:06, Jon Stewart wrote:
> My company released NTFS-Linker last year, which links with libtsk and Joachim Metz's libvshadow to parse $UsnJrnl and $LogFile entries on all volume shadow copies and the current state of the volume and organizes them into a unified timeline in a sqlite database.
>
> More information is here: http://strozfriedberg.github.io/ntfs-linker/
>
> Cheers,
>
> Jon
>
>> -----Original Message-----
>> From: noxdafox [mailto:nox...@gm...]
>> Sent: Tuesday, June 28, 2016 12:49 PM
>> To: sle...@li...
>> Subject: [sleuthkit-developers] Update Sequence Number Journal support
>>
>> Greetings,
>>
>> recently I've been playing around with NTFS Update Sequence Number Journals which I find a fairly good instrument for extracting timelines from NTFS drives.
>>
>> I have been writing a few parsers for it, the last one being written in C.
>>
>> I was thinking about porting it to sleuthkit. Do you think it would be beneficial for the library?
>>
>> The idea would be to expose a visitor API (in similar fashion as for tsk_fs_dir_walk) and then a command line tool built on top of it.
>>
>> More info about UsnJrnl files:
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa365722%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#
>>
>> _______________________________________________
>> sleuthkit-developers mailing list
>> sle...@li...
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
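To make the proposal concrete, here is an added example of the kind of visitor API the original message sketches: a minimal walker over a `$UsnJrnl:$J` buffer that decodes `USN_RECORD_V2` records and hands each one to a callback, in the spirit of `tsk_fs_dir_walk`. This is not code from The Sleuth Kit, from NTFS-Linker, or from the poster's parser; the type and function names (`usn_record_t`, `usn_walk`, `usn_parse_v2`, `usn_demo`) are invented for the example, and the two journal records it walks are constructed in `usn_demo`, not read from a real volume. Field offsets follow the documented V2 record layout (60-byte fixed header, 8-byte-aligned `RecordLength`, UTF-16LE name at `FileNameOffset`). Two things a real timeline tool has to cope with are shown: the `$J` stream is sparse, so the walker skips zero runs and resyncs on 8-byte alignment, and a record whose declared length runs past the buffer is rejected rather than read out of bounds. Only major version 2 is accepted; the V3 format with 128-bit file references would need its own parser.

```c
/* Added example, not TSK or NTFS-Linker code: a minimal $UsnJrnl:$J walker with a visitor
 * callback. Offsets follow the documented USN_RECORD_V2 layout; sample records are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USN_V2_HDR_LEN 60u                 /* fixed header; the name starts at FileNameOffset */
#define USN_REASON_FILE_CREATE     0x00000100u
#define USN_REASON_RENAME_NEW_NAME 0x00002000u
#define USN_REASON_CLOSE           0x80000000u

typedef struct {
    uint64_t file_ref, parent_ref;   /* MFT entry number (low 48 bits) + sequence number (high 16) */
    uint64_t usn;                    /* the record's byte offset within $J */
    uint64_t filetime;               /* 100 ns ticks since 1601-01-01 UTC */
    uint32_t reason, attributes;
    char     name[256];              /* file name; ASCII subset of the UTF-16LE field */
} usn_record_t;
/* Visitor in the spirit of tsk_fs_dir_walk: return non-zero to stop the walk. */
typedef int (*usn_visitor_t)(const usn_record_t *rec, void *ctx);

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Parse one V2 record at buf[0..len). Returns RecordLength, or 0 if no valid record starts here. */
size_t usn_parse_v2(const uint8_t *buf, size_t len, usn_record_t *out)
{
    if (len < USN_V2_HDR_LEN) return 0;
    uint32_t rl = rd32(buf);
    if (rl < USN_V2_HDR_LEN || rl > len || (rl & 7u) != 0) return 0;   /* 8-byte aligned, inside buffer */
    if (rd16(buf + 4) != 2) return 0;                                   /* MajorVersion */
    uint16_t name_len = rd16(buf + 56), name_off = rd16(buf + 58);
    if ((name_len & 1u) || name_off < USN_V2_HDR_LEN || (size_t)name_off + name_len > rl) return 0;
    out->file_ref = rd64(buf + 8);  out->parent_ref = rd64(buf + 16);
    out->usn = rd64(buf + 24);      out->filetime = rd64(buf + 32);
    out->reason = rd32(buf + 40);   out->attributes = rd32(buf + 52);
    size_t n = name_len / 2; if (n >= sizeof out->name) n = sizeof out->name - 1;
    for (size_t i = 0; i < n; i++) {                                    /* non-ASCII code units become '?' */
        uint16_t c = rd16(buf + name_off + 2 * i); out->name[i] = (c > 0 && c < 0x80) ? (char)c : '?';
    }
    out->name[n] = '\0';
    return rl;
}

/* Walk a $J buffer. Zero runs (the sparse region before the first live record, padding) and
 * unparseable bytes are skipped 8 bytes at a time, which resyncs on record alignment. */
size_t usn_walk(const uint8_t *buf, size_t len, usn_visitor_t cb, void *ctx)
{
    size_t off = 0, count = 0; usn_record_t rec;
    while (off + USN_V2_HDR_LEN <= len) {
        size_t n = usn_parse_v2(buf + off, len - off, &rec);
        if (n == 0) { off += 8; continue; }
        count++;
        if (cb && cb(&rec, ctx)) break;
        off += n;
    }
    return count;
}

/* FILETIME to Unix seconds; the two epochs differ by 11644473600 s. */
int64_t usn_filetime_to_unix(uint64_t ft) { return (int64_t)(ft / 10000000u) - 11644473600LL; }

/* --- constructed sample data (not from a real volume) --- */
static size_t build_record(uint8_t *dst, uint64_t usn, uint64_t fref, uint64_t pref,
                           uint64_t ft, uint32_t reason, const char *name)
{
    size_t nlen = strlen(name) * 2, rl = (USN_V2_HDR_LEN + nlen + 7) & ~(size_t)7;
    memset(dst, 0, rl);
    wr32(dst, (uint32_t)rl); wr16(dst + 4, 2);                          /* RecordLength, MajorVersion */
    wr64(dst + 8, fref); wr64(dst + 16, pref); wr64(dst + 24, usn); wr64(dst + 32, ft);
    wr32(dst + 40, reason); wr32(dst + 52, 0x20u);                      /* Reason, FILE_ATTRIBUTE_ARCHIVE */
    wr16(dst + 56, (uint16_t)nlen); wr16(dst + 58, (uint16_t)USN_V2_HDR_LEN);
    for (size_t i = 0; name[i]; i++) wr16(dst + USN_V2_HDR_LEN + 2 * i, (uint8_t)name[i]);
    return rl;
}

uint8_t usn_demo_buf[256];
usn_record_t usn_demo_records[4];
static int collect(const usn_record_t *r, void *ctx)
{
    size_t *n = ctx;
    if (*n < 4) usn_demo_records[(*n)++] = *r;
    return 0;
}

/* Build a $J fragment (16 leading zero bytes stand in for the sparse area) and walk it. */
size_t usn_demo(void)
{
    const uint64_t t0 = 116444736000000000ULL + 1467133935ULL * 10000000ULL; /* 2016-06-28 17:12:15 UTC */
    size_t off = 16, seen = 0;
    memset(usn_demo_buf, 0, sizeof usn_demo_buf);
    off += build_record(usn_demo_buf + off, 4096, 0x0005000000001234ULL, 0x0001000000000005ULL, t0,
                        USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "report.docx");
    off += build_record(usn_demo_buf + off, 4184, 0x0005000000001234ULL, 0x0001000000000005ULL,
                        t0 + 30 * 10000000ULL, USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "report-final.docx");
    return usn_walk(usn_demo_buf, off, collect, &seen);
}

int main(void)
{
    size_t n = usn_demo();
    for (size_t i = 0; i < n; i++)
        printf("usn=%llu t=%lld reason=0x%08x %s\n", (unsigned long long)usn_demo_records[i].usn,
               (long long)usn_filetime_to_unix(usn_demo_records[i].filetime), usn_demo_records[i].reason, usn_demo_records[i].name);
    return 0;
}
```

A TSK port would read the `$J` data attribute of `$UsnJrnl` (MFT entry `$Extend\$UsnJrnl`) through `tsk_fs_file_read` and feed it to `usn_walk` in chunks, taking care that a record can straddle a chunk boundary; the `usn` field of each record equals its byte offset in the stream, so it doubles as a cursor for resuming. The visitor pattern keeps the command line tool trivial: it just formats `usn_filetime_to_unix(rec->filetime)`, the reason flags and the name into a timeline row.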