Re: [sleuthkit-developers] Update Sequence Number Journal support
From: Jon S. <JSt...@St...> - 2016-06-28 17:26:39
My company released NTFS-Linker last year, which links with libtsk and Joachim Metz's libvshadow to parse $UsnJrnl and $LogFile entries on all volume shadow copies and the current state of the volume and organizes them into a unified timeline in a SQLite database. More information is here: http://strozfriedberg.github.io/ntfs-linker/

Cheers,
Jon

> -----Original Message-----
> From: noxdafox [mailto:nox...@gm...]
> Sent: Tuesday, June 28, 2016 12:49 PM
> To: sle...@li...
> Subject: [sleuthkit-developers] Update Sequence Number Journal support
>
> Greetings,
>
> recently I've been playing around with NTFS Update Sequence Number Journals, which I find a fairly good instrument for extracting timelines from NTFS drives.
>
> I have been writing a few parsers for it, the last one being written in C.
>
> I was thinking about porting it to sleuthkit. Do you think it would be beneficial for the library?
>
> The idea would be to expose a visitor API (in a similar fashion to tsk_fs_dir_walk) and then a command line tool built on top of it.
>
> More info about UsnJrnl files:
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa365722%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#
>
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
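What the proposed tsk_fs_dir_walk-style visitor over $UsnJrnl would look like, as an added example written for this page; it is not code from sleuthkit, NTFS-Linker or noxdafox's parser, and the names usn_walk, usn_entry_t, usn_walk_cb and usn_build_v2 are hypothetical. It decodes the USN_RECORD_V2 layout from the linked MSDN page (RecordLength, Major/MinorVersion, the two 64-bit file reference numbers, Usn, FILETIME TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength/FileNameOffset, UTF-16LE FileName), splits the file references into MFT entry and sequence number, and skips 8 bytes at a time over the zero-filled sparse prefix of $J and over anything that fails the header checks rather than trusting a bad RecordLength. V3 records (128-bit file IDs) are not handled. The sample journal is constructed inline and is not real evidence.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
/* Reason bits from the Windows SDK USN_REASON_* set (only the ones used here). */
#define USN_REASON_FILE_CREATE 0x00000100u
#define USN_REASON_FILE_DELETE 0x00000200u
#define USN_REASON_CLOSE       0x80000000u
#define USN_V2_HEADER_LEN 60   /* fixed part of USN_RECORD_V2; FileName follows at FileNameOffset */

typedef struct {              /* hypothetical decoded-record type, not a TSK type */
    uint64_t usn;             /* Usn field: also the record's byte offset within $J */
    uint64_t mft_entry, parent_entry;  /* low 48 bits of the file reference numbers */
    uint16_t mft_seq, parent_seq;      /* high 16 bits: MFT entry sequence numbers */
    int64_t  unix_time;       /* TimeStamp (FILETIME) converted to Unix seconds */
    uint32_t reason, attributes;
    char     name[256];       /* FileName, UTF-16LE projected to ASCII ('?' for the rest) */
} usn_entry_t;

/* Visitor in the spirit of tsk_fs_dir_walk: return non-zero to stop the walk. */
typedef int (*usn_walk_cb)(const usn_entry_t *e, void *ctx);

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }
/* FILETIME counts 100 ns ticks since 1601-01-01; the Unix epoch is 11644473600 s later. */
static int64_t filetime_to_unix(uint64_t ft) { return (int64_t)(ft / 10000000ULL) - 11644473600LL; }

/* Walk raw $UsnJrnl:$J bytes and call cb for every sane USN_RECORD_V2. Zero-filled
 * (sparse) runs and records failing the header checks are skipped 8 bytes at a time,
 * since valid records are 8-byte aligned. Returns the number of records visited. */
int usn_walk(const uint8_t *buf, size_t len, usn_walk_cb cb, void *ctx) {
    size_t off = 0; int n = 0;
    while (off + USN_V2_HEADER_LEN <= len) {
        uint32_t reclen = rd32(buf + off);
        uint16_t nlen = rd16(buf + off + 56), noff = rd16(buf + off + 58);
        if (reclen < USN_V2_HEADER_LEN || (reclen & 7) || reclen > len - off ||
            rd16(buf + off + 4) != 2 || noff < USN_V2_HEADER_LEN ||
            (size_t)noff + nlen > reclen || (nlen & 1)) { off += 8; continue; }
        usn_entry_t e; memset(&e, 0, sizeof e);
        uint64_t fref = rd64(buf + off + 8), pref = rd64(buf + off + 16);
        e.usn = rd64(buf + off + 24);
        e.mft_entry = fref & 0xFFFFFFFFFFFFULL; e.mft_seq = (uint16_t)(fref >> 48);
        e.parent_entry = pref & 0xFFFFFFFFFFFFULL; e.parent_seq = (uint16_t)(pref >> 48);
        e.unix_time = filetime_to_unix(rd64(buf + off + 32));
        e.reason = rd32(buf + off + 40); e.attributes = rd32(buf + off + 52);
        size_t nchars = nlen / 2; if (nchars > sizeof e.name - 1) nchars = sizeof e.name - 1;
        for (size_t i = 0; i < nchars; i++) {
            uint16_t c = rd16(buf + off + noff + 2 * i);
            e.name[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
        }
        n++; off += reclen;
        if (cb(&e, ctx)) return n;
    }
    return n;
}

/* Serialise one USN_RECORD_V2 (ASCII name widened to UTF-16LE); only used to build
 * the constructed sample. Returns the 8-byte-aligned record length, 0 on overflow. */
size_t usn_build_v2(uint8_t *out, size_t cap, uint64_t usn, uint64_t fref, uint64_t pref,
                    uint64_t filetime, uint32_t reason, uint32_t attrs, const char *name) {
    size_t nlen = strlen(name) * 2, reclen = (USN_V2_HEADER_LEN + nlen + 7) & ~(size_t)7;
    if (reclen > cap || nlen > 0xFFFF) return 0;
    memset(out, 0, reclen);
    wr32(out, (uint32_t)reclen); wr16(out + 4, 2);           /* MajorVersion 2, MinorVersion 0 */
    wr64(out + 8, fref); wr64(out + 16, pref); wr64(out + 24, usn); wr64(out + 32, filetime);
    wr32(out + 40, reason); wr32(out + 52, attrs);           /* SourceInfo, SecurityId left 0 */
    wr16(out + 56, (uint16_t)nlen); wr16(out + 58, USN_V2_HEADER_LEN);
    for (size_t i = 0; i < nlen / 2; i++) out[USN_V2_HEADER_LEN + 2 * i] = (uint8_t)name[i];
    return reclen;
}

#define MAX_ENTRIES 16
typedef struct { usn_entry_t e[MAX_ENTRIES]; int n; } usn_list_t;
static int collect_cb(const usn_entry_t *e, void *ctx) {
    usn_list_t *l = ctx; if (l->n < MAX_ENTRIES) l->e[l->n++] = *e; return 0;
}
static usn_list_t g_sample;

/* Constructed sample, not real evidence: 16 zero bytes standing in for the sparse prefix
 * of $J, a create+close record, 8 bytes of junk with an impossible RecordLength, then a
 * delete+close record for the same file one second later. */
int parse_sample(void) {
    static uint8_t j[256]; size_t off = 16; memset(j, 0, sizeof j);
    uint64_t file = (4ULL << 48) | 0x2A, dir = (1ULL << 48) | 5;   /* MFT 42 seq 4; parent MFT 5 seq 1 */
    off += usn_build_v2(j + off, sizeof j - off, off, file, dir, 131115736000000000ULL,
                        USN_REASON_FILE_CREATE | USN_REASON_CLOSE, 0x20, "evil.exe");
    wr32(j + off, 0xFFFFFFFFu); off += 8;
    off += usn_build_v2(j + off, sizeof j - off, off, file, dir, 131115736010000000ULL,
                        USN_REASON_FILE_DELETE | USN_REASON_CLOSE, 0x20, "evil.exe");
    g_sample.n = 0;
    return usn_walk(j, off, collect_cb, &g_sample);
}
const usn_entry_t *sample_entry(int i) { return &g_sample.e[i]; }

int main(void) {                                 /* prints the sample as a timeline */
    int n = parse_sample();
    for (int i = 0; i < n; i++) printf("%lld usn=%llu mft=%llu-%u reason=0x%08x %s\n",
        (long long)sample_entry(i)->unix_time, (unsigned long long)sample_entry(i)->usn,
        (unsigned long long)sample_entry(i)->mft_entry, sample_entry(i)->mft_seq,
        sample_entry(i)->reason, sample_entry(i)->name);
    return 0;
}
```

On a real image the walker is fed the bytes of the $UsnJrnl:$J data stream rather than the constructed buffer; the MFT entry and sequence number it yields are what let a timeline tool match each journal record to the right $MFT entry (or to a later reuse of the same entry number) and to the $LogFile and shadow-copy views that NTFS-Linker merges.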