Re: [sleuthkit-developers] Update Sequence Number Journal support
From: Brian C. <ca...@sl...> - 2016-07-09 03:47:53
Hello,

Sorry for the very late replies. I certainly think it would be of interest to the TSK users. My 2 cents would be to take a look at the existing journal infrastructure in TSK that was not designed with the knowledge of NTFS structures (so it may be too limited). But, it would be good to try to enhance that versus adding in a parallel journal infrastructure. Examples of it can be found in ext2fs_journal.c and hfs_journal.c and it provides callbacks for each entry.

thanks,
brian

> On Jun 28, 2016, at 12:49 PM, noxdafox <nox...@gm...> wrote:
>
> Greetings,
>
> recently I've been playing around with NTFS Update Sequence Number
> Journals which I find a fairly good instrument for extracting timelines
> from NTFS drives.
>
> I have been writing a few parsers for it, the last one being written in C.
>
> I was thinking about porting it to sleuthkit. Do you think it would be
> beneficial for the library?
>
> The idea would be to expose a visitor API (in similar fashion as for
> tsk_fs_dir_walk) and then a command line tool built on top of it.
>
> More info about UsnJrnl files:
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa365722%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#
>
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
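The visitor-style USN journal parser discussed in this thread, as an added example written for this page (it is neither TSK code nor noxdafox's parser): it walks a $UsnJrnl:$J buffer, hands each USN_RECORD_V2 to a callback the way tsk_fs_dir_walk does for directory entries, and applies the bounds checks such a parser needs when every length field comes from the image under analysis. The field offsets follow Microsoft's USN_RECORD_V2 layout linked above; the type and function names, the subset of USN_REASON_* flags and the sample journal bytes are this example's own constructions.

```c
/* Added example for this thread, not TSK code: a USN_RECORD_V2 walker with a
 * per-record callback. Offsets follow Microsoft's USN_RECORD_V2; names, the
 * reason-flag subset and the sample bytes are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USN_V2_HEADER_LEN      60u          /* fixed part before FileName */
#define USN_REASON_DATA_EXTEND 0x00000002u
#define USN_REASON_FILE_CREATE 0x00000100u
#define USN_REASON_FILE_DELETE 0x00000200u
#define USN_REASON_CLOSE       0x80000000u

typedef struct {
    uint64_t usn, file_ref, parent_ref;
    uint64_t timestamp;      /* FILETIME: 100 ns ticks since 1601-01-01 UTC */
    uint32_t reason, attributes;
    char     name[256];      /* UTF-16LE name narrowed; non-ASCII units become '?' */
} usn_entry;

typedef int (*usn_cb)(const usn_entry *e, void *ctx);   /* nonzero return stops the walk */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* FILETIME -> Unix seconds (11644473600 s separate the two epochs). */
int64_t usn_filetime_to_unix(uint64_t ft) { return (int64_t)(ft / 10000000ULL) - 11644473600LL; }

/* Walk a $J buffer, calling cb once per record. Returns the number of records
 * delivered, or -1 at the first record whose lengths do not fit the buffer.
 * Every length field is read from the image, so it is untrusted input. */
int usn_walk(const uint8_t *buf, size_t len, usn_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;
    while (off + USN_V2_HEADER_LEN <= len) {
        uint32_t rlen = rd32(buf + off);
        if (rlen == 0) { off += 8; continue; }           /* $J is sparse: skip zero slots */
        if (rlen < USN_V2_HEADER_LEN || rlen > len - off) return -1;  /* would overrun */
        if (rd16(buf + off + 4) != 2) return -1;                      /* only V2 handled */
        uint16_t nlen = rd16(buf + off + 56), noff = rd16(buf + off + 58);
        if (noff < USN_V2_HEADER_LEN || (nlen & 1) || (size_t)noff + nlen > rlen) return -1;
        usn_entry e;
        memset(&e, 0, sizeof e);
        e.file_ref = rd64(buf + off + 8);   e.parent_ref = rd64(buf + off + 16);
        e.usn      = rd64(buf + off + 24);  e.timestamp  = rd64(buf + off + 32);
        e.reason   = rd32(buf + off + 40);  e.attributes = rd32(buf + off + 52);
        size_t n = nlen / 2;
        if (n >= sizeof e.name) n = sizeof e.name - 1;
        for (size_t i = 0; i < n; i++) {
            uint16_t c = rd16(buf + off + noff + 2 * i);
            e.name[i] = c < 0x80 ? (char)c : '?';
        }
        count++;
        if (cb(&e, ctx)) break;
        off += rlen;
    }
    return count;
}

/* Serialise one constructed V2 record; returns its 8-byte-aligned length. */
size_t usn_build(uint8_t *out, uint64_t usn, uint64_t fref, uint64_t pref,
                 uint64_t ts, uint32_t reason, const char *name)
{
    size_t nlen = strlen(name) * 2, rlen = (USN_V2_HEADER_LEN + nlen + 7) & ~(size_t)7;
    memset(out, 0, rlen);
    wr32(out, (uint32_t)rlen); wr16(out + 4, 2);
    wr64(out + 8, fref); wr64(out + 16, pref); wr64(out + 24, usn); wr64(out + 32, ts);
    wr32(out + 40, reason); wr16(out + 56, (uint16_t)nlen); wr16(out + 58, USN_V2_HEADER_LEN);
    for (size_t i = 0; name[i]; i++) wr16(out + USN_V2_HEADER_LEN + 2 * i, (uint8_t)name[i]);
    return rlen;
}

typedef struct { usn_entry items[8]; int n; } usn_list;
static int collect_cb(const usn_entry *e, void *ctx)
{
    usn_list *l = ctx;
    if (l->n < 8) l->items[l->n++] = *e;
    return 0;
}

usn_list usn_demo_list;   /* filled by usn_demo() */

/* Constructed sample journal: 64 bytes of sparse zero prefix, then the create,
 * write+close and delete+close records of one file. A record's USN is its byte
 * offset in $J, which the sample reproduces. */
int usn_demo(void)
{
    static uint8_t buf[512];
    const uint64_t fref = 0x20000000000ABCDULL, pref = 0x5000000000005ULL;
    size_t off = 64;
    memset(buf, 0, sizeof buf);
    off += usn_build(buf + off, off, fref, pref, 131000000000000000ULL, USN_REASON_FILE_CREATE, "payload.tmp");
    off += usn_build(buf + off, off, fref, pref, 131000000000050000ULL, USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "payload.tmp");
    off += usn_build(buf + off, off, fref, pref, 131000000001000000ULL, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "payload.tmp");
    usn_demo_list.n = 0;
    return usn_walk(buf, off, collect_cb, &usn_demo_list);
}

/* A record whose RecordLength claims more bytes than exist is rejected, not read past. */
int usn_demo_oversized(void)
{
    static uint8_t buf[96];
    static usn_list scratch;
    size_t n = usn_build(buf, 0, 2, 3, 0, USN_REASON_CLOSE, "x.txt");
    wr32(buf, 4096);                                   /* lie about the length */
    scratch.n = 0;
    return usn_walk(buf, n, collect_cb, &scratch);
}

int main(void)
{
    int n = usn_demo();
    for (int i = 0; i < n; i++)
        printf("%lld usn=%llu reason=0x%08x %s\n",
               (long long)usn_filetime_to_unix(usn_demo_list.items[i].timestamp),
               (unsigned long long)usn_demo_list.items[i].usn,
               usn_demo_list.items[i].reason, usn_demo_list.items[i].name);
    return 0;
}
```

Two details matter when fitting this into the callback infrastructure Brian points at: $J is a sparse stream, so the leading run of zeros has to be skipped rather than parsed as records, and RecordLength, FileNameOffset and FileNameLength have to be checked against the buffer before any field is read, since a crafted or corrupted journal otherwise walks the parser out of bounds. Timeline output is the FILETIME converted to Unix seconds alongside the reason mask, which is what a tool built on top of the visitor would emit.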