#journal #windows #ntfs #usn #mft

app usn-parser

A Windows utility for NTFS/ReFS that searches the MFT and monitors USN Journal changes

1 unstable release

Uses new Rust 2024

0.1.0 (new), May 16, 2025

#289 in Filesystem

MIT license

13KB
218 lines

usn-parser

A command-line utility 💻 for parsing NTFS/ReFS USN Change Journal and searching the NTFS MFT on Windows systems.


✨ Features

  • Monitor Real-time Changes: Keep an eye on USN journal entries as they happen. ⏱️
  • Search MFT: Efficiently search the Master File Table for specific entries. 🔍
  • Read USN Journal History: Access and analyze historical USN journal data. 📜
  • Flexible Filtering:
    • Filter by keyword (wildcards supported).
    • Show only files 📄 or only directories 📁.

🚀 Getting Started

Prerequisites

  • Rust programming language and Cargo package manager installed. You can get them from rustup.rs.
  • Administrator privileges are required to access USN journals and the MFT.

Installation

The crate is published on crates.io, so it can be installed with Cargo:

cargo install usn-parser

🛠️ Usage

Usage: usn-parser.exe <COMMAND>

Commands:
  monitor  Monitor real-time USN journal changes
  search   Search the Master File Table
  read     Read history USN journal entries
  help     Print this message or the help of the given subcommand(s)

Options:
  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

Examples

Monitor 📡

Monitor real-time USN journal changes.

  • Monitor drive C for all real-time USN records:
    usn-parser monitor C
    
  • Monitor drive C for real-time USN records, filtering for log files with the name prefix app:
    usn-parser monitor C -f "app*.log" --file-only
    

Search 🔎

Search the Master File Table.

  • Search the Master File Table of volume C, printing out all files with the extension .xlsx:
    usn-parser search C -f "*.xlsx" --file-only
    
  • Search the Master File Table of volume D for all directory entries:
    usn-parser search D --dir-only
    

Read 📖

Read historical USN journal entries.

  • Print out the change history for a file named report.docx from the USN journal of volume D:
    usn-parser read D -f "report.docx"
    
  • Read all USN journal entries from drive F related to directories with "archive" in their name:
    usn-parser read F --filter "*archive*" --dir-only
    
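To show what the monitor and read subcommands actually consume, here is an added Rust example (not the usn-parser crate's own code) that decodes USN_RECORD_V2 entries from a raw journal buffer and applies the same -f glob, --file-only and --dir-only semantics used in the examples above. The record layout follows the Windows SDK's USN_RECORD_V2 (60-byte fixed part, UTF-16LE name at FileNameOffset), and the sample records are constructed in code rather than read from a volume.

```rust
// Added example, not usn-parser's code. Layout: Windows SDK USN_RECORD_V2; sample data is constructed.
const FILE_ATTRIBUTE_DIRECTORY: u32 = 0x10; // FileAttributes bit that marks a directory
#[derive(Debug)] pub struct UsnRecord { pub usn: i64, pub reason: u32, pub is_dir: bool, pub name: String }
fn u16_at(b: &[u8], o: usize) -> u16 { u16::from_le_bytes([b[o], b[o + 1]]) }
fn u32_at(b: &[u8], o: usize) -> u32 { (u16_at(b, o) as u32) | ((u16_at(b, o + 2) as u32) << 16) }

/// Walk consecutive USN_RECORD_V2 structures (60-byte fixed part, then a UTF-16LE name at
/// FileNameOffset). Stops at a short, truncated or malformed record instead of panicking.
pub fn parse_records(buf: &[u8]) -> Vec<UsnRecord> {
    let (mut out, mut off) = (Vec::new(), 0usize);
    while off + 60 <= buf.len() {
        let len = u32_at(buf, off) as usize;
        if len < 60 || off + len > buf.len() { break; }
        let rec = &buf[off..off + len];
        let (nlen, noff) = (u16_at(rec, 56) as usize, u16_at(rec, 58) as usize);
        if noff + nlen > len { break; } // bad name bounds: stop rather than panic on the slice
        let units: Vec<u16> = rec[noff..noff + nlen].chunks_exact(2).map(|c| u16_at(c, 0)).collect();
        out.push(UsnRecord { usn: ((u32_at(rec, 28) as i64) << 32) | (u32_at(rec, 24) as i64), reason: u32_at(rec, 40),
            is_dir: u32_at(rec, 52) & FILE_ATTRIBUTE_DIRECTORY != 0, name: String::from_utf16_lossy(&units) });
        off += len;
    }
    out
}

/// Case-insensitive glob with `*` and `?`, the filter syntax shown in the README examples.
pub fn glob_match(pat: &str, text: &str) -> bool {
    fn go(p: &[char], t: &[char]) -> bool {
        match (p.first(), t.first()) {
            (None, _) => t.is_empty(),
            (Some(&'*'), _) => go(&p[1..], t) || (!t.is_empty() && go(p, &t[1..])),
            (Some(&'?'), Some(_)) => go(&p[1..], &t[1..]),
            (Some(a), Some(b)) if a == b => go(&p[1..], &t[1..]),
            _ => false,
        }
    }
    let lower = |s: &str| s.to_lowercase().chars().collect::<Vec<char>>();
    go(&lower(pat), &lower(text))
}

/// CLI filter semantics: name must match the glob; --file-only drops directories, --dir-only drops files.
pub fn keep(r: &UsnRecord, pat: &str, file_only: bool, dir_only: bool) -> bool {
    glob_match(pat, &r.name) && !(file_only && r.is_dir) && !(dir_only && !r.is_dir)
}

/// Build one V2 record from constructed sample values (not data read from a real journal).
pub fn make_record(usn: i64, reason: u32, attrs: u32, name: &str) -> Vec<u8> {
    let nb: Vec<u8> = name.encode_utf16().flat_map(u16::to_le_bytes).collect();
    let len = (60 + nb.len() + 7) & !7; // journal records are padded to 8-byte boundaries
    let mut b = vec![0u8; len];
    for (o, v) in [(0, len as u32), (40, reason), (52, attrs)] { b[o..o + 4].copy_from_slice(&v.to_le_bytes()); }
    for (o, v) in [(4, 2u16), (56, nb.len() as u16), (58, 60u16)] { b[o..o + 2].copy_from_slice(&v.to_le_bytes()); }
    b[24..32].copy_from_slice(&usn.to_le_bytes());
    b[60..60 + nb.len()].copy_from_slice(&nb);
    b
}
```

The parser deliberately stops on a truncated or inconsistent record, which is the case to handle when reading a journal buffer that was cut mid-record.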

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request or open an issue.

📜 License

This project is licensed under the terms of the MIT LICENSE.

Dependencies

~124MB
~2M SLoC