Lib.rs

Parser implementations
#numbers #windows-file #binary #mft #ending #usnjrnl-dump #usnjrnl-file

bin+lib usnjrnl

parses a $UsnJrnl file

Owned by Jan Starke.

9 releases

0.4.5 May 8, 2023
0.4.4 Nov 18, 2022
0.4.3 Feb 8, 2022
0.3.0 Dec 24, 2021
0.1.0 Oct 20, 2021

#1709 in Parser implementations

Download history 22/week @ 2024-02-03 2/week @ 2024-02-10 52/week @ 2024-02-24 7/week @ 2024-03-02 18/week @ 2024-03-09 2/week @ 2024-03-16 35/week @ 2024-03-30 1/week @ 2024-04-06 56/week @ 2024-04-13

92 downloads per month
Used in mft2bodyfile

Custom license

36KB
432 lines

usnjrnl

Parses Windows $UsnJrnl files

This crate contains a library and a binary. If you only want to use the library in your crate, use default-features=false in your Cargo.toml:

[dependencies]
usnjrnl = {version="0.3.0", default-features=false }

Installation

cargo install usnjrnl

Usage

usnjrnl_dump binary

USAGE:
    usnjrnl_dump [FLAGS] <USNJRNL_FILE>

FLAGS:
    -b, --bodyfile    output as bodyfile instead of JSON
    -h, --help        Prints help information
    -V, --version     Prints version information

ARGS:
    <USNJRNL_FILE>    path to $UsnJrnl:$J file (file ending with .gz will be treated as being gzipped)

I suggest to always correlate MFT entry numbers to entries in a real $MFT file. This can be done automatically with https://github.com/janstarke/mft2bodyfile.

usnjrnl library

use usnjrnl::{UsnJrnlReader, CommonUsnRecord, UsnRecordData};

let reader = UsnJrnlReader::from("$UsnJrnl:$J")?;
for entry in reader.into_iter() {
    match entry {
        Ok(e) => {
            println!("{}: {}",
                e.data.filename(),
                e.data.reasons();
        }
        Err(why) => {
            log::error!("{}", why);
        }
    }
}

Dependencies

~10–22MB
~259K SLoC