usnjrnl

Parses Windows $UsnJrnl files

This crate contains a library and a binary. If you only want to use the library in your crate, use default-features=false in your Cargo.toml:

[dependencies]
usnjrnl = {version="0.3.0", default-features=false }

Installation

cargo install usnjrnl

Usage

usnjrnl_dump binary

USAGE:
    usnjrnl_dump [FLAGS] <USNJRNL_FILE>

FLAGS:
    -b, --bodyfile    output as bodyfile instead of JSON
    -h, --help        Prints help information
    -V, --version     Prints version information

ARGS:
    <USNJRNL_FILE>    path to $UsnJrnl:$J file (file ending with .gz will be treated as being gzipped)

I suggest to always correlate MFT entry numbers to entries in a real $MFT file. This can be done automatically with https://github.com/janstarke/mft2bodyfile.

usnjrnl library

use usnjrnl::{UsnJrnlReader, CommonUsnRecord, UsnRecordData};

let reader = UsnJrnlReader::from("$UsnJrnl:$J")?;
for entry in reader.into_iter() {
    match entry {
        Ok(e) => {
            println!("{}: {}",
                e.data.filename(),
                e.data.reasons();
        }
        Err(why) => {
            log::error!("{}", why);
        }
    }
}