:py:mod:`dissect.ntfs.usnjrnl`
==============================

.. py:module:: dissect.ntfs.usnjrnl




Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.ntfs.usnjrnl.UsnJrnl
   dissect.ntfs.usnjrnl.UsnRecord




.. py:class:: UsnJrnl(fh: BinaryIO, ntfs: dissect.ntfs.ntfs.NTFS | None = None)

   Parse the USN journal from a file-like object of the ``$UsnJrnl:$J`` stream.

   :param fh: A file-like object of the $UsnJrnl:$J stream.
   :param ntfs: An optional :class:`~dissect.ntfs.ntfs.NTFS` class instance, used for resolving file paths.


   .. py:attribute:: fh


   .. py:attribute:: ntfs
      :value: None



   .. py:method:: records() -> collections.abc.Iterator[UsnRecord]

      Yield all parsed USN records.

      Only yields version 2 USN records, other record versions are ignored.



.. py:class:: UsnRecord(usnjrnl: UsnJrnl, fh: BinaryIO, offset: int)

   Parse a USN record from a file-like object and offset.

   :param usnjrnl: The :class:`UsnJrnl` class this record is parsed from.
   :param fh: The file-like object to parse a USN record from.
   :param offset: The offset to parse a USN record at.


   .. py:attribute:: usnjrnl


   .. py:attribute:: offset


   .. py:attribute:: extents
      :value: []



   .. py:attribute:: header


   .. py:method:: __repr__() -> str


   .. py:method:: __getattr__(attr: str) -> Any


   .. py:property:: file
      :type: dissect.ntfs.mft.MftRecord | None



   .. py:property:: parent
      :type: dissect.ntfs.mft.MftRecord | None



   .. py:property:: timestamp
      :type: datetime.datetime



   .. py:property:: timestamp_ns
      :type: int



   .. py:property:: full_path
      :type: str