:py:mod:`dissect.target.plugins.filesystem.ntfs.usnjrnl`
========================================================

.. py:module:: dissect.target.plugins.filesystem.ntfs.usnjrnl


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.filesystem.ntfs.usnjrnl.UsnjrnlPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.filesystem.ntfs.usnjrnl.UsnjrnlRecord


.. py:data:: UsnjrnlRecord

.. py:class:: UsnjrnlPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   NTFS UsnJrnl plugin.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: usnjrnl() -> collections.abc.Iterator[UsnjrnlRecord]

      Return the UsnJrnl entries of all NTFS filesystems.

      The Update Sequence Number Journal (UsnJrnl) is a feature of an NTFS file system and contains information about
      filesystem activities. Each volume has its own UsnJrnl.

      If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the UsnJrnl
      properties added to it through a "fake" ``NtfsFilesystem``), the paths returned in the UsnJrnl records
      are based on the mount point of the ``VirtualFilesystem``. This ensures that the proper original drive
      letter is used when available.
      When no drive letter can be determined, the path will show as e.g. ``\$fs$\fs0``.

      .. rubric:: References

      - https://en.wikipedia.org/wiki/USN_Journal
      - https://velociraptor.velocidex.com/the-windows-usn-journal-f0c55c9010e
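To show what a UsnJrnl entry contains, here is an added example (not dissect code and not part of the original page): a stand-alone parser for the ``USN_RECORD_V2`` on-disk layout, run over a constructed buffer with a zero-filled gap like those in the sparse journal stream. The function names, dictionary keys and sample values are assumptions of this example and do not mirror the fields of ``UsnjrnlRecord``.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte header of USN_RECORD_V2 (little-endian), as laid out in the Windows SDK.
HDR = struct.Struct("<IHHQQqqIIIIHH")
# Subset of the USN_REASON_* bit flags.
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
MFT_MASK = (1 << 48) - 1  # low 48 bits of a file reference = MFT record number

def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf, skipping zero-filled (sparse) gaps."""
    off = 0
    while off + HDR.size <= len(buf):
        (length, major, _minor, ref, parent, usn, ts, reason,
         _source, _sec_id, _attrs, name_len, name_off) = HDR.unpack_from(buf, off)
        # Records are 8-byte aligned; a zero length or implausible header means
        # padding or damage, so step to the next aligned offset and retry.
        if (major != 2 or length < HDR.size or off + length > len(buf)
                or name_off < HDR.size or name_off + name_len > length):
            off += 8
            continue
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        yield {
            "usn": usn, "name": name,
            "ts": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ts // 10),
            "mft_entry": ref & MFT_MASK,
            "parent_entry": parent & MFT_MASK,
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
        }
        off += (length + 7) & ~7

def build_record(usn, name, reason, ref, parent, filetime):
    """Build a V2 record for the constructed sample below (not real journal data)."""
    raw = name.encode("utf-16-le")
    length = (HDR.size + len(raw) + 7) & ~7
    hdr = HDR.pack(length, 2, 0, ref, parent, usn, filetime, reason, 0, 0, 0x20,
                   len(raw), HDR.size)
    return (hdr + raw).ljust(length, b"\x00")

# Constructed sample: file create, 16 bytes of sparse padding, then delete + close.
SAMPLE = (build_record(0, "report.docx", 0x100, (3 << 48) | 1234, (1 << 48) | 5, 133_000_000_000_000_000)
          + bytes(16)
          + build_record(104, "report.docx", 0x80000200, (3 << 48) | 1234, (1 << 48) | 5, 133_000_000_600_000_000))

if __name__ == "__main__":
    for rec in parse_usn_v2(SAMPLE):
        print(rec["ts"].isoformat(), rec["usn"], rec["mft_entry"], rec["name"], rec["reasons"])
```

The parser emits only raw file names and MFT references; resolving them to full paths, as the plugin's records do, requires the volume's MFT.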