dissect.ntfs.usnjrnl

Module Contents

Classes

UsnJrnl	Parse the USN journal from a file-like object of the $UsnJrnl:$J stream.
UsnRecord	Parse a USN record from a file-like object and offset.

class dissect.ntfs.usnjrnl.UsnJrnl(fh: BinaryIO, ntfs: Optional[dissect.ntfs.ntfs.NTFS] = None)

Parse the USN journal from a file-like object of the $UsnJrnl:$J stream.

Parameters:

• fh – A file-like object of the $UsnJrnl:$J stream.

• ntfs – An optional NTFS class instance, used for resolving file paths.

records() → Iterator[UsnRecord]

Yield all parsed USN records.

Only yields version 2 USN records, other record versions are ignored.

class dissect.ntfs.usnjrnl.UsnRecord(usnjrnl: UsnJrnl, fh: BinaryIO, offset: int)

Parse a USN record from a file-like object and offset.

Parameters:

• usnjrnl – The UsnJrnl class this record is parsed from.

• fh – The file-like object to parse a USN record from.

• offset – The offset to parse a USN record at.

property timestamp: datetime.datetime

property timestamp_ns: int

__repr__() → str

Return repr(self).

__getattr__(attr: str) → Any

file() → Optional[dissect.ntfs.mft.MftRecord]

parent() → Optional[dissect.ntfs.mft.MftRecord]

full_path() → str