dissect.ntfs.usnjrnl

Module Contents

Classes

UsnJrnl

Parse the USN journal from a file-like object of the $UsnJrnl:$J stream.

UsnRecord

Parse a USN record from a file-like object and offset.

class dissect.ntfs.usnjrnl.UsnJrnl(fh: BinaryIO, ntfs: dissect.ntfs.ntfs.NTFS | None = None)

Parse the USN journal from a file-like object of the $UsnJrnl:$J stream.

Parameters:
  • fh – A file-like object of the $UsnJrnl:$J stream.

  • ntfs – An optional NTFS class instance, used for resolving file paths.

fh
ntfs = None
records() → collections.abc.Iterator[UsnRecord]

Yield all parsed USN records.

Only version 2 USN records are yielded; other record versions are ignored.
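The version filter described for records(), shown as an added example that is not dissect's own code: a standalone parser over the Windows USN_RECORD_V2 layout that also counts the records of other versions it passes over, so an analyst can tell when a journal holds entries a version-2-only pass would not return. The names `parse_journal`, `build_v2` and `SAMPLE` are hypothetical, and the sample stream is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte part of USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileRef, ParentRef, Usn, TimeStamp, Reason, SourceInfo, SecurityId, Attrs, NameLen, NameOff
V2 = struct.Struct("<IHHQQqQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_journal(data: bytes):
    """Return (v2_records, skipped), where skipped maps MajorVersion -> count."""
    records, skipped, pos = [], {}, 0
    while pos + 8 <= len(data):
        length, major = struct.unpack_from("<IH", data, pos)
        if length == 0:  # zero fill: sparse start of $J or padding
            pos += 8
            continue
        if length < 8 or length % 8 or pos + length > len(data):
            break  # implausible RecordLength: stop rather than guess
        if major == 2 and length >= V2.size:
            f = V2.unpack_from(data, pos)
            # Clamp the name to the record so a bad length cannot read past it.
            name = data[pos + f[12] : pos + min(length, f[12] + f[11])]
            records.append({
                "offset": pos, "usn": f[5], "reason": f[7],
                "timestamp": FILETIME_EPOCH + timedelta(microseconds=f[6] // 10),
                "name": name.decode("utf-16-le", errors="replace"),
            })
        else:
            skipped[major] = skipped.get(major, 0) + 1  # seen but not parsed
        pos += length
    return records, skipped


def build_v2(usn: int, filetime: int, reason: int, name: str) -> bytes:
    """Constructed sample data: pack one version 2 record, padded to 8 bytes."""
    raw = name.encode("utf-16-le")
    length = (V2.size + len(raw) + 7) & ~7
    head = V2.pack(length, 2, 0, 0x0001000000000027, 0x0005000000000005,
                   usn, filetime, reason, 0, 0, 0x20, len(raw), V2.size)
    return (head + raw).ljust(length, b"\x00")


# Constructed stream: zero fill, a v2 record, a version 3 stub (only the common
# RecordLength/MajorVersion header populated), then a second v2 record.
SAMPLE = (bytes(64)
          + build_v2(64, 133_000_000_000_000_000, 0x100, "a.txt")
          + struct.pack("<IHH", 80, 3, 0) + bytes(72)
          + build_v2(216, 133_000_000_100_000_000, 0x80000200, "a.txt"))
```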

class dissect.ntfs.usnjrnl.UsnRecord(usnjrnl: UsnJrnl, fh: BinaryIO, offset: int)

Parse a USN record from a file-like object and offset.

Parameters:
  • usnjrnl – The UsnJrnl class this record is parsed from.

  • fh – The file-like object to parse a USN record from.

  • offset – The offset to parse a USN record at.

usnjrnl
offset
extents = []
header
__repr__() → str
__getattr__(attr: str) → Any
property file: dissect.ntfs.mft.MftRecord | None
property parent: dissect.ntfs.mft.MftRecord | None
property timestamp: datetime.datetime
property timestamp_ns: int
property full_path: str