dissect.target.plugins.filesystem.ntfs.usnjrnl

Module Contents

Classes

UsnjrnlPlugin

NTFS UsnJrnl plugin.

Attributes

dissect.target.plugins.filesystem.ntfs.usnjrnl.UsnjrnlRecord
class dissect.target.plugins.filesystem.ntfs.usnjrnl.UsnjrnlPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

NTFS UsnJrnl plugin.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

usnjrnl() → Iterator[UsnjrnlRecord]

Return the UsnJrnl entries of all NTFS filesystems.

The Update Sequence Number Journal (UsnJrnl) is a feature of an NTFS file system and contains information about filesystem activities. Each volume has its own UsnJrnl.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the UsnJrnl properties added to it through a “fake” NtfsFilesystem), the paths returned in the UsnJrnl records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.
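To show what the journal entries described above carry, the following added example (not dissect's own code) parses raw USN_RECORD_V2 structures with the standard library only. The function names, the dict keys and the sample bytes are assumptions constructed for illustration and are not the fields of UsnjrnlRecord.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte USN_RECORD_V2 header, little-endian (layout from the Windows SDK).
HEADER = struct.Struct("<IHHQQqQIIIIHH")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}  # subset of USN_REASON_*

def decode_reason(mask):
    """Names of the set reason bits; bits outside the subset are shown in hex."""
    return [REASONS.get(1 << b, hex(1 << b)) for b in range(32) if mask & (1 << b)]

def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf, skipping zero-filled sparse runs."""
    off = 0
    while off + HEADER.size <= len(buf):
        (length, major, _minor, fref, _parent, usn, filetime, reason,
         _source, _sec_id, _attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
        if length == 0:  # sparse region of $J: step to the next 8-byte boundary
            off += 8
            continue
        if (major != 2 or length < HEADER.size or off + length > len(buf)
                or name_off < HEADER.size or name_off + name_len > length):
            raise ValueError(f"unsupported or corrupt record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        yield {"usn": usn, "ts": EPOCH + timedelta(microseconds=filetime // 10),
               "segment": fref & 0xFFFFFFFFFFFF, "sequence": fref >> 48,
               "name": name, "reason": decode_reason(reason)}
        off += (length + 7) & ~7  # records are 8-byte aligned

def build_record(name, usn, reason, fref, parent, filetime):
    """Pack a constructed USN_RECORD_V2 so the parser can run offline."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7
    head = HEADER.pack(length, 2, 0, fref, parent, usn, filetime, reason,
                       0, 0, 0x20, len(raw), HEADER.size)
    return (head + raw).ljust(length, b"\0")

# Constructed sample: a sparse gap, then a create and a delete of the same file.
FT = 133485408000000000  # 2024-01-01T00:00:00Z as FILETIME
SAMPLE = (b"\0" * 16
          + build_record("report.docx", 16, 0x100, (3 << 48) | 42, 5, FT)
          + build_record("report.docx", 104, 0x80000200, (3 << 48) | 42, 5, FT))

if __name__ == "__main__":
    for rec in parse_usn_v2(SAMPLE):
        print(rec)
```

A record only carries the file name and MFT references, not a full path, which is why a consumer of the journal has to resolve paths against the filesystem it belongs to.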

References