ntfs-reader 0.4.5

Read MFT and USN journal
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

use ntfs_reader::journal::{Journal, JournalOptions, NextUsn};
use ntfs_reader::volume::Volume;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Open the C: volume
    let volume = Volume::new("\\\\?\\C:")?;

    // With `JournalOptions` you can customize things like where to start reading
    // from (beginning, end, specific point), the mask to use for the events and more.
    let options = JournalOptions {
        // Start from the beginning of the journal.
        // Normally you'd use the default NextUsn::Next to read from the current position.
        next_usn: NextUsn::First,
        ..Default::default()
    };
    let mut journal = Journal::new(volume, options)?;

    // Try to read some events.
    // You can call `read_sized` to use a custom buffer size.
    let events = journal.read()?;

    println!("Found {} journal events", events.len());

    for event in events.iter().take(10) {
        // Available fields (public fields, not methods)
        // usn, timestamp, file_id, parent_id, reason, path

        // Example: Print information for each journal event
        println!(
            "USN: {}, Time: {:?}, Path: {}, Reason: {}",
            event.usn,
            event.timestamp,
            event.path.display(),
            Journal::get_reason_str(event.reason)
        );
    }

    Ok(())
}