usn-parser 0.1.1

A Windows utility for NTFS/ReFS to search the MFT & monitoring the changes of USN Journal.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

#  usn-parser


A command-line utility for searching the NTFS MFT and parsing NTFS/ReFS USN Change Journal on Windows.

[![Crates.io](https://img.shields.io/crates/v/usn-parser.svg)](https://crates.io/crates/usn-parser)
[![Downloads](https://img.shields.io/crates/d/usn-parser.svg)](https://crates.io/crates/usn-parser)
[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)

## ✨ Features


* πŸ‘€ **Monitor Real-time Changes**: Keep an eye on USN journal entries as they happen. 
* πŸ” **Search MFT**: Efficiently search the Master File Table for specific entries.
* πŸ“– **Read Journal Change History**: Access and analyze historical USN journal data.
* πŸ”½ **Flexible Filtering**:
    *   Filter by keyword (wildcards supported).
    *   Show only files or only directories.

## πŸ“₯ Installation


The crate has been published to [crates.io](https://crates.io/crates/usn-parser), you can install it using Cargo:
```bash
cargo install usn-parser
```

Alternatively, you can download the latest release from the [Releases page](https://github.com/wangfu91/usn-parser-rs/releases/latest) and run the executable directly.

## πŸ“– Usage


 > Note: Administrator privileges are required to access USN journals and the MFT.

```powershell
Usage: usn-parser.exe <COMMAND>

Commands:
  monitor  Monitor real-time USN journal changes
  search   Search the Master File Table
  read     Read history USN journal entries
  help     Print this message or the help of the given subcommand(s)

Options:
  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version
```

### πŸ’‘Examples


#### πŸ‘€ Monitor real-time USN journal changes.


```powershell
# Monitor drive C for all real-time file changes, filtering for log files with the name prefix 'app' in drive C:

usn-parser monitor C -f "app*.log" --file-only
```

#### πŸ”Ž Search the MFT.

```powershell
# Search the MFT of drive C, printing out all files with the extension `.xlsx`:

usn-parser search C -f "*.xlsx" --file-only
```

#### πŸ“– Read history USN journal entries.

```powershell
# Print out the change history for file 'report.docx' from the USN journal of drive D:

usn-parser read D -f "report.docx"
```

## 🀝 Contributing


Contributions are welcome! Please feel free to submit a Pull Request or open an issue.

## πŸ“œ License


This project is licensed under the terms of the [MIT LICENSE](LICENSE).