NTFS USN Journal parser with full path reconstruction via journal rewind.
Implements the CyberCX "Rewind" algorithm for complete path resolution: the journal is walked backwards so that each record is resolved against the names and parent directories in effect at the time it was written, even when the MFT entries involved have since been reallocated. Also provides direct binary parsing of $UsnJrnl:$J (V2/V3/V4 records), $MFT correlation, $MFTMirr comparison, and $LogFile gap detection.
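The following is an added example in Rust, not the crate's own code, showing the two pieces the description above refers to: a parser for raw USN_RECORD_V2 structures (field offsets as documented for that structure, 8-byte record alignment, zero-filled sparse regions) and a simplified journal rewind that resolves each record's full path against the names in effect at the time. The rewind here is an illustration of the idea, not the CyberCX algorithm as the crate implements it. The journal bytes are constructed in `sample_journal`, `ROOT_FRN` is assumed to be MFT entry 5 with sequence number 5, and the "present-day $MFT" view passed to `rewind_paths` is a hand-built map rather than a parsed $MFT. A naive forward first-seen resolver is included for contrast.

```rust
// Added example, not the crate's own code: parse USN_RECORD_V2 structures from a
// constructed $UsnJrnl:$J buffer, then resolve full paths by naive forward lookup and
// by a simplified journal rewind (an illustration of the idea, not CyberCX's algorithm).
use std::collections::HashMap;

pub const USN_REASON_FILE_CREATE: u32 = 0x0000_0100;
pub const USN_REASON_RENAME_OLD_NAME: u32 = 0x0000_1000;
pub const USN_REASON_RENAME_NEW_NAME: u32 = 0x0000_2000;
/// NTFS root directory: MFT entry 5, sequence number 5 (assumed for this example).
pub const ROOT_FRN: u64 = 0x0005_0000_0000_0005;
pub type NameMap = HashMap<u64, (String, u64)>; // frn -> (name, parent frn)

pub struct UsnRecordV2 { pub usn: i64, pub frn: u64, pub parent_frn: u64, pub reason: u32, pub name: String }

fn u16_at(b: &[u8], o: usize) -> u16 { u16::from_le_bytes([b[o], b[o + 1]]) }
fn u32_at(b: &[u8], o: usize) -> u32 { u32::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3]]) }
fn u64_at(b: &[u8], o: usize) -> u64 { (u32_at(b, o) as u64) | ((u32_at(b, o + 4) as u64) << 32) }

/// Parse every V2 record in `buf`. Records are 8-byte aligned; unused $J space reads as zeros.
pub fn parse_v2_records(buf: &[u8]) -> Result<Vec<UsnRecordV2>, String> {
    let (mut out, mut off) = (Vec::new(), 0usize);
    while off + 4 <= buf.len() {
        let len = u32_at(buf, off) as usize;
        if len == 0 { off += 8; continue; } // zero fill: step to the next 8-byte boundary
        if len < 60 || len % 8 != 0 || off + len > buf.len() {
            return Err(format!("bad RecordLength {} at offset {}", len, off));
        }
        let rec = &buf[off..off + len];
        // MajorVersion at offset 4; V3/V4 records use a different layout and are rejected here.
        if u16_at(rec, 4) != 2 { return Err(format!("unsupported record version at offset {}", off)); }
        let (name_len, name_off) = (u16_at(rec, 56) as usize, u16_at(rec, 58) as usize);
        if name_len % 2 != 0 || name_off < 60 || name_off + name_len > len {
            return Err(format!("bad FileNameOffset/FileNameLength at offset {}", off));
        }
        let units: Vec<u16> = (0..name_len / 2).map(|i| u16_at(rec, name_off + 2 * i)).collect();
        out.push(UsnRecordV2 { usn: u64_at(rec, 24) as i64, frn: u64_at(rec, 8), parent_frn: u64_at(rec, 16),
                               reason: u32_at(rec, 40), name: String::from_utf16_lossy(&units) });
        off += len;
    }
    Ok(out)
}

/// Serialise a V2 record (used only to construct the sample journal bytes).
pub fn build_v2(usn: i64, frn: u64, parent: u64, reason: u32, name: &str) -> Vec<u8> {
    let name_bytes: Vec<u8> = name.encode_utf16().flat_map(|u| u.to_le_bytes()).collect();
    let len = (60 + name_bytes.len() + 7) & !7; // RecordLength is padded to a multiple of 8
    let mut b = vec![0u8; len];
    b[0..4].copy_from_slice(&(len as u32).to_le_bytes());
    b[4..6].copy_from_slice(&2u16.to_le_bytes()); // MajorVersion 2, MinorVersion 0
    b[8..16].copy_from_slice(&frn.to_le_bytes());
    b[16..24].copy_from_slice(&parent.to_le_bytes());
    b[24..32].copy_from_slice(&usn.to_le_bytes());
    b[40..44].copy_from_slice(&reason.to_le_bytes());
    b[56..58].copy_from_slice(&(name_bytes.len() as u16).to_le_bytes());
    b[58..60].copy_from_slice(&60u16.to_le_bytes());
    b[60..60 + name_bytes.len()].copy_from_slice(&name_bytes);
    b
}

fn walk(name: &str, mut parent: u64, names: &NameMap) -> String {
    let (mut parts, mut hops) = (vec![name.to_string()], 0);
    while parent != ROOT_FRN {
        match names.get(&parent) {
            Some((n, p)) if hops < 255 => { parts.push(n.clone()); parent = *p; hops += 1; }
            _ => { parts.push(format!("<unresolved {:#x}>", parent)); break; } // missing or cyclic parent
        }
    }
    parts.reverse();
    format!("\\{}", parts.join("\\"))
}

/// Forward pass keeping the first name seen per FRN: wrong for files touched after a parent rename.
pub fn naive_paths(records: &[UsnRecordV2]) -> Vec<String> {
    let mut names = NameMap::new();
    records.iter().map(|r| {
        names.entry(r.frn).or_insert((r.name.clone(), r.parent_frn));
        walk(&r.name, r.parent_frn, &names)
    }).collect()
}

/// Rewind: seed with present-day names (what $MFT holds now), walk the journal backwards and let each
/// record overwrite its own FRN, so a RENAME_OLD_NAME record restores the earlier directory name.
pub fn rewind_paths(records: &[UsnRecordV2], mft_now: &NameMap) -> Vec<String> {
    let mut names = mft_now.clone();
    let mut out: Vec<String> = records.iter().rev().map(|r| {
        names.insert(r.frn, (r.name.clone(), r.parent_frn));
        walk(&r.name, r.parent_frn, &names)
    }).collect();
    out.reverse();
    out
}

/// Constructed scenario: "tools" gets a.exe, is renamed to "tmp", then gets b.exe; the returned
/// present-day MFT view only knows the directory under its final name.
pub fn sample_journal() -> (Vec<u8>, NameMap) {
    let (dir, f1, f2) = (0x0001_0000_0000_0040u64, 0x0001_0000_0000_0041u64, 0x0001_0000_0000_0042u64);
    let mut j = Vec::new();
    j.extend(build_v2(0, dir, ROOT_FRN, USN_REASON_FILE_CREATE, "tools"));
    j.extend(build_v2(80, f1, dir, USN_REASON_FILE_CREATE, "a.exe"));
    j.extend(build_v2(160, dir, ROOT_FRN, USN_REASON_RENAME_OLD_NAME, "tools"));
    j.extend(build_v2(240, dir, ROOT_FRN, USN_REASON_RENAME_NEW_NAME, "tmp"));
    j.extend(build_v2(320, f2, dir, USN_REASON_FILE_CREATE, "b.exe"));
    j.resize(j.len() + 16, 0); // sparse zero tail, as found at the end of a real $J
    (j, HashMap::from([(dir, ("tmp".to_string(), ROOT_FRN))]))
}
```

On the constructed journal, `naive_paths` reports the last record as `\tools\b.exe` because it froze the directory's name when it first saw it, while `rewind_paths` reports `\tmp\b.exe` and still gives `\tools\a.exe` for the earlier file, which is the point of resolving against the state in effect at each record. A real implementation would seed the map from a parsed $MFT rather than a hand-built one and would additionally parse V3/V4 records, which this parser deliberately rejects.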
Modules
- analysis: Anti-forensics and threat detection from USN Journal records.
- correlation: TriForce correlation engine: MFT + $LogFile + $UsnJrnl.
- image: Disk image format detection and NTFS artifact extraction.
- logfile: $LogFile parser for gap detection and LSN correlation.
- mft: MFT parsing for path resolution and correlation with the USN Journal.
- mftmirr: $MFTMirr comparison for integrity verification.
- monitor: Real-time USN Journal monitoring via FSCTL_READ_USN_JOURNAL.
- output: Output formatters: CSV, JSON, SQLite, Bodyfile, TLN, XML.
- refs: ReFS (Resilient File System) aware handling of USN V3 records.
- rewind: Journal Rewind engine for complete path reconstruction.
- rules: Rule engine for pattern-matching USN journal activity.
- triage: Rapid triage query engine for USN journal forensic analysis.
- usn: USN Journal record parsing.