USN Analytics

USN Analytics is a tool that specializes in USN Journal ($UsnJrnl:$J) analysis.

USN Analytics Main

Feature

USN Analytics is not just a parser; it also provides the following functions: 

  • It correlates records that share the same file ID and merges them into a single record.
  • It resolves the parent ID of each USN record, reconstructs the path and adds that path information to the record.
  • It presents a rename or move operation as one record instead of the separate old-name/new-name records.
  • It builds a program execution history from the creation and modification of prefetch files.
  • It builds a file open history from the creation and modification of lnk files and ObjectIDs.
  • It builds a list of potential indicators based on unusual extensions and file names.
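The following is an added example, not code from the usn_analytics project, that shows the kind of correlation the feature list describes on a small USN_RECORD_V2 journal constructed inline: records are merged per file reference, paths are rebuilt by walking parent references through the directory names seen in the journal (the page does not say how the tool itself resolves parents, so that approach is an assumption here), rename pairs are folded into one event, and prefetch file creations are turned into an execution list. The record layout and reason flags follow the Windows SDK USN_RECORD_V2 definition; all timestamps and file references are constructed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of USN_REASON_* flags and attributes from the Windows SDK (winioctl.h)
DATA_EXTEND, FILE_CREATE, RENAME_OLD, RENAME_NEW, CLOSE = 0x2, 0x100, 0x1000, 0x2000, 0x80000000
DIR_ATTR, ARCHIVE_ATTR = 0x10, 0x20
ROOT_ENTRY = 5                      # MFT entry number of the volume root directory

HDR = "<IHHQQqqIIIIHH"              # USN_RECORD_V2 fixed header (60 bytes)
HDR_LEN = struct.calcsize(HDR)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def entry_no(ref):
    """Low 48 bits of a file reference number are the MFT entry number."""
    return ref & 0xFFFFFFFFFFFF

def ref(entry, seq=1):
    """Constructed file reference: sequence number in the high 16 bits."""
    return (seq << 48) | entry

def make_record(usn, file_ref, parent_ref, ft, reason, attrs, name):
    """Build one constructed USN_RECORD_V2, padded to an 8-byte boundary like NTFS does."""
    raw = name.encode("utf-16-le")
    length = (HDR_LEN + len(raw) + 7) & ~7
    hdr = struct.pack(HDR, length, 2, 0, file_ref, parent_ref, usn, ft,
                      reason, 0, 0, attrs, len(raw), HDR_LEN)
    return (hdr + raw).ljust(length, b"\0")

def parse_usn_v2(buf):
    """Yield a dict per well-formed V2 record; skip zero padding, stop at the first bad record."""
    off = 0
    while off + HDR_LEN <= len(buf):
        (length, major, _minor, file_ref, parent_ref, usn, ft, reason,
         _src, _sid, attrs, nlen, noff) = struct.unpack_from(HDR, buf, off)
        if length == 0:                      # sparse/padding area inside the journal
            off += 8
            continue
        if major != 2 or length < HDR_LEN or off + length > len(buf):
            break                            # carved data: do not trust what follows
        name = buf[off + noff: off + noff + nlen].decode("utf-16-le", "replace")
        yield {"usn": usn, "file_ref": file_ref, "parent_ref": parent_ref,
               "time": filetime_to_utc(ft), "reason": reason, "attrs": attrs, "name": name}
        off += length

def build_name_table(records):
    """Map directory file_ref -> (name, parent_ref) from records that concern directories."""
    return {r["file_ref"]: (r["name"], r["parent_ref"]) for r in records if r["attrs"] & DIR_ATTR}

def full_path(rec, names):
    """Rebuild a full path by walking parent references; mark parents never seen in the journal."""
    parts, cur, seen = [rec["name"]], rec["parent_ref"], set()
    while entry_no(cur) != ROOT_ENTRY:
        if cur not in names or cur in seen:
            parts.append("[unknown:%d]" % entry_no(cur))
            break
        seen.add(cur)
        name, cur = names[cur]
        parts.append(name)
    return "\\" + "\\".join(reversed(parts))

def merge_by_file(records, names):
    """One summary per file reference: names seen in order, OR of reasons, first/last time, path."""
    merged = {}
    for r in records:
        m = merged.setdefault(r["file_ref"], {"names": [], "reasons": 0, "first": r["time"]})
        if not m["names"] or m["names"][-1] != r["name"]:
            m["names"].append(r["name"])
        m["reasons"] |= r["reason"]
        m["last"], m["path"] = r["time"], full_path(r, names)
    return merged

def rename_events(records, names):
    """Fold RENAME_OLD_NAME/RENAME_NEW_NAME pairs for the same file into (time, old, new)."""
    pending, out = {}, []
    for r in records:
        if r["reason"] & RENAME_OLD:
            pending[r["file_ref"]] = full_path(r, names)
        elif r["reason"] & RENAME_NEW and r["file_ref"] in pending:
            out.append((r["time"], pending.pop(r["file_ref"]), full_path(r, names)))
    return out

def prefetch_executions(records, names):
    """Execution candidates: first creation of a *.pf file under a Prefetch directory."""
    out, seen = [], set()
    for r in records:
        path = full_path(r, names)
        if (r["reason"] & FILE_CREATE and path.lower().endswith(".pf")
                and "\\prefetch\\" in path.lower() and r["file_ref"] not in seen):
            seen.add(r["file_ref"])
            out.append((r["time"], r["name"].rsplit("-", 1)[0], path))   # CALC.EXE-XXXXXXXX.pf -> CALC.EXE
    return out

T0 = 131613120000000000   # constructed FILETIME: 2018-01-25 00:00:00 UTC
SAMPLE_JOURNAL = b"".join([
    make_record(1000, ref(100), ref(5, 5), T0, CLOSE, DIR_ATTR, "Windows"),
    make_record(1100, ref(200), ref(100), T0, CLOSE, DIR_ATTR, "Prefetch"),
    make_record(1200, ref(500), ref(5, 5), T0, CLOSE, DIR_ATTR, "Users"),
    make_record(1300, ref(600), ref(500), T0, CLOSE, DIR_ATTR, "alice"),
    make_record(1400, ref(300), ref(200), T0 + 10_000_000, FILE_CREATE, ARCHIVE_ATTR, "CALC.EXE-ABCD1234.pf"),
    make_record(1500, ref(300), ref(200), T0 + 10_500_000, FILE_CREATE | DATA_EXTEND | CLOSE, ARCHIVE_ATTR, "CALC.EXE-ABCD1234.pf"),
    make_record(1600, ref(400), ref(600), T0 + 20_000_000, RENAME_OLD, ARCHIVE_ATTR, "report.docx"),
    make_record(1700, ref(400), ref(600), T0 + 20_000_000, RENAME_NEW | CLOSE, ARCHIVE_ATTR, "final.docx"),
    make_record(1800, ref(700), ref(900), T0 + 30_000_000, FILE_CREATE | CLOSE, ARCHIVE_ATTR, "notes.lnk"),  # parent 900 never appears
])

if __name__ == "__main__":
    recs = list(parse_usn_v2(SAMPLE_JOURNAL))
    names = build_name_table(recs)
    for t, exe, path in prefetch_executions(recs, names):
        print("EXEC ", t, exe, path)
    for t, old, new in rename_events(recs, names):
        print("RENAME", t, old, "->", new)
    for fr, m in merge_by_file(recs, names).items():
        print("FILE ", entry_no(fr), m["path"], m["names"], hex(m["reasons"]))
```

The `[unknown:N]` marker matters in practice: carved journals rarely contain a record for every directory, and a path whose parent could not be resolved should be reported as such rather than silently dropped.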

Usage

> usn_analytics [-ru] -o output input

USN Analytics expects its input to be the carved data produced by the ntfsusn scanner of bulk_extractor-rec, but it works with any file that contains USN records.

With the -r option it works as a pure parser.

When the -u option is specified, USN Analytics treats timestamps as UTC (default: local time).

Download

These binaries are x64.

Windows: usn_analytics_v.201801_exe.zip
(SHA-256: 06a83569dd861d2e65494b11c8fb9d36b68a00bf2c6e1d88f0df3c0ce55be349)

Linux: usn_analytics_v.201801_elf.zip
(SHA-256: d7023daa43db672b92ff4babdaf06cd3e4b5eb44d1a5d733b335c3b564bea251)

macOS: usn_analytics_v.201801_mach.zip
(SHA-256: 387cfde3ecfce29646d90507494f5a4946d3818f9da98f681db869c5e4279fbb)

Source code is available at GitHub.
https://github.com/4n6ist/usn_analytics

License

Apache License 2.0

History

2018/01/25

USN Analytics v.201801 released.