USN Analytics is a tool that specializes in USN Journal ($UsnJrnl:$J) analysis.
USN Analytics is not just a parser; it also has the following functions:
- It correlates the records that belong to the same file ID and gathers them into one record.
- It looks up the parent ID of each USN record, reconstructs the path and adds that information to the record.
- It presents a rename or move operation as a single record.
- It creates a program execution history from prefetch file creation/modification.
- It creates a file open history from LNK file and ObjectID creation/modification.
- It creates a list of potential indicators based on peculiar extensions and file names.
> usn_analytics [-ru] -o output input
USN Analytics expects as input the data carved by the ntfsusn scanner of bulk_extractor-rec, but it also works on any file that contains USN records.
With the -r option it works as a pure parser.
With the -u option, USN Analytics treats time stamps as UTC (default: local time).
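The processing described in the feature list and the option notes above, as an added worked example in Python (it is not USN Analytics' own code, which is not reproduced here): it parses raw USN_RECORD_V2 records from a byte buffer the way a pure parser (-r) would, resynchronises over junk between carved records, reconstructs paths from parent file reference numbers, folds the records of one file operation into a single event so that a rename or move shows as one event with old and new path, and derives execution and file-open history from prefetch and .lnk activity. The record layout and USN_REASON_* flags are the documented winioctl.h ones; the sample journal is constructed inline, and every file reference number, name and timestamp in it is made up for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags from winioctl.h (only the ones this example needs)
DATA_OVERWRITE, DATA_EXTEND, FILE_CREATE = 0x1, 0x2, 0x100
RENAME_OLD_NAME, RENAME_NEW_NAME = 0x1000, 0x2000
BASIC_INFO_CHANGE, OBJECT_ID_CHANGE, CLOSE = 0x8000, 0x80000, 0x80000000
ROOT_MFT_ENTRY = 5                            # the volume root directory is MFT record 5
_HDR = struct.Struct("<IHHQQqQIIIIHH")        # USN_RECORD_V2 fixed part, 60 bytes
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ts, utc=True):
    """FILETIME (100 ns ticks since 1601) -> datetime, in UTC or local time like the -u switch."""
    dt = _EPOCH + timedelta(microseconds=ts // 10)
    return dt if utc else dt.astimezone()

def parse_records(buf, utc=True):
    """Pure parser: walk carved bytes and return every well-formed USN_RECORD_V2 found."""
    out, off = [], 0
    while off + _HDR.size <= len(buf):
        (length, major, _, frn, parent, usn, ts, reason,
         _, _, attrs, nlen, noff) = _HDR.unpack_from(buf, off)
        if length < _HDR.size or major != 2 or off + length > len(buf) or noff + nlen > length:
            off += 8                          # junk between carved records: resync on an 8-byte boundary
            continue
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le", "replace")
        out.append({"usn": usn, "frn": frn, "parent": parent, "time": filetime(ts, utc),
                    "reason": reason, "attrs": attrs, "name": name})
        off += length
    return out

def build_name_map(records):
    """Last known (name, parent) per file reference number; RENAME_OLD_NAME records are skipped."""
    names = {}
    for r in records:
        if not r["reason"] & RENAME_OLD_NAME:
            names[r["frn"]] = (r["name"], r["parent"])
    return names

def resolve_path(names, parent, name):
    """Rebuild a full path by following parent references up to the root (MFT entry 5)."""
    parts, seen = [name], set()
    while parent & 0xFFFFFFFFFFFF != ROOT_MFT_ENTRY:   # low 48 bits = MFT entry, high 16 = sequence
        if parent in seen or parent not in names:       # parent deleted/reused or a loop: stop cleanly
            parts.append("<unknown>")
            break
        seen.add(parent)
        pname, parent = names[parent]
        parts.append(pname)
    return "\\" + "\\".join(reversed(parts))

def merge_events(records):
    """Fold the record stream into one event per file operation; a rename or move becomes a single
    event carrying both old_path and path instead of two separate records."""
    names, events, open_, old = build_name_map(records), [], {}, {}
    for r in sorted(records, key=lambda r: r["usn"]):
        path = resolve_path(names, r["parent"], r["name"])
        if r["reason"] & RENAME_OLD_NAME:
            old[r["frn"]] = path                  # keep the old name until its NEW_NAME half arrives
            continue
        ev = open_.setdefault(r["frn"], {"frn": r["frn"], "first": r["time"], "reason": 0})
        ev.update(path=path, last=r["time"], reason=ev["reason"] | r["reason"])
        if r["reason"] & RENAME_NEW_NAME and r["frn"] in old:
            ev["old_path"] = old.pop(r["frn"])
        if r["reason"] & CLOSE:                   # CLOSE ends the operation: flush the merged event
            events.append(open_.pop(r["frn"]))
    events.extend(open_.values())                 # operations still open at the end of the journal
    return events

def execution_history(events):
    """Prefetch files are created on the first run and rewritten on later runs of a program."""
    return [(ev["last"], ev["path"].rsplit("\\", 1)[1].split("-")[0]) for ev in events
            if ev["path"].upper().startswith("\\WINDOWS\\PREFETCH\\")
            and ev["path"].upper().endswith(".PF") and ev["reason"] & (FILE_CREATE | DATA_OVERWRITE)]

def open_history(events):
    """A .lnk create/modify or an ObjectID change usually marks a file being opened by a user."""
    return [(ev["last"], ev["path"]) for ev in events
            if (ev["path"].lower().endswith(".lnk") and ev["reason"] & (FILE_CREATE | DATA_OVERWRITE))
            or ev["reason"] & OBJECT_ID_CHANGE]

def _rec(usn, frn, parent, secs, reason, name, attrs=0x20):
    """Serialise one USN_RECORD_V2 for the constructed sample below (made-up data, not a real journal)."""
    nb = name.encode("utf-16-le")
    length = (_HDR.size + len(nb) + 7) & ~7       # records are padded to an 8-byte boundary
    ts = (int((datetime(2018, 1, 15, tzinfo=timezone.utc) - _EPOCH).total_seconds()) + secs) * 10_000_000
    return (_HDR.pack(length, 2, 0, frn, parent, usn, ts, reason, 0, 0, attrs, len(nb), _HDR.size)
            + nb + bytes(length - _HDR.size - len(nb)))

# Hypothetical file reference numbers (sequence number in the high 16 bits, MFT entry in the low 48).
ROOT, WIN, PF_DIR = 0x0005_0000_0000_0005, 0x0001_0000_0000_0100, 0x0001_0000_0000_0101
PF, TMP, LNK = 0x0001_0000_0000_0200, 0x0001_0000_0000_0300, 0x0001_0000_0000_0400
SAMPLE_JOURNAL = b"".join([                  # constructed sample: a program run, a rename, a file opened
    _rec(0, WIN, ROOT, 0, BASIC_INFO_CHANGE | CLOSE, "Windows", 0x10),
    _rec(80, PF_DIR, WIN, 1, BASIC_INFO_CHANGE | CLOSE, "Prefetch", 0x10),
    _rec(160, PF, PF_DIR, 2, FILE_CREATE, "EVIL-1A2B3C4D.pf"),
    _rec(256, PF, PF_DIR, 2, FILE_CREATE | DATA_EXTEND | CLOSE, "EVIL-1A2B3C4D.pf"),
    _rec(352, TMP, ROOT, 3, FILE_CREATE | CLOSE, "payload.tmp"),
    _rec(432, TMP, ROOT, 4, RENAME_OLD_NAME, "payload.tmp"),
    _rec(512, TMP, ROOT, 4, RENAME_NEW_NAME | CLOSE, "payload.exe"),
    _rec(592, LNK, ROOT, 5, FILE_CREATE | CLOSE, "secret.docx.lnk"),
])

if __name__ == "__main__":
    evs = merge_events(parse_records(SAMPLE_JOURNAL))
    for ev in evs:
        print(ev["last"].isoformat(), hex(ev["reason"]), ev.get("old_path", ""), ev["path"])
    print("executed:", execution_history(evs))
    print("opened:", open_history(evs))
```

The resync step matters for carved input: bulk_extractor output is not a clean journal, so a record whose length, version or name offset does not make sense is skipped eight bytes at a time instead of aborting the parse. The path walk stops at the first parent it cannot resolve, which happens whenever a directory's own record was not carved or its MFT entry was reused with a new sequence number, so a path containing <unknown> is a hint to check the MFT rather than an error.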
The binaries are x64.
The source code is available on GitHub.
Apache License 2.0
USN Analytics v.201801 released.