JP - TZWorks Windows Journal Parser

JP is a command line tool that targets NTFS change journals (the USN journal). The change journal is an NTFS component that, when enabled, records changes made to files and directories on the volume.

Among other things, each journal entry records: (a) the time of the change, (b) the affected file or directory, and (c) the change type (e.g. delete, rename, size extend, etc.), which makes it a useful artifact when examining a computer forensically. Each entry is of variable size, and its internal structure is documented on MSDN.


Microsoft provides tools to inspect and modify the change journal, as well as a published API for reading from and writing to it programmatically. jp, however, does not use this Windows API; it parses the journal by traversing the raw on-disk structures. This allows jp to be compiled for other operating systems and used to parse the change journal as one component of a forensic toolkit.
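To show what "traversing the raw structures" means for the entries described above, here is an added example (not jp's code, and not from TZWorks) that walks raw USN_RECORD_V2 entries as they appear in an extracted $UsnJrnl:$J file, using the field layout and USN_REASON_* flags published on MSDN; the two journal records it parses are constructed inline for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags (winioctl.h): the "change type" each journal entry reports
USN_REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
               0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
               0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}

# USN_RECORD_V2 fixed header (60 bytes, little-endian), per MSDN: RecordLength, Major,
# Minor, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
HEADER = struct.Struct("<IHHQQqqIIIIHH")

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def reason_names(reason):
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]

def parse_usn_records(data):
    """Walk raw $J bytes: records are variable-length and 8-byte aligned."""
    records, off = [], 0
    while off + HEADER.size <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:              # zero fill between records: step to the next 8-byte slot
            off += 8
            continue
        if rec_len < HEADER.size or off + rec_len > len(data):
            break                     # truncated or corrupt record: stop rather than misparse
        f = HEADER.unpack_from(data, off)
        if (f[1], f[2]) == (2, 0):    # only V2 records are handled in this example
            name = data[off + f[12]:off + f[12] + f[11]].decode("utf-16-le", "replace")
            records.append({"usn": f[5], "time": filetime_to_utc(f[6]), "file": name,
                            "mft_entry": f[3] & 0xFFFFFFFFFFFF,       # low 48 bits of the FRN
                            "parent_mft_entry": f[4] & 0xFFFFFFFFFFFF,
                            "reasons": reason_names(f[7])})
        off += rec_len
    return records

# Constructed sample: two hand-built V2 records with zero fill between them, not real data
def build_record(name, reason, usn, ft, frn=0x29, parent=0x5):
    raw = name.encode("utf-16-le")
    rec_len = (HEADER.size + len(raw) + 7) & ~7
    hdr = HEADER.pack(rec_len, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(raw), HEADER.size)
    return hdr + raw + b"\0" * (rec_len - HEADER.size - len(raw))

FILETIME_1970 = 116444736000000000    # FILETIME of 1970-01-01 00:00:00 UTC
SAMPLE = (build_record("report.docx", 0x100 | 0x80000000, 0x1000, FILETIME_1970 + 36_000_000_000)
          + b"\0" * 16
          + build_record("report.docx", 0x200 | 0x80000000, 0x1060, FILETIME_1970 + 36_010_000_000))

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE):
        print(r["time"].isoformat(), r["usn"], r["mft_entry"], r["file"], "|".join(r["reasons"]))
```

Real $J extractions contain large zero-filled (sparse) regions before the first live record, which is why the loop treats a zero RecordLength as padding rather than as an error.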

For live extraction and analysis, jp must run with administrator privileges; without them, one is restricted to examining change journals that have already been extracted. The menu of options is displayed by typing the executable name with no parameters.

Four output formats are available: (a) the default CSV output, (b) XML, (c) Log2Timeline format, and (d) the body-file format defined by The Sleuth Kit.

You can read more and download this tool over here: https://tzworks.net/prototype_page.php?proto_id=5
