USN Analytics -Tool to Analyze USN Journal

USN Analytics is a tool that specializes in analysis of the USN Journal ($UsnJrnl:$J). The USN journal is an internal NTFS log that records changes to the file system: it stores information about what happened to files, not the file data itself.

This helps track changes to the system, since rename and move operations are recorded, and related records can be bundled to reduce the size of the output file. The creation or modification of a prefetch file indicates program execution and carries the name of the application; the creation or modification of a link (lnk) file in the USN journal indicates that the user opened a file or folder.


USN Analytics is not just a parser; it also has the following functions:

  • It checks for related records by file ID and gathers those records into one record.
  • It checks the parent ID of each USN record, constructs the path and adds that information to the record.
  • It presents a rename or move operation as one record.
  • It creates a list of program execution history based on prefetch file creation/modification.
  • It creates a list of file open history based on lnk and ObjectID creation/modification.
  • It creates a list of potential indicators based on peculiar extensions and file names.
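The following is an added example, not code from USN Analytics or kazamiya.net, that shows in miniature what the six functions above do: it bundles the records of one file reference up to its CLOSE record, rebuilds the path by walking parent references, collapses a rename into one event, and sorts events into program-execution, file-open and indicator lists. The input records, the directory table (which a real tool would have to take from $MFT, since $J stores only the parent reference) and the set of "peculiar" extensions are all constructed assumptions; the USN_REASON flag values are the ones from the Windows SDK.

```python
# Added example, not USN Analytics' own code: a toy post-processor that
# applies the six steps above to constructed $UsnJrnl:$J-like records.

# USN_REASON_* flag values as defined in the Windows SDK (winioctl.h).
DATA_EXTEND = 0x00000002
FILE_CREATE = 0x00000100
RENAME_OLD_NAME = 0x00001000
RENAME_NEW_NAME = 0x00002000
OBJECT_ID_CHANGE = 0x00080000
CLOSE = 0x80000000

ROOT_REF = 5  # MFT record number of the NTFS root directory

# Assumption: a directory table keyed by file reference. $J stores only
# the parent reference, so a real tool builds this table from $MFT.
DIRS = {
    100: ("Windows", ROOT_REF),
    101: ("Prefetch", 100),
    200: ("Users", ROOT_REF),
    201: ("alice", 200),
    202: ("Recent", 201),
}

# Constructed records: (usn, file_ref, parent_ref, file_name, reason flags).
RECORDS = [
    (1000, 301, 101, "CALC.EXE-ABC12345.pf", FILE_CREATE),
    (1010, 301, 101, "CALC.EXE-ABC12345.pf", FILE_CREATE | DATA_EXTEND | CLOSE),
    (1020, 302, 202, "report.docx.lnk", FILE_CREATE | CLOSE),
    (1030, 303, 201, "draft.txt", RENAME_OLD_NAME),
    (1040, 303, 201, "final.txt", RENAME_OLD_NAME | RENAME_NEW_NAME | CLOSE),
    (1050, 304, 201, "invoice.pdf.exe", FILE_CREATE | DATA_EXTEND | CLOSE),
]

# Assumption: extensions the indicator list treats as peculiar when they
# terminate a multi-dot name such as "invoice.pdf.exe".
EXECUTABLE_EXT = {"exe", "scr", "hta", "vbs", "js"}


def resolve_path(parent_ref, dirs=DIRS, root=ROOT_REF):
    """Walk parent references up to the root to rebuild a directory path."""
    parts, ref, seen = [], parent_ref, set()
    while ref != root:
        if ref in seen or ref not in dirs:   # orphan or cycle: stop gracefully
            parts.append("<unknown>")
            break
        seen.add(ref)
        name, ref = dirs[ref]
        parts.append(name)
    return "\\".join(reversed(parts))


def bundle(records):
    """Merge every record of one file reference, from its first record up to
    the CLOSE record, into a single event; rename old/new names are kept."""
    events, open_events = [], {}
    for usn, ref, parent, name, reason in sorted(records):
        ev = open_events.get(ref)
        if ev is None:
            ev = {"ref": ref, "parent": parent, "name": name, "new_name": None,
                  "first_usn": usn, "last_usn": usn, "reason": 0}
            open_events[ref] = ev
            events.append(ev)
        ev["reason"] |= reason
        ev["last_usn"] = usn
        if reason & RENAME_NEW_NAME:
            ev["new_name"] = name
        if reason & CLOSE:          # CLOSE ends the bundle for this file
            del open_events[ref]
    return events


def classify(ev):
    """Map a bundled event to the history list it belongs to."""
    name, reason = ev["name"].lower(), ev["reason"]
    touched = reason & (FILE_CREATE | DATA_EXTEND)
    if name.endswith(".pf") and touched:
        # Prefetch names are EXECUTABLE-HASH.pf; the part before the dash
        # is the program that ran.
        return "program_execution", ev["name"].rsplit("-", 1)[0]
    if (name.endswith(".lnk") and touched) or reason & OBJECT_ID_CHANGE:
        return "file_open", ev["name"]
    if reason & RENAME_NEW_NAME:
        return "rename", f"{ev['name']} -> {ev['new_name']}"
    parts = name.split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT:
        return "indicator", "double extension"
    return "other", ""


def analyze(records=RECORDS):
    """Return one row per bundled event: (first USN, category, path, detail)."""
    rows = []
    for ev in bundle(records):
        category, detail = classify(ev)
        final_name = ev["new_name"] or ev["name"]
        path = resolve_path(ev["parent"]) + "\\" + final_name
        rows.append((ev["first_usn"], category, path, detail))
    return rows


if __name__ == "__main__":
    for row in analyze():
        print(*row, sep="\t")
```

Running the module prints one line per bundled event; the two prefetch records collapse into one program-execution entry for CALC.EXE, and the two rename records collapse into one "draft.txt -> final.txt" event shown under its final path. The only design choice worth noting is that bundling is keyed on the file reference until a CLOSE record arrives, so records of different files interleaved in the journal are still grouped correctly.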

You can read more and download this tool over here: https://www.kazamiya.net/en/usn_analytics
