usnjrnl

Parses Windows $UsnJrnl files

This crate contains a library and a binary. If you only want to use the library in your crate, use default-features=false in your Cargo.toml:

ini [dependencies] usnjrnl = {version="0.3.0", default-features=false }

Installation

shell cargo install usnjrnl

Usage

usnjrnl_dump binary

``` USAGE: usnjrnl_dump [FLAGS]

FLAGS: -b, --bodyfile output as bodyfile instead of JSON -h, --help Prints help information -V, --version Prints version information

ARGS: path to $UsnJrnl:$J file (file ending with .gz will be treated as being gzipped) ```

I suggest to always correlate MFT entry numbers to entries in a real $MFT file. This can be done automatically with https://github.com/janstarke/mft2bodyfile.

usnjrnl library

```rust use usnjrnl::{UsnJrnlReader, CommonUsnRecord, UsnRecordData};

let reader = UsnJrnlReader::from("$UsnJrnl:$J")?; for entry in reader.into_iter() { match entry { Ok(e) => { println!("{}: {}", e.data.filename(), e.data.reasons(); } Err(why) => { log::error!("{}", why); } } } ```