carve_usn

Plugin

Arguments:

device (OSPath): The device file to open.
image_filename (OSPath): A raw image to open. You can also provide the accessor if using a raw image file.
accessor (string): The accessor to use.
mft_filename (OSPath): A path to a raw $MFT file to use for path resolution.
usn_filename (OSPath): A path to a raw USN file to carve. If not provided we carve the image file or the device.

Required permissions: FILESYSTEM_READ

Description

Carve for the USN journal entries from a device.

In practice the USN journal rolls over fairly quickly (the default maximum size is usually 32Mb), so on busy systems older entries are overwritten and valuable information is lost.

This plugin carves the raw device for USN entries. The usual caveats for carved data apply, but this will often recover entries from long before the current journal's roll over.

This plugin can take a long time!

Example

SELECT * FROM carve_usn(device='''\\.\C:''')
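A fuller query, added here as an example and not taken from the Velociraptor documentation, shows the offline case the arguments above describe: carving a dead-disk image rather than a live device, with an exported $MFT supplied for path resolution so carved entries can be tied back to full paths. The case paths are placeholders, the accessor 'file' is the plain file accessor, and the column names Timestamp, Filename and Reason are assumed to match the parse_usn output format (they are not listed on this page).

```vql
-- Added example, not part of the original page. Paths are placeholders.
-- Carve USN entries from a raw disk image instead of a live device, using
-- an exported $MFT so the plugin can resolve MFT references to paths.
LET Carved = SELECT *
  FROM carve_usn(
    image_filename='''C:\Cases\CASE-0001\disk.dd''',
    accessor='file',
    mft_filename='''C:\Cases\CASE-0001\$MFT''')

-- Narrow the (potentially very large) carved set to executable content and
-- order it chronologically. Timestamp, Filename and Reason are assumed
-- column names; carved rows may be duplicated or partial, so treat the
-- result as a lead for timeline work rather than an authoritative record.
SELECT Timestamp, Filename, Reason
FROM Carved
WHERE Filename =~ '''(?i)\.(exe|dll|ps1)$'''
ORDER BY Timestamp
```

Because carving scans the whole image, expect this to run considerably longer than parse_usn against a live journal; storing the carved rows once (as above with LET) and filtering from that stored query avoids carving the image again for each follow-up question.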