File System Journal

Does Sleuth Kit / Autopsy allow recovery of the complete $UsnJrnl artifacts for a volume? I haven’t noted a specific category or selection for this.

There is a 3rd party module that will parse the $UsnJ file. You can find it here: Autopsy-Plugins/Parse_USNJ at master · markmckinnon/Autopsy-Plugins (github.com). Depending on how big your $UsnJ file is it may take a while to run. If you have any questions/problems with it you can DM me.
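For readers who want to see what such a plugin has to do, here is an added example (written for this thread, not code from the Parse_USNJ plugin or from Autopsy) that walks a raw `$Extend/$UsnJrnl:$J` fragment and decodes its `USN_RECORD_V2` structures: the 60-byte header layout and the `USN_REASON_*` bit values come from the Windows SDK, the zero-skipping handles the sparse region at the front of `$J`, and the file reference number is split into MFT entry and sequence number. The journal bytes it parses are constructed inline (`build_sample_journal`) so the block runs offline; to use it on real evidence, export `$J` with Autopsy or `icat` and pass its contents to `parse_usn_records`.

```python
import struct
from datetime import datetime, timedelta, timezone

# Selected USN_REASON_* flag values from the Windows SDK (winioctl.h).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed header (60 bytes, little-endian):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def frn_split(frn):
    """File reference number -> (MFT entry number, sequence number)."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48


def decode_reasons(flags):
    names = [name for bit, name in USN_REASONS.items() if flags & bit]
    known = 0
    for bit in USN_REASONS:
        known |= bit
    if flags & ~known & 0xFFFFFFFF:
        names.append("UNKNOWN_0x%08X" % (flags & ~known & 0xFFFFFFFF))
    return names


def parse_usn_records(buf):
    """Yield dicts for every valid V2 record in a raw $J byte string."""
    records, pos, end = [], 0, len(buf)
    while pos + _HDR.size <= end:
        # $J is a sparse file: long zero runs precede (and may sit between)
        # records. Records are 8-byte aligned, so resync in 8-byte steps.
        if buf[pos:pos + 4] == b"\x00\x00\x00\x00":
            pos += 8
            continue
        (rec_len, major, _minor, frn, parent, usn, ts, reason, _src,
         _sid, attrs, name_len, name_off) = _HDR.unpack_from(buf, pos)
        if (major != 2 or rec_len < _HDR.size or rec_len % 8
                or pos + rec_len > end or name_off + name_len > rec_len):
            pos += 8  # not a sane V2 record: treat as corrupt and resync
            continue
        raw_name = buf[pos + name_off:pos + name_off + name_len]
        records.append({
            "usn": usn,
            "timestamp": filetime_to_dt(ts),
            "frn": frn,
            "parent_frn": parent,
            "name": raw_name.decode("utf-16-le", errors="replace"),
            "reasons": decode_reasons(reason),
            "attributes": attrs,
        })
        pos += rec_len
    return records


def build_record(usn, frn, parent_frn, ft, reason, name):
    """Pack one V2 record (used only to construct sample input here)."""
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_b) + 7) & ~7
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent_frn, usn, ft, reason,
                    0, 0, 0x20, len(name_b), _HDR.size)
    return hdr + name_b + b"\x00" * (rec_len - _HDR.size - len(name_b))


def build_sample_journal():
    """Constructed $J fragment (not real evidence): a sparse zero run, then
    four records tracing one file through create -> rename -> delete."""
    base_ft = 133170048000000000          # 2023-01-01T00:00:00Z as FILETIME
    frn = (5 << 48) | 1234                 # MFT entry 1234, sequence 5
    parent = (5 << 48) | 5                 # root directory is MFT entry 5
    events = [
        (0x00000100 | 0x80000000, "report.docx"),        # FILE_CREATE|CLOSE
        (0x00001000, "report.docx"),                     # RENAME_OLD_NAME
        (0x00002000 | 0x80000000, "report_final.docx"),  # RENAME_NEW_NAME|CLOSE
        (0x00000200 | 0x80000000, "report_final.docx"),  # FILE_DELETE|CLOSE
    ]
    buf = b"\x00" * 16                     # sparse prefix, as in a real $J
    for i, (reason, name) in enumerate(events):
        buf += build_record(usn=len(buf), frn=frn, parent_frn=parent,
                            ft=base_ft + i * 600_000_000,  # one minute apart
                            reason=reason, name=name)
    return buf


if __name__ == "__main__":
    for r in parse_usn_records(build_sample_journal()):
        entry, seq = frn_split(r["frn"])
        print(r["timestamp"].isoformat(), "usn=%d" % r["usn"],
              "mft=%d/%d" % (entry, seq), r["name"], "|".join(r["reasons"]))
```

The USN value is the record's byte offset within the journal stream, which is why the sample sets it from `len(buf)`; on a real volume, rows where `RENAME_OLD_NAME` and `RENAME_NEW_NAME` share an MFT entry and sequence number let you reconstruct a file's name history even after the file itself is gone.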

Thanks, just what I was looking for.

RB

Hello @Mark_McKinnon,

I stumbled upon your response to the question in this thread. Unfortunately I’m having issues in running your mentioned plugin. I downloaded it from GitHub and made it available in my Autopsy installation (v. 4.19.3).

When I activate it for ingest, everything looks fine and I get no error messages. But I don’t get results either.

Hopefully you have a hint for me. Of course it is also possible that I am missing something and everything is working fine…

Thank you in advance!