Does Sleuth Kit / Autopsy allow recovery of the complete $UsnJrnl artifacts for a volume? I haven’t noted a specific category or selection for this.
There is a third-party module that will parse the $UsnJ file. You can find it here. Depending on how big your $UsnJ file is, it may take a while to run. If you have any questions/problems with it you can DM me. Autopsy-Plugins/Parse_USNJ at master · markmckinnon/Autopsy-Plugins (github.com)
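For readers who want to see what such a plugin has to do with the $UsnJrnl:$J stream, here is a minimal stand-alone USN_RECORD_V2 parser. It is an added example, not code from this thread or from the Parse_USNJ plugin; the reason-flag table is a subset of the Windows flags, and the byte stream it parses is constructed inline rather than taken from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the USN_REASON_* flags from winioctl.h; unrecognised bits are shown as hex.
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
           0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}
HDR = "<IHHQQQQIIIIHH"          # USN_RECORD_V2 fixed header, 60 bytes

def filetime_to_dt(ft):         # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def decode_reason(bits):
    names = [n for b, n in REASONS.items() if bits & b]
    if bits & ~sum(REASONS):
        names.append(f"0x{bits & ~sum(REASONS):08x}")
    return "|".join(names)

def parse_usn_v2(data):
    """Yield one dict per USN_RECORD_V2 in a $UsnJrnl:$J byte string.
    Zeroed (sparse) runs, which normally start the $J stream, are skipped."""
    off, n = 0, len(data)
    while off + 60 <= n:
        (rec_len, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = struct.unpack_from(HDR, data, off)
        if rec_len == 0:          # inside a sparse run: step to the next 8-byte boundary
            off += 8
            continue
        if rec_len < 60 or off + rec_len > n or major != 2:
            break                 # truncated or unsupported record: stop, don't mis-parse
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        yield {"usn": usn, "timestamp": filetime_to_dt(ts),
               "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,
               "parent_entry": parent & 0xFFFFFFFFFFFF,
               "reason": decode_reason(reason), "filename": name}
        off += rec_len

def build_record(usn, ts, frn, parent, reason, name):
    """Constructed V2 record for test data only; real records come from $J."""
    raw = name.encode("utf-16-le")
    length = (60 + len(raw) + 7) & ~7                    # records are 8-byte aligned
    hdr = struct.pack(HDR, length, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20, len(raw), 60)
    return hdr + raw + b"\0" * (length - 60 - len(raw))

# Constructed sample stream: a sparse lead-in, then create and extend/close of one file.
TS = 132_000_000_000_000_000                              # April 2019, FILETIME
SAMPLE_J = (b"\0" * 16
            + build_record(0x1000, TS, (5 << 48) | 1234, 5, 0x100, "notes.txt")
            + build_record(0x1050, TS + 10_000_000, (5 << 48) | 1234, 5, 0x80000002, "notes.txt"))
```

Run `list(parse_usn_v2(SAMPLE_J))` to see the two decoded records; on a real image, read the `$Extend\$UsnJrnl:$J` stream exported from Autopsy and pass its bytes instead.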
Thanks, just what I was looking for.
RB
Hello @Mark_McKinnon,
I stumbled upon your response to the question in this thread. Unfortunately, I’m having issues in running your mentioned plugin. I downloaded it from GitHub and made it available in my Autopsy installation (v. 4.19.3).
When I activate it for ingest, everything looks fine and I get no error messages. But I don’t get results either.
Hopefully you have a hint for me. Of course, it is also possible that I am missing something and everything is working fine…
Thank you in advance!