Crates.io | usnjrnl |
lib.rs | usnjrnl |
version | 0.4.5 |
source | src |
created_at | 2021-10-20 13:44:42.806642 |
updated_at | 2023-05-08 12:05:21.139779 |
description | parses a $UsnJrnl file |
homepage | https://www.github.com/janstarke/usnjrnl |
id | 467923 |
size | 120,970 |
usnjrnl
Parses Windows $UsnJrnl files
This crate contains a library and a binary. If you only want to use the library in your crate, use default-features=false in your Cargo.toml:
[dependencies]
usnjrnl = {version="0.3.0", default-features=false }

cargo install usnjrnl

usnjrnl_dump binary

USAGE:
    usnjrnl_dump [FLAGS] <USNJRNL_FILE>

FLAGS:
    -b, --bodyfile    output as bodyfile instead of JSON
    -h, --help        Prints help information
    -V, --version     Prints version information

ARGS:
    <USNJRNL_FILE>    path to $UsnJrnl:$J file (file ending with .gz will be treated as being gzipped)

I suggest always correlating MFT entry numbers with entries in a real $MFT file. This can be done automatically with https://github.com/janstarke/mft2bodyfile.
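
Why the correlation matters, as an added example that is not part of the usnjrnl crate and does not use its API: each journal record stores 64-bit file references in which only the low 48 bits are the MFT entry number, while the high 16 bits are a sequence number that changes when the entry is reused. The code decodes both from a raw USN_RECORD_V2 using only std; the names UsnV2, parse_usn_v2, split_file_reference and sample_record are hypothetical, and the sample record is constructed.

```rust
use std::convert::TryInto;

/// Fields of a USN_RECORD_V2 needed for $MFT correlation (added example).
#[derive(Debug, PartialEq)]
pub struct UsnV2 {
    pub file: (u64, u16),   // (MFT entry number, sequence number)
    pub parent: (u64, u16), // same split for the parent directory
    pub filename: String,
}

// Copy N bytes starting at `off`; None if the buffer is too short.
fn le<const N: usize>(buf: &[u8], off: usize) -> Option<[u8; N]> {
    buf.get(off..off.checked_add(N)?)?.try_into().ok()
}

/// A 64-bit NTFS file reference is a 48-bit entry number plus a 16-bit sequence number.
pub fn split_file_reference(frn: u64) -> (u64, u16) {
    (frn & 0x0000_FFFF_FFFF_FFFF, (frn >> 48) as u16)
}

/// Parse one USN_RECORD_V2 at the start of `buf`; None if truncated or not V2.
pub fn parse_usn_v2(buf: &[u8]) -> Option<UsnV2> {
    let len = u32::from_le_bytes(le(buf, 0)?) as usize; // RecordLength
    if u16::from_le_bytes(le(buf, 4)?) != 2 || len < 60 || len > buf.len() { return None; }
    let rec = &buf[..len]; // never read past this record
    let name_len = u16::from_le_bytes(le(rec, 56)?) as usize;
    let name_off = u16::from_le_bytes(le(rec, 58)?) as usize;
    let name = rec.get(name_off..name_off.checked_add(name_len)?)?;
    let utf16: Vec<u16> = name.chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect();
    Some(UsnV2 {
        file: split_file_reference(u64::from_le_bytes(le(rec, 8)?)),
        parent: split_file_reference(u64::from_le_bytes(le(rec, 16)?)),
        filename: String::from_utf16_lossy(&utf16),
    })
}

/// Constructed sample: "a.txt" at MFT entry 42 (sequence 3), parent entry 5 (sequence 1).
pub fn sample_record() -> Vec<u8> {
    let mut r = vec![0u8; 72]; // 60-byte header + 10 name bytes, padded to 8-byte alignment
    r[0..8].copy_from_slice(&[72, 0, 0, 0, 2, 0, 0, 0]); // RecordLength = 72, version 2.0
    r[8..16].copy_from_slice(&((3u64 << 48) | 42).to_le_bytes()); // FileReferenceNumber
    r[16..24].copy_from_slice(&((1u64 << 48) | 5).to_le_bytes()); // ParentFileReferenceNumber
    r[56..60].copy_from_slice(&[10, 0, 60, 0]); // FileNameLength = 10, FileNameOffset = 60
    r[60..70].copy_from_slice(b"a\0.\0t\0x\0t\0"); // "a.txt" as UTF-16LE
    r
}

fn main() { println!("{:?}", parse_usn_v2(&sample_record())); }
```

Two journal records that carry the same entry number but different sequence numbers refer to different files, which is what the lookup in the real $MFT resolves.
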
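
usnjrnl library

use usnjrnl::{UsnJrnlReader, CommonUsnRecord, UsnRecordData};

// The `?` requires an enclosing function that returns a Result.
let reader = UsnJrnlReader::from("$UsnJrnl:$J")?;
for entry in reader.into_iter() {
    match entry {
        // Parsed record: print the file name and the change reasons.
        Ok(e) => {
            println!("{}: {}",
                e.data.filename(),
                e.data.reasons());
        }
        // Parse error: log it.
        Err(why) => {
            log::error!("{}", why);
        }
    }
}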