usnjls − List the contents of a NTFS Update Sequence Number journal
usnjls [-f fstype ] [-vV] [-i imgtype] [-o imgoffset] [-b dev_sector_size] image [images] [inode]
usnjls lists the records in a NTFS Update Sequence Number Journal. If inode is given, then it will look there for a journal. Otherwise, it will use the default location. The output lists the USN journal records.
-f fstype
Specify the file system type. Use ’−f list’ to list the supported file system types. If not given, autodetection methods are used.
-i imgtype
Identify the type of image file, such as raw or split. Use ’−i list’ to list the supported types. If not given, autodetection methods are used.
-o imgoffset
The sector offset where the file system starts in the image.
-b dev_sector_size
The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.
|
-l |
Print the output in long format describing the field values and unpacking the data into human readable strings. | ||
|
-m |
Print the output in mactime format. | ||
|
-V |
Display version | ||
|
-v |
verbose output |
image [images]
One (or more if split) disk or partition images whose format is given with ’−i’.
[inode]
The inode where the Update Sequence Number Journal can be found.
usnjls −f ntfs img.dd
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot org>