SecurityRonin

The most comprehensive NTFS USN Journal parser: full path reconstruction (CyberCX Rewind), TriForce correlation (MFT + LogFile + UsnJrnl), ghost record recovery, anti-forensics detection, timestomping detection, USN carving, and more.

Found Mar 10, 2026 at 18 stars.
AI Analysis

Language: Rust

AI Summary

A forensics tool that rapidly analyzes Windows disk images to produce interactive HTML reports answering incident response questions and revealing file activity timelines.

How It Works

1. Discover a fast forensics helper: you hear about a tool that quickly analyzes file changes on Windows disks to spot incidents.
2. Get the tool ready: download and set it up on your computer in moments, with no complicated steps.
3. Pick your disk snapshot: choose the evidence file from your case, like a captured hard drive image.
4. Launch the analysis: run one simple command pointing to your file, and in 30 seconds it finishes everything.
5. Open the webpage report: click to view a beautiful, self-contained webpage right in your browser.
6. Read the story summary: see instant answers to 12 key questions like 'Was malware dropped?' with matching evidence.
7. Share insights with your team: hand the report to your incident commander, with timeline, detections, and recovered deletions all ready.

AI-Generated Review

What is usnjrnl-forensic?

usnjrnl-forensic is a Rust CLI tool that parses NTFS USN Journals from E01 or raw disk images, reconstructing full file paths and timelines even for deleted records via techniques like journal rewind and unallocated carving. Feed it an image with `usnjrnl-forensic --image evidence.E01 --carve-unallocated --report triage.html`, and in 35 seconds you get a browser-ready HTML report with a "Story" tab answering 12 IR questions—was malware present? Evidence destroyed?—plus an "Explore" tab for searching 50k+ records. Outputs also include CSV, SQLite, JSONL, and TLN for chaining into mactime or log2timeline.
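The two steps the description leans on, parsing raw USN records out of $UsnJrnl:$J and rebuilding full paths from parent references, as an added example in Rust (the tool's language). This is not code from usnjrnl-forensic or SecurityRonin; it is a std-only illustration that assumes the documented USN_RECORD_V2 layout, a directory map of the kind a parser builds from $MFT, and a constructed two-record journal whose file name, MFT entry numbers and timestamp are invented sample values.

```rust
// Added example, not code from usnjrnl-forensic: a std-only USN_RECORD_V2 parser for a
// $UsnJrnl:$J byte buffer, plus full-path reconstruction by walking parent references.
use std::collections::HashMap;
/// One change record (USN_RECORD_V2: 60-byte fixed header followed by a UTF-16LE name).
pub struct UsnRecord {
    pub usn: i64,          // byte offset of this record within $J
    pub file_ref: u64,     // low 48 bits = MFT entry number, high 16 bits = sequence
    pub parent_ref: u64,
    pub timestamp: i64,    // FILETIME: 100ns ticks since 1601-01-01 UTC
    pub reason: u32,
    pub file_name: String,
}
pub const USN_REASON_FILE_CREATE: u32 = 0x0000_0100;
pub const USN_REASON_FILE_DELETE: u32 = 0x0000_0200;
pub const USN_REASON_CLOSE: u32 = 0x8000_0000;
const ROOT_ENTRY: u64 = 5; // MFT entry number of the volume root directory
/// Little-endian read of `n` (<= 8) bytes at `off`; None if it runs off the buffer.
fn le(b: &[u8], off: usize, n: usize) -> Option<u64> {
    b.get(off..off + n).map(|s| s.iter().rev().fold(0u64, |acc, &x| (acc << 8) | x as u64))
}
/// The MFT entry number is the low 48 bits of an NTFS file reference.
pub fn mft_entry(file_ref: u64) -> u64 { file_ref & 0x0000_FFFF_FFFF_FFFF }

/// Parse the record at `off`; returns it with the offset of the next record.
pub fn parse_record(buf: &[u8], off: usize) -> Option<(UsnRecord, usize)> {
    let record_len = le(buf, off, 4)? as usize;
    // Must be 8-byte aligned, at least the fixed header, and fully inside the buffer.
    if record_len < 60 || record_len % 8 != 0 || off + record_len > buf.len() { return None; }
    if le(buf, off + 4, 2)? != 2 { return None; } // only the V2 layout is handled here
    let name_len = le(buf, off + 56, 2)? as usize;
    let name_off = le(buf, off + 58, 2)? as usize;
    // A name running past the record means corruption or carved garbage.
    if name_len % 2 != 0 || name_off + name_len > record_len { return None; }
    let utf16: Vec<u16> = buf[off + name_off..off + name_off + name_len]
        .chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect();
    let rec = UsnRecord {
        usn: le(buf, off + 24, 8)? as i64,
        file_ref: le(buf, off + 8, 8)?,
        parent_ref: le(buf, off + 16, 8)?,
        timestamp: le(buf, off + 32, 8)? as i64,
        reason: le(buf, off + 40, 4)? as u32,
        file_name: String::from_utf16_lossy(&utf16),
    };
    Some((rec, off + record_len))
}

/// Walk a $J buffer. Real journals begin with a long sparse (zero-filled) run, so a zero
/// RecordLength is skipped as padding rather than taken as the end of data.
pub fn parse_journal(buf: &[u8]) -> Vec<UsnRecord> {
    let (mut out, mut off) = (Vec::new(), 0usize);
    while off + 4 <= buf.len() {
        if le(buf, off, 4) == Some(0) { off += 8; continue; }
        match parse_record(buf, off) {
            Some((rec, next)) => { out.push(rec); off = next; }
            None => break, // truncated or corrupt record: stop instead of misaligning
        }
    }
    out
}

/// Directory map as a parser would build it from $MFT: entry -> (name, parent entry).
pub type DirMap = HashMap<u64, (String, u64)>;
/// Rebuild the full path by following parent references up to the root. An unknown parent
/// is reported in place so a gap in the map stays visible instead of collapsing to "UNKNOWN".
pub fn full_path(rec: &UsnRecord, dirs: &DirMap) -> String {
    let mut parts = vec![rec.file_name.clone()];
    let mut cur = mft_entry(rec.parent_ref);
    for hop in 0.. {
        if cur == ROOT_ENTRY { break; }
        if hop > 256 { parts.push("<LOOP>".to_string()); break; } // corrupt parent cycle
        match dirs.get(&cur) {
            Some((name, parent)) => { parts.push(name.clone()); cur = mft_entry(*parent); }
            None => { parts.push(format!("<UNKNOWN entry {}>", cur)); break; }
        }
    }
    parts.reverse();
    format!("\\{}", parts.join("\\"))
}

/// Serialize a USN_RECORD_V2; used here only to construct the sample journal.
pub fn encode_record(usn: i64, file_ref: u64, parent_ref: u64, ts: i64, reason: u32, name: &str) -> Vec<u8> {
    let name_bytes: Vec<u8> = name.encode_utf16().flat_map(|u| u.to_le_bytes()).collect();
    let record_len = (60 + name_bytes.len() + 7) & !7; // pad to an 8-byte boundary
    let mut b = (record_len as u32).to_le_bytes().to_vec();
    b.extend_from_slice(&[2, 0, 0, 0]); // MajorVersion 2, MinorVersion 0
    for v in [file_ref, parent_ref, usn as u64, ts as u64] { b.extend_from_slice(&v.to_le_bytes()); }
    for v in [reason, 0, 0, 0x20] { b.extend_from_slice(&v.to_le_bytes()); } // Reason, SourceInfo, SecurityId, ARCHIVE
    for v in [name_bytes.len() as u16, 60] { b.extend_from_slice(&v.to_le_bytes()); } // FileNameLength, FileNameOffset
    b.extend_from_slice(&name_bytes);
    b.resize(record_len, 0);
    b
}

/// Constructed sample case: a $J with 64 bytes of sparse padding, then create and delete of one
/// file (the delete is a "ghost" record: once $MFT reuses entry 10000 the name survives only in
/// the journal), and a directory map with entry 100 "Public" -> 101 "Users" -> root.
pub fn sample_case() -> (Vec<u8>, DirMap) {
    let (file, parent) = (0x0001_0000_0000_2710u64, 0x0002_0000_0000_0064u64); // entries 10000 and 100
    let t0: i64 = 133_500_000_000_000_000; // arbitrary constructed FILETIME
    let mut j = vec![0u8; 64];
    j.extend(encode_record(64, file, parent, t0, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "setup.exe"));
    j.extend(encode_record(144, file, parent, t0 + 50_000_000, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "setup.exe"));
    let dirs = DirMap::from([(100, ("Public".to_string(), 101)), (101, ("Users".to_string(), ROOT_ENTRY))]);
    (j, dirs)
}
```

The map lookup here is deliberately naive: it keys on the MFT entry number alone. A production parser also checks the 16-bit sequence number, and when the parent entry has since been reused (sequence mismatch) or the directory itself was deleted, the name has to be recovered from earlier rename and create records in the journal rather than from $MFT, which is the gap the journal-rewind technique mentioned above addresses.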

Why is it gaining traction?

It outshines MFTECmd, dfir_ntfs, and others as the most comprehensive usnjrnl forensic parser, correlating four NTFS artifacts (USN + MFT + LogFile + MFTMirr) for ghost recovery, timestomping detection, and ransomware patterns no competitor matches fully. Users get zero "UNKNOWN" paths, parallel processing for huge journals, and ReFS support in a single binary—faster and more complete than Python alternatives. Like the most comprehensive blood test for disk artifacts, it uncovers what others miss without manual stitching.

Who should use this?

DFIR analysts triaging Windows E01s for breach timelines, incident responders spotting anti-forensics like journal clears in ransomware cases, or forensic examiners carving USN records from unallocated space during IR. Ideal for CTF solvers or teams processing live journals via monitoring mode.

Verdict

Strong pick for usnjrnl forensics niches—cargo install delivers polished CLI and library with 483 tests and validation docs. 18 stars and 1.0% credibility score signal early maturity, but feature depth and cross-platform Rust make it production-ready over fragmented alternatives.
