{ "info": { "author": "Adam Witt", "author_email": "accidentalassist@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Intended Audience :: Information Technology", "License :: OSI Approved :: Apache Software License", "Topic :: Security" ], "description": "USN-Record-Carver\n===================== \nPython script to carve NTFS USN records from arbitrary binary data\n\nDescription\n-------------\nThe NTFS USN Change journal is a volume-specific log which records metadata changes to files. It is a treasure trove of information during a forensic investigation. As the change journal reaches its maximum size, clusters of the journal's disk space are marked unallocated by the operating system to be used when needed at a later time. As with many other artifacts, USN change journal records in unallocated space can be extremely valuable. Better yet, due to the compact nature of change journal records, I routinely find millions of records outside of the file system's allocated clusters.\n\nThis script will carve NTFS USN journal records from arbitrary binary data, and output to a file in binary format. The investigator can then parse these records with a tool of their own choosing. At this time the script only supports raw/dd input files.\n\nUsage and Output\n--------------------\nSimply specify the input and output files:\n\n::\n\n dev@computer:$ python usncarve.py -f file.raw -o usn.raw\n\nCommand-Line Options\n-----------------------\n\n::\n\n usage: usncarve.py [-h] -f FILE -o OUTFILE\n\n optional arguments:\n -h, --help show this help message and exit\n -f FILE, --file FILE Carve USN records from the given file\n -o OUTFILE, --outfile OUTFILE\n Output to the given file\n\n\nInstallation \n--------------\nUsing setup.py:\n\n::\n \n python setup.py install\n \nUsing pip:\n\n::\n \n pip install usncarve\n\n+----------------------------------------------------------------------------------------+\n| Travis-CI |\n+========================================================================================+\n| .. image:: https://travis-ci.org/PoorBillionaire/USN-Record-Carver.svg?branch=master |\n| :target: https://travis-ci.org/PoorBillionaire/USN-Record-Carver |\n+----------------------------------------------------------------------------------------+", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/PoorBillionaire/USN-Record-Carver", "keywords": "DFIR NTFS USN Carve Forensics Incident Response Microsoft Windows", "license": "Apache Software License", "maintainer": null, "maintainer_email": null, "name": "usncarve", "package_url": "https://pypi.org/project/usncarve/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/usncarve/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://github.com/PoorBillionaire/USN-Record-Carver" }, "release_url": "https://pypi.org/project/usncarve/1.2.2/", "requires_dist": null, "requires_python": null, "summary": "A Python script to carve NTFS USN journal records from binary data", "version": "1.2.2" }, "last_serial": 2889366, "releases": { "1.0.0": [ { "comment_text": "", "digests": { "md5": "394afb0fa5fdd6567d3680a961e8b79f", "sha256": "682cb1cb673a3a8968c8c4d8aafc86ce9ddcdc862a7b6e5889efbeb54301df70" }, "downloads": -1, "filename": "usncarve-1.0.0.tar.gz", "has_sig": false, "md5_digest": "394afb0fa5fdd6567d3680a961e8b79f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 2594, "upload_time": "2017-04-26T22:01:24", "url": "https://files.pythonhosted.org/packages/d2/e8/65cc1e6ab37e687557153b91d9909d599b99e296445baf18ad0a88396e48/usncarve-1.0.0.tar.gz" } ], "1.0.1": [ { "comment_text": "", "digests": { "md5": "f593f2d56eaec7192ff3361d5b03544f", "sha256": "673118ad7d2296a1ce16ca1d1390601e39326c8b40b2aa71585cb4e517f66da7" }, "downloads": -1, "filename": "usncarve-1.0.1.tar.gz", "has_sig": false, "md5_digest": "f593f2d56eaec7192ff3361d5b03544f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 2773, "upload_time": "2017-05-21T20:40:59", "url": "https://files.pythonhosted.org/packages/b6/78/17dff1b347e5892b2978bb31074d5297f42160f7356dc59212f40f3f3428/usncarve-1.0.1.tar.gz" } ], "1.2.0": [ { "comment_text": "", "digests": { "md5": "6c0a1421e2829681caf3a052a96397be", "sha256": "be46183075a2c7cf5497858e155eaefd3f41e322a9d5b0e9e4c2dc4281205736" }, "downloads": -1, "filename": "usncarve-1.2.0.tar.gz", "has_sig": false, "md5_digest": "6c0a1421e2829681caf3a052a96397be", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 2773, "upload_time": "2017-05-21T20:43:54", "url": "https://files.pythonhosted.org/packages/09/7f/3a80194075ef3e9e16994e14be402a92da099de7b44859f4bb97dfca227f/usncarve-1.2.0.tar.gz" } ], "1.2.1": [ { "comment_text": "", "digests": { "md5": "3ad3c91315ba66a7049a5b45c3834762", "sha256": "89b259fa907f47fc4a8ab84ecf667ac2158235f5e8597177872710236d2e8bcf" }, "downloads": -1, "filename": "usncarve-1.2.1.tar.gz", "has_sig": false, "md5_digest": "3ad3c91315ba66a7049a5b45c3834762", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 2773, "upload_time": "2017-05-21T20:44:57", "url": "https://files.pythonhosted.org/packages/be/70/fe368238477cfb451d30ebd814b8e8a29fd35aa3f034e8a8159d46506675/usncarve-1.2.1.tar.gz" } ], "1.2.2": [ { "comment_text": "", "digests": { "md5": "1661045059c9f45a81178e154fbefd07", "sha256": "fa566a81b2a735cad54df1def9f9bb8f84da560b30a47d49e54f81b8f794fa3c" }, "downloads": -1, "filename": "usncarve-1.2.2.tar.gz", "has_sig": false, "md5_digest": "1661045059c9f45a81178e154fbefd07", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 2776, "upload_time": "2017-05-21T20:47:02", "url": "https://files.pythonhosted.org/packages/80/ae/db6ae24e22b2355e923ac83601c6c8c3c40bd1bcc2858556680cf9861f86/usncarve-1.2.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "1661045059c9f45a81178e154fbefd07", "sha256": "fa566a81b2a735cad54df1def9f9bb8f84da560b30a47d49e54f81b8f794fa3c" }, "downloads": -1, "filename": "usncarve-1.2.2.tar.gz", "has_sig": false, "md5_digest": "1661045059c9f45a81178e154fbefd07", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 2776, "upload_time": "2017-05-21T20:47:02", "url": "https://files.pythonhosted.org/packages/80/ae/db6ae24e22b2355e923ac83601c6c8c3c40bd1bcc2858556680cf9861f86/usncarve-1.2.2.tar.gz" } ] }