Get-ForensicUsnJrnl
NAME Get-ForensicUsnJrnl
SYNOPSIS
Gets the UsnJrnl entries from the specified volume.
SYNTAX
Get-ForensicUsnJrnl [[-VolumeName] <String>] [-Usn <UInt64>] [<CommonParameters>]
Get-ForensicUsnJrnl -Path <String> [-Usn <UInt64>] [<CommonParameters>]
DESCRIPTION
The Get-ForensicUsnJrnl cmdlet parses the $J data stream of the $UsnJrnl file (the NTFS change journal) and
returns its entries. If you do not specify a Usn (Update Sequence Number), it returns all entries in the $UsnJrnl.
The $UsnJrnl records changes to files and directories on the volume: creations, deletions, renames, and data or
metadata writes. It does not record reads. Because the journal has a fixed maximum size and is circular, the
oldest entries are overwritten, so it covers only recent activity; the absence of an entry for a file is not
evidence that nothing happened to it.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\.\C:, C:, or C.
Required? false
Position? 0
Default value \\.\C:
Accept pipeline input? false
Accept wildcard characters? false
-Usn [<UInt64>]
The Update Sequence Number of the record to return.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
Path to file to be parsed.
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String
OUTPUTS
PowerForensics.Ntfs.UsnJrnl
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\>$usn = Get-ForensicUsnJrnl
This command gets the file system change entries recorded for the C:\ logical volume.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\>$r = Get-ForensicFileRecord C:\temp\helloworld.txt
PS C:\> $r.Attribute[0].UpdateSequenceNumber
713538320
PS C:\> Get-ForensicUsnJrnl -Usn $r.Attribute[0].UpdateSequenceNumber
VolumePath : \\.\C:
Version : 2.0
RecordNumber : 132245
FileSequenceNumber : 52
ParentFileRecordNumber : 191621
ParentFileSequenceNumber : 59
Usn : 713538320
TimeStamp : 11/17/2015 10:02:56 PM
Reason : DATA_EXTEND, FILE_CREATE, CLOSE
SourceInfo : 0
SecurityId : 0
FileAttributes : ARCHIVE
FileName : helloworld.txt
This example uses Get-ForensicFileRecord and Get-ForensicUsnJrnl to get the UsnJrnl entry for the helloworld.txt
file. The first command gets the file record for helloworld.txt. The second command gets the USN of the first
attribute in the Ntfs.FileRecord object that Get-ForensicFileRecord returns; that attribute is
$STANDARD_INFORMATION, which stores the USN of the file's most recent journal entry. The third command uses
Get-ForensicUsnJrnl -Usn to get the UsnJrnl record for that USN.
Only a file's most recent entry can be located this way. To see the file's full history, query the whole journal
and filter on RecordNumber (the file's MFT record number).
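The filtering approach above, carried further as an added example (this is not the module's own code): triage deletions of executable content on the live C: volume and resolve each entry's parent directory through its parent file record. The USN record carries only the file name, so the directory has to be looked up in the $MFT. It is assumed here that Get-ForensicFileRecord accepts -VolumeName together with -Index to fetch a record by number, and that the returned FileRecord exposes SequenceNumber and FullName; those come from the module's other cmdlets, not from this page, and should be checked against your installed version.

```powershell
# Added example, not PowerForensics' own code. Run from an elevated PowerShell session.
# Assumed: Get-ForensicFileRecord -VolumeName C: -Index <n> returns the MFT record for record number n,
# and the FileRecord object exposes SequenceNumber and FullName.
$journal = Get-ForensicUsnJrnl -VolumeName C:

# Reason is a flags value; matching on its string form catches FILE_DELETE in any combination.
$deleted = $journal | Where-Object {
    $_.Reason -match 'FILE_DELETE' -and
    $_.FileName -match '\.(exe|dll|ps1|bat|cmd|vbs|js)$'
}

# Many entries share a parent directory and each lookup reads the $MFT, so cache by record number.
$parentCache = @{}
$deleted | ForEach-Object {
    $idx = $_.ParentFileRecordNumber
    if (-not $parentCache.ContainsKey($idx)) {
        $parent = Get-ForensicFileRecord -VolumeName C: -Index $idx
        # An MFT record can be reused after its directory is deleted. The journal entry stores the
        # parent's sequence number at the time of the event; if it no longer matches, the name in
        # the current record belongs to a different directory and must not be reported as the path.
        if ($parent.SequenceNumber -eq $_.ParentFileSequenceNumber) {
            $parentCache[$idx] = $parent.FullName
        } else {
            $parentCache[$idx] = "<parent record $idx reused; original directory unknown>"
        }
    }
    [pscustomobject]@{
        TimeStamp = $_.TimeStamp
        Directory = $parentCache[$idx]
        FileName  = $_.FileName
        Reason    = $_.Reason
    }
} | Sort-Object TimeStamp | Format-Table -AutoSize
```

Because the journal is circular, a quiet result only says that no matching deletion is still inside the retained window; compare the earliest TimeStamp in $journal with the period you are investigating before treating that as a negative finding.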
-------------------------- EXAMPLE 3 --------------------------
[ADMIN]: PS C:\>Get-ForensicUsnJrnl -Path C:\evidence\UsnJrnl
This command gets the UsnJrnl records from an exported copy of the $UsnJrnl file's $J data stream.
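An offline workflow built around the -Path form, as an added example rather than code from the page: preserve the $J stream from the live system, hash the export, and then parse the copy. It assumes that Copy-ForensicFile (another cmdlet in the module) accepts the alternate-data-stream path shown and that C:\evidence already exists; the cmdlet name is real, the stream-path behaviour is an assumption to verify on your version.

```powershell
# Added example, not PowerForensics' own code. Run the export step from an elevated session.
# Assumed: Copy-ForensicFile can read the $J alternate data stream by the path below.
$evidence = 'C:\evidence'
$export   = Join-Path $evidence 'UsnJrnl'

# 1. Copy the raw $J stream out of the volume. Reading the $MFT directly sidesteps the lock that
#    the file system holds on $UsnJrnl, which normal file APIs cannot bypass.
Copy-ForensicFile -Path 'C:\$Extend\$UsnJrnl:$J' -Destination $export

# 2. Hash the export before touching it so results can later be tied to the preserved file.
$hash = Get-FileHash -Path $export -Algorithm SHA256
"$($hash.Hash)  $export" |
    Out-File -FilePath (Join-Path $evidence 'UsnJrnl.sha256') -Encoding ascii

# 3. Parse the exported copy; this step needs no live-volume access.
$entries = Get-ForensicUsnJrnl -Path $export

# 4. Establish the window the journal actually covers. Entries outside it have been overwritten,
#    so conclusions about earlier activity cannot be drawn from this source.
$ordered = $entries | Sort-Object TimeStamp
'Journal covers {0} entries from {1} to {2}' -f $entries.Count,
    $ordered[0].TimeStamp, $ordered[-1].TimeStamp

# 5. Build a per-file history by grouping on the MFT record number, which, unlike FileName,
#    survives renames; each group lists every retained event for that record in order.
$entries |
    Group-Object RecordNumber |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            RecordNumber = $_.Name
            Events       = $_.Count
            FirstSeen    = ($_.Group | Sort-Object TimeStamp)[0].TimeStamp
            Names        = ($_.Group.FileName | Select-Object -Unique) -join ', '
        }
    } | Sort-Object Events -Descending | Select-Object -First 20
```

Keep the export and its hash with the case; the live journal keeps rolling forward, so the same -VolumeName query run later will not return the same set of entries.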
RELATED LINKS