NAME
Get-ForensicUsnJrnlInformation
SYNOPSIS
Gets metadata about the specified volume's $UsnJrnl.
SYNTAX
Get-ForensicUsnJrnlInformation [[-VolumeName] <String>] [-AsBytes <SwitchParameter>] [<CommonParameters>]
Get-ForensicUsnJrnlInformation -Path <String> [-AsBytes <SwitchParameter>] [<CommonParameters>]
DESCRIPTION
The Get-ForensicUsnJrnlInformation cmdlet parses the $UsnJrnl file's $Max data stream and returns metadata about
the UsnJrnl configuration.
By default, this cmdlet parses the $UsnJrnl file on the C:\ drive. To specify a drive, use the
VolumeName parameter. To specify an exported $UsnJrnl file, use the Path parameter.
You can also use the AsBytes parameter to get the metadata in byte format.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\.\C:, C:, or C.
Required? false
Position? 0
Default value \\.\C:
Accept pipeline input? false
Accept wildcard characters? false
-AsBytes [<SwitchParameter>]
Returns the $UsnJrnl $Max data stream as a byte array instead of as a UsnJrnlDetail object.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
Path to file to be parsed.
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String
OUTPUTS
PowerForensics.Ntfs.UsnJrnlDetail
System.Byte
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\>Get-ForensicUsnJrnlInformation
MaxSize AllocationDelta UsnId
------- --------------- -----
33554432 8388608 130547872109887937
This command gets metadata about the $UsnJrnl on the C:\ logical volume.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\>Get-ForensicUsnJrnlInformation -Path C:\evidence\UsnJrnl
MaxSize AllocationDelta UsnId
------- --------------- -----
33554432 8388608 130547872109887937
This command gets metadata about the $UsnJrnl from an exported UsnJrnl file.
-------------------------- EXAMPLE 3 --------------------------
[ADMIN]: PS C:\>Get-ForensicUsnJrnlInformation -AsBytes | Format-ForensicHex
Offset _00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F Ascii
------ ------------------------------------------------ -----
0x00000000 00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 ................
0x00000010 C1 01 4B 17 99 CC CF 01 00 00 00 00 00 00 00 00 ..K.............
This command gets metadata about the $Max data stream as a byte array.
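The following is an added example and is not part of PowerForensics or of this help topic. It parses the raw bytes that -AsBytes returns by hand, so the hex dump in Example 3 can be mapped to the MaxSize, AllocationDelta and UsnId columns of Examples 1 and 2. The field layout of the $Max stream (four little-endian 64-bit integers: maximum size, allocation delta, journal ID, lowest valid USN) and the reading of the journal ID as a FILETIME are assumptions stated in the code comments; the function name ConvertFrom-UsnJrnlMax is hypothetical.

```powershell
# Added example, not part of PowerForensics: parse a $UsnJrnl:$Max data stream.
# Assumed layout (four little-endian UInt64 values, 32 bytes total):
#   0x00 MaximumSize   0x08 AllocationDelta   0x10 UsnJournalID   0x18 LowestValidUsn
function ConvertFrom-UsnJrnlMax {
    [CmdletBinding()]
    param(
        # Raw $Max bytes, e.g. [byte[]](Get-ForensicUsnJrnlInformation -AsBytes)
        [Parameter(Mandatory)]
        [byte[]]$Bytes
    )

    if ($Bytes.Length -lt 0x20) {
        throw "Expected at least 32 bytes of `$Max data, got $($Bytes.Length)."
    }

    $usnId = [BitConverter]::ToUInt64($Bytes, 0x10)

    # Assumption (not stated in this help topic): NTFS assigns the journal ID from
    # the creation time as a FILETIME, so it can be decoded as a UTC timestamp.
    # Decoding is guarded so an unexpected value does not abort the parse.
    $created = $null
    if ($usnId -le [int64]::MaxValue) {
        try { $created = [DateTime]::FromFileTimeUtc([int64]$usnId) } catch { }
    }

    [PSCustomObject]@{
        MaxSize           = [BitConverter]::ToUInt64($Bytes, 0x00)
        AllocationDelta   = [BitConverter]::ToUInt64($Bytes, 0x08)
        UsnId             = $usnId
        LowestValidUsn    = [BitConverter]::ToUInt64($Bytes, 0x18)
        JournalCreatedUtc = $created
    }
}

# Constructed sample input: the 32 bytes shown in the Example 3 hex dump.
$sample = [byte[]](
    0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,  0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00,
    0xC1,0x01,0x4B,0x17,0x99,0xCC,0xCF,0x01,  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
)

ConvertFrom-UsnJrnlMax -Bytes $sample | Format-List

# On a live system (elevated session), feed the cmdlet's raw output to the same parser:
# ConvertFrom-UsnJrnlMax -Bytes ([byte[]](Get-ForensicUsnJrnlInformation -AsBytes))
```

Run against the sample bytes, the parser yields the same MaxSize, AllocationDelta and UsnId that Examples 1 and 2 report, which confirms that the first three 8-byte fields of the dump are those columns. The decoded creation time is a useful triage datapoint for an examiner: because the journal ID is assigned when the journal is created, a creation time much later than the volume's own age indicates that the journal was deleted and recreated, and any change records before that point are gone. The cmdlet emits individual System.Byte objects, so the cast to [byte[]] is needed before indexing into the array.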
RELATED LINKS