JournalTrace
Description: A graphical user interface (GUI) tool developed by Spokwn for parsing and viewing NTFS USN Journal entries ($UsnJrnl:$J data stream). It provides specific event names and advanced filtering capabilities, offering a more detailed analysis compared to some simpler viewers.
Features:
Parses and displays USN Journal entries from selected NTFS volumes.
Clearly displays event reason codes (e.g.,
FileDelete,Rename_New_Name,BasicInfoChange,Data_Overwrite).Supports advanced filtering within columns using specific operators:
Inclusions (
&&): Match multiple conditions (e.g.,name:rundll32&&.pf).Exclusions (
!!): Exclude specific values (e.g.,name:.exe!!svchost).OR Conditions (
||): Match one of several conditions (e.g.,name:.exe||.dll).Multi-Column Filters (
;): Filter across columns simultaneously (e.g.,name:.pf;reason:delete). Column name prefix is optional if using operators.
Utilizes an
OpenByFileIdwrapper to resolve file identifiers that might otherwise be unreadable.Based on StCroixSkippers' C# wrapper for the UsnJournal Win32 API.
Usage: Essential for detailed analysis of file system activity history. Its advanced filtering allows precise tracking of file creations, deletions, renames, attribute modifications (like Read-Only or Timestomping via BasicInfoChange), and data changes (like Hex Editing via DataOverwrite), crucial for reconstructing activity and detecting bypass attempts.
License: GNU General Public License v3.0.
Link: https://github.com/spokwn/JournalTrace/releases
Last updated