Filter file with usnjournal


Mari DeGrazia

Aug 9, 2016, 12:58:23 PM8/9/16
to log2timeline-discuss
Hello,

I'm so excited log2timeline now supports the Usn Journal! Please forgive me if I am overlooking something simple - I am trying to parse the Usn Journal in a triage type situation. I would like to parse the $J along with a handful of other artifacts. I am using the -f option with a filter file.

What entries do I need to make in the filter file to use with the usnjrnl parser?
 
The syntax I am using is: log2timeline.exe --parsers "usnjrnl" -f filter_windows.txt test.plaso test.e01

I am using the filter file included in the plaso /data folder which include the following entries:

/[$]MFT
/[$]LogFile
/[$]Extend/$UsnJrnl

So far, the only way I have gotten it to work is to remove the -f argument and just supply the plugin:

log2timeline.exe --parsers "usnjrnl"  plaso.dump test.e01

I know I am probably missing something simple here.....

I am using plaso-1.4.0-win-amd64-vs2010

Thanks!

Jeff

Aug 9, 2016, 1:57:13 PM8/9/16
to Mari DeGrazia, log2timeline-discuss

Mari,

Have you tried the filter adding the J file in the path for the text file?

Technically the UsnJrnl is an ADS (Alternate Data Stream) file and it may be seeing it as 2 files versus one. The filter is looking for the specific file $UsnJrnl vs $UsnJrnl\$J.

Cheers - Jeff


--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsub...@googlegroups.com.
To post to this group, send email to log2timeline-discuss@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mari DeGrazia

Aug 9, 2016, 2:15:54 PM8/9/16
to Jeff, log2timeline-discuss
Jeff,

I had thought of the same thing and tried the following syntax in the filter file - still with no luck:

/[$]Extend/$UsnJrnl/$J
/[$]Extend/$UsnJrnl:$J

I am not sure what the syntax should be for ADS....

Thanks!

Mari DeGrazia


Joachim Metz

Aug 9, 2016, 2:20:16 PM8/9/16
to Mari DeGrazia, Jeff, log2timeline-discuss
/[$]Extend/$UsnJrnl

1. Try escaping the $, since it has a special meaning in a regex e.g. /[$]Extend/[$]UsnJrnl
2. I don't think ADS : notation is supported by the filter files, also how would you distinguish between a file that has a : in the file name?
3. $LogFile is currently not supported by plaso
4. I think we only support usnjrnl on storage media images
5. best option you currently have is:
log2timeline.exe --parsers "mft,usnjrnl" storage.plaso test.e01 


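Added illustration (not part of the thread, and not plaso's or dfVFS's own matcher): a small Python model of a path filter that compiles each /-separated segment of a filter line as a regular expression and runs it over a constructed set of NTFS paths. It shows why a bare $UsnJrnl never matches (an unescaped $ is an end-of-string anchor in a regex), why [$]UsnJrnl does, and why a ":$J" stream name written into the path cannot be told apart from an ordinary file name that happens to contain a colon. The per-segment regex model and the sample paths are assumptions made for this example.

```python
import re

# Constructed sample of full paths as a collector might enumerate them from an
# NTFS image. The "file:stream" entry is included only to show what a purely
# path-based filter would see if ADS notation were written into a path.
SAMPLE_PATHS = [
    "/$MFT",
    "/$LogFile",
    "/$Extend/$UsnJrnl",
    "/$Extend/$UsnJrnl:$J",
    "/Windows/System32/config/SAM",
]

# Matches a '$' that is not the one inside the "[$]" character class.
_UNESCAPED_DOLLAR = re.compile(r"(?<!\[)\$")


def compile_filter_line(line):
    """Split one filter-file line on '/' and compile every segment as a regex
    that must match a whole path segment.
    Assumption: this per-segment regex model is an illustration of the
    escaping problem, not a copy of the real filter implementation."""
    segments = [seg for seg in line.strip().split("/") if seg]
    return [re.compile("^" + seg + "$") for seg in segments]


def path_matches(line, path):
    """True when every segment of `path` matches the corresponding pattern."""
    patterns = compile_filter_line(line)
    parts = [part for part in path.split("/") if part]
    if len(patterns) != len(parts):
        return False
    return all(pat.match(part) for pat, part in zip(patterns, parts))


def matching_paths(line, paths=SAMPLE_PATHS):
    """Return the sample paths selected by one filter line."""
    return [path for path in paths if path_matches(line, path)]


def explain(line):
    """Point out segments where '$' is left unescaped. Inside a regex that '$'
    is an end-of-string anchor, so "$UsnJrnl" demands the end of the segment
    before the letters and can never match the real file name."""
    bad = [seg for seg in line.strip().split("/")
           if seg and _UNESCAPED_DOLLAR.search(seg)]
    if bad:
        return "unescaped '$' in segment(s): " + ", ".join(bad)
    return "all '$' escaped"


if __name__ == "__main__":
    for line in ("/[$]MFT", "/$MFT", "/[$]Extend/$UsnJrnl",
                 "/[$]Extend/[$]UsnJrnl", "/[$]Extend/[$]UsnJrnl/[$]J",
                 "/[$]Extend/[$]UsnJrnl:[$]J"):
        print(f"{line:32} -> {matching_paths(line)!r}  ({explain(line)})")
```

The last two lines of the loop are the ADS cases from the thread: writing the stream as a child path ("/$J") selects nothing because the stream is not a separate directory entry, and writing it with a colon would also select a regular file named "$UsnJrnl:$J", which is the ambiguity Joachim's point 2 refers to.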

Mari DeGrazia

Aug 10, 2016, 12:18:25 AM8/10/16
to Joachim Metz, Jeff, log2timeline-discuss
Thanks for the answers.

I tried escaping the $, and no luck. It seems number 5 is the way to go.

Thanks everyone!

@MariDeGrazia