A tool to trim a USN Journal file extracted by other tools.
This tool starts at the end of the USN Journal file and works its way back by searching for the start of the USN record buffer. For more on how USN records are stored, see: https://technet.microsoft.com/en-us/library/cc788042(v=ws.11).aspx.
Why does it start from the end and work its way back? Because the record area will always be at the end of the file, and when you have a many-gigabyte USN Journal, it is faster to start at the end than to work your way through many gigabytes of 0x00s.
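The backward search described above, as an added Python example (not the tool's own code). It assumes the extracted file holds USN_RECORD_V2 records preceded by a zero-filled region of at least one scan chunk; the function names and the 64 KiB chunk size are choices made for this illustration.

```python
import os
import shutil
import struct

CHUNK = 64 * 1024   # assumed scan size; in-page padding between records is far smaller
V2_HEADER = 60      # fixed part of USN_RECORD_V2 before the file name

def find_record_start(f, size, chunk=CHUNK):
    """Walk back from EOF; return the offset where the non-zero record area begins."""
    pos, first_data = size, None
    while pos > 0:
        start = max(0, pos - chunk)
        f.seek(start)
        block = f.read(pos - start)
        data = block.lstrip(b"\x00")
        if data:
            first_data = start + len(block) - len(data)
        elif first_data is not None:
            break                      # hit the zero-filled region below the records
        pos = start
    if first_data is None:
        return None
    # Records are 8-byte aligned; round down in case RecordLength's low byte is 0x00.
    return first_data & ~7

def looks_like_usn_v2(header):
    """Sanity-check RecordLength / MajorVersion / MinorVersion of a V2 record."""
    if len(header) < V2_HEADER:
        return False
    rec_len, major, minor = struct.unpack_from("<IHH", header, 0)
    return major == 2 and minor == 0 and rec_len >= V2_HEADER and rec_len % 8 == 0

def trim_journal(src, dst):
    """Copy only the record area of src into dst; return the offset it started at."""
    size = os.path.getsize(src)
    with open(src, "rb") as f:
        start = find_record_start(f, size)
        if start is None:
            raise ValueError("file contains no non-zero data")
        f.seek(start)
        if not looks_like_usn_v2(f.read(V2_HEADER)):
            raise ValueError(f"data at offset {start} is not a USN_RECORD_V2")
        f.seek(start)
        with open(dst, "wb") as out:
            shutil.copyfileobj(f, out)
    return start
```

Only the tail of the file is read before the copy, so the cost depends on the size of the record area rather than on the size of the zero-filled region in front of it.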
© 2019 Copyright | DFIR Training