{"id":13698594,"url":"https://strozfriedberg.github.io/ntfs-linker/","last_synced_at":"2025-05-04T03:31:39.911Z","repository":{"id":147690514,"uuid":"45109259","full_name":"strozfriedberg/ntfs-linker","owner":"strozfriedberg","description":"An NTFS journal parser","archived":false,"fork":false,"pushed_at":"2016-03-03T22:47:43.000Z","size":7346,"stargazers_count":77,"open_issues_count":0,"forks_count":5,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-03-26T16:00:50.596Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://strozfriedberg.github.io/ntfs-linker","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/strozfriedberg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-LGPLv3.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2015-10-28T11:58:15.000Z","updated_at":"2024-03-26T16:00:50.596Z","dependencies_parsed_at":"2024-01-13T10:40:39.097Z","dependency_job_id":"89b9177a-52aa-46b7-bd26-784cbfd2d766","html_url":"https://github.com/strozfriedberg/ntfs-linker","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strozfriedberg%2Fntfs-linker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strozfriedberg%2Fntfs-linker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strozfriedberg%2Fntfs-linker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strozfriedberg%2Fntfs-linker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/strozfried
berg","download_url":"https://codeload.github.com/strozfriedberg/ntfs-linker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224383694,"owners_count":17302247,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T19:00:50.529Z","updated_at":"2024-11-13T03:31:14.620Z","avatar_url":"https://github.com/strozfriedberg.png","language":"C++","funding_links":[],"categories":["Challenges"],"sub_categories":["Windows Artifacts"],"readme":"# [NTFS-Linker](http://strozfriedberg.github.io/ntfs-linker)\nAuthor: Zack Weger\n\nCopyright (c) 2015, [Stroz Friedberg, LLC](http://www.strozfriedberg.com)\n\nStatus: Alpha\n\nLicense: [LGPLv3](LICENSE-LGPLv3.txt)\n\n## Description\nNTFS Linker uses the `$MFT`, `$LogFile`, and `$UsnJrnl` to generate a \"linked\" \nhistory of file system activity on an NTFS volume. `$LogFile` and `$UsnJrnl` track\nchanges to files and folders over time. Linking the records in these logs with \n`$MFT` allows for the construction of a timeline of activity: \ncreates, moves/renames, and deletes. NTFS Linker produces records that can \neasily be filtered to review different types of activity. 
In addition, \nNTFS-Linker is able to run across all Volume Shadow Copies (VSCs) on a volume, \nand produce output in a unified and deduplicated manner.\n\n\n## Usage\n```\nntfs-linker, Copyright (c) Stroz Friedberg, LLC\nVersion 0.1.1\nUsage: ntfs_linker ntfs-dir output [options] \nAllowed options:\n  --ntfs-dir arg        If no image specified, location of root directory \n                        containing input files. Otherwise, root directory in \n                        which to dump files extracted from image. See the docs \n                        for info about ntfs-dir structure.\n  --output arg          directory in which to dump output files\n  --image arg           Path to image file(s)\n  --overwrite           overwrite files in the output directory. Default: \n                        append\n  --extra               Outputs supplemental lower-level parsed data from \n                        $UsnJrnl and $LogFile\n  --help                display help and exit\n  --version             display version number and exit\n  ```\n\n\n## Output\n\nNTFS-Linker produces three TSV reports: events.txt, log.txt, and usn.txt.\n\n- log.txt: contains listing of log record headers. Does not contain the\nredo/undo operation data, so this report is of limited use.\n\n- usn.txt: contains a \"raw\" view of `$UsnJrnl` entries in more detail than \nwhat events.txt provides, including all of the Reason flags.\n\n- events.txt: contains a unified view of all file system events, as parsed from\nboth $UsnJrnl and $LogFile, ordered by event time from most recent to oldest \n(approximately--see below).\n\nNTFS-Linker _also_ produces a SQLite database containing all of the above data. \nThe database schema is designed for ease of querying, not full normalization.\n\n## Installation\nThe source is in C++ and uses autotools for building. C++11 compiler support is\nrequired. 
On a sane Unix, this should work:\n```\n./bootstrap.sh\n./configure\nmake\nsudo make install\n```\n\nNTFS-Linker has dependencies on \n[SQLite](http://www.sqlite.org), \n[Boost](http://www.boost.org), \n[libtsk](http://www.sleuthkit.org), \n[libewf](http://github.com/libyal/libewf), \n[libbfio](http://github.com/libyal/libbfio), \n[libcerror](http://github.com/libyal/libcerror), \nand [libvshadow](http://github.com/libyal/libvshadow). The `configure` script \nshould detect these dependencies on your system and warn you if any are missing.\n\n`libewf` should be installed before building and installing `libtsk`.\n\nNote that libvshadow must be compiled with libbfio enabled, and The Sleuth Kit\nmust be compiled with `--disable-multithreading` (which is only available in\nversion 4.3).\n\nAfter installing the dependencies you may need to run:\n```\nsudo ldconfig\n```\n\nWith sufficient wizardry, NTFS-Linker can be built for Windows using MinGW. For \nthe impatient, prebuilt binaries can be [downloaded](https://s3.amazonaws.com/downloads.lightboxtechnologies.com/ntfs-linker/ntfs-linker-338dcc1-windows-64-static.zip).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/strozfriedberg.github.io%2Fntfs-linker%2F","html_url":"https://awesome.ecosyste.ms/projects/strozfriedberg.github.io%2Fntfs-linker%2F","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/strozfriedberg.github.io%2Fntfs-linker%2F/lists"}