Windows Journal Parser (jp)

jp is short for Journal Parser and is a command line implementation of a parser that will extract NTFS change log entries from a live Windows system.

The change journal is a component of NTFS that will, when enabled, record changes made to files. The change journal is located in the $UsnJrnl MFT entry, and the journal entries are located in the alternate data stream $J. Each entry is of variable size and its internal structure is documented in the MSDN.

The change journal will record amongst other things: (a) time of the change, (b) affected file/directory, (c) change type - delete, rename, size extend, etc. and therefore makes a useful tool when looking at a computer forensically.

Microsoft provides tools to look/affect the change journal as well as a published API to programmatically read/write from/to the change log. jp however, does not make use of the Windows API, but does the parsing by traversing the raw structures. This allows jp to be compiled for use on other operating systems to parse the change log journal as a component in a forensic toolkit.