USN Journal as CSV

Overview

Evidence: USN Journal
Description: Dump contents of $UsnJrnl file
Category: DiskFilesystem
Platform: windows
Short Name: usnjrn
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The Update Sequence Number (USN) Journal is a feature of NTFS that provides a persistent log of all changes made to files on the volume. Each file change is assigned a unique USN and recorded with metadata including the type of change, filename, and timestamp. The journal is stored in the $UsnJrnl:$J alternate data stream.

Data Collected

This collector gathers the following structured data about the USN Journal file.

USN Journal Data

Field        Description         Example
Type         File type           UsnJournal
Name         File name           $UsnJrnl:$J
SourcePath   Original path       C:\$Extend\$UsnJrnl:$J
FilePath     Path in evidence    NTFSFiles/$UsnJrnl_$J
FileSize     File size in bytes  33554432

Collection Method

This collector uses kernel-driver raw NTFS access to read $UsnJrnl:$J from each fixed NTFS drive.

Forensic Value

The USN Journal provides a comprehensive timeline of file system activity, including file creation, deletion, modification, and renaming. It can reveal deleted files, track file movements, and establish detailed user activity timelines. It is particularly valuable for detecting data exfiltration, tracking malware activity, and reconstructing user actions over extended periods.
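The collected $J stream is a run of USN_RECORD_V2 structures (the common NTFS case; V3/V4 records are not handled here) behind a sparse, zero-filled prefix. The Python below is an added example, not part of this documentation or of the collector, showing how such a dump becomes the CSV the page title refers to: it skips the zero region, stops cleanly at a truncated tail, converts FILETIME stamps, splits file reference numbers into MFT entry and sequence number, and names the reason flags. The sample journal bytes are constructed inline and labelled as such.

```python
import csv, io, struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed part (60 bytes); the UTF-16LE FileName follows at FileNameOffset
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COLS = ["usn", "timestamp", "mft_entry", "mft_seq", "parent_entry", "reason", "name"]
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}

def decode_reason(flags):  # names for the known USN_REASON_* bits, raw hex if none match
    return "|".join(n for bit, n in sorted(REASONS.items()) if flags & bit) or f"0x{flags:X}"

def parse_usnjrnl(data):  # yields one dict per USN_RECORD_V2 in a raw $UsnJrnl:$J dump
    off = 0
    while off + _HDR.size <= len(data):
        (length, major, _, frn, parent, usn, ft, reason, _, _, _,
         name_len, name_off) = _HDR.unpack_from(data, off)
        if length == 0:  # zero-filled region of the sparse $J; records are 8-byte aligned
            off += 8
            continue
        if major != 2 or length % 8 or off + length > len(data):
            break        # unsupported record version, or a record cut off at the end of the dump
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn,
               "timestamp": (_FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat(),
               "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,  # FRN = seq:entry
               "parent_entry": parent & 0xFFFFFFFFFFFF,
               "reason": decode_reason(reason), "name": name}
        off += length

def usnjrnl_to_csv(data):
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerows([COLS] + [[r[c] for c in COLS] for r in parse_usnjrnl(data)])
    return out.getvalue()

def make_record(usn, ft, reason, frn, parent, name):  # builds the constructed sample records
    enc = name.encode("utf-16-le")
    length = (_HDR.size + len(enc) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(enc), _HDR.size)
    return (hdr + enc).ljust(length, b"\0")

FT = 133_400_000_000_000_000  # FILETIME (100 ns ticks since 1601) = 2023-09-24T03:33:20Z
SAMPLE = (b"\0" * 32  # constructed $J: zero prefix, create, rename pair, truncated tail; USN = byte offset
          + make_record(32, FT, 0x80000100, (5 << 48) | 1234, 5, "draft.docx")
          + make_record(112, FT + 10**7, 0x1000, (5 << 48) | 1234, 5, "draft.docx")
          + make_record(192, FT + 10**7, 0x80002000, (5 << 48) | 1234, 5, "report.docx")
          + make_record(280, FT + 2 * 10**7, 0x200, (2 << 48) | 99, 5, "tmp.bin")[:64])
```

On a real 32 MB $J the zero prefix can be tens of megabytes, so stepping 8 bytes at a time is correct but slow; jump ahead over zero pages (for example with `bytes.find` on a non-zero byte) when throughput matters.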
