USN Journal as CSV

Overview

  • Evidence: USN Journal as CSV

  • Description: Parse USN Journal Entries in CSV Format

  • Category: NTFS

  • Platform: Windows

  • Short Name: usncsv

  • Is Parsed: Yes - USN records are parsed into CSV format

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

The Update Sequence Number (USN) Journal is an NTFS feature that logs all changes made to files and directories on a volume. Every file system operation (create, delete, modify, rename) generates a USN record.

The USN Journal provides a comprehensive timeline of file system activity and can track changes that occurred before the system was acquired. It is particularly valuable for detecting file manipulation, identifying deleted files, and reconstructing attacker activity.

Data Collected

Field                            Description                    Example
FileName                         File or directory name         document.docx
UpdateSequenceNumber             Unique sequence number         123456789
UpdateDateTime                   When the change occurred       2023-10-15T14:30:00Z
UpdateReasonFlags                Type of change                 FILE_CREATE+DATA_EXTEND
MftFileReference                 MFT entry number               12345
MftFileReferenceSequence         MFT sequence number            1
MftParentFileReference           Parent directory MFT entry     5
MftParentFileReferenceSequence   Parent sequence number         1
FileAttributeFlags               File attributes                READ_ONLY+ARCHIVE
UpdateSourceFlags                Source of update               DATA_MANAGEMENT

Collection Method

This collector:

  • Reads the USN Journal from all fixed NTFS drives

  • Parses each USN record using NtfsEnumerateUSNEntries

  • Exports records to CSV format

  • Converts reason flags, source flags, and attribute flags to human-readable format

Update Reason Flags include: DATA_OVERWRITE, DATA_EXTEND, FILE_CREATE, FILE_DELETE, RENAME_OLD_NAME, RENAME_NEW_NAME, SECURITY_CHANGE, and many others.
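The following is an added example, not the collector's own code, showing what the steps above amount to: it parses a raw USN_RECORD_V2 (the fixed header layout and the USN_REASON_*, USN_SOURCE_* and FILE_ATTRIBUTE_* bit values are those from winioctl.h), splits the 64-bit file references into the MFT entry number (low 48 bits) and sequence number (high 16 bits), converts the FILETIME, renders the three bitmasks as "+"-joined names, and writes rows with the column names from the Data Collected table. The order in which flag names are joined (ascending bit value) is an assumption; the collector may order them differently, which is why the page's example reads FILE_CREATE+DATA_EXTEND. The sample record is constructed in the block from the page's example values rather than read from a volume.

```python
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bit values as defined in winioctl.h.
USN_REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
# USN_SOURCE_* bit values.
USN_SOURCE_FLAGS = {0x1: "DATA_MANAGEMENT", 0x2: "AUXILIARY_DATA",
                    0x4: "REPLICATION_MANAGEMENT", 0x8: "CLIENT_REPLICATION_MANAGEMENT"}
# FILE_ATTRIBUTE_* bit values, named the way the page's example spells them (READ_ONLY).
FILE_ATTRIBUTE_FLAGS = {
    0x0001: "READ_ONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
    0x0020: "ARCHIVE", 0x0040: "DEVICE", 0x0080: "NORMAL", 0x0100: "TEMPORARY",
    0x0200: "SPARSE_FILE", 0x0400: "REPARSE_POINT", 0x0800: "COMPRESSED",
    0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
}

# USN_RECORD_V2 fixed header: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_RECORD_V2 = struct.Struct("<IHHQQqqIIIIHH")   # 60 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CSV_COLUMNS = ["FileName", "UpdateSequenceNumber", "UpdateDateTime", "UpdateReasonFlags",
               "MftFileReference", "MftFileReferenceSequence", "MftParentFileReference",
               "MftParentFileReferenceSequence", "FileAttributeFlags", "UpdateSourceFlags"]


def decode_flags(value, table):
    """Render a bitmask as '+'-joined names (ascending bit order); unknown bits are kept visible."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return "+".join(names)


def filetime_to_iso(filetime):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> ISO 8601 string like the page's example."""
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_usn_record(buf, offset=0):
    """Parse one USN_RECORD_V2 at `offset`; return (row dict in CSV column order, next offset)."""
    (rec_len, major, _minor, file_ref, parent_ref, usn, ts, reason, source,
     _sec_id, attrs, name_len, name_off) = USN_RECORD_V2.unpack_from(buf, offset)
    if major != 2 or rec_len < USN_RECORD_V2.size:
        raise ValueError(f"unsupported or corrupt USN record at offset {offset}")
    name = buf[offset + name_off: offset + name_off + name_len].decode("utf-16-le")
    # A file reference packs the MFT entry in the low 48 bits and the sequence in the high 16.
    row = {
        "FileName": name,
        "UpdateSequenceNumber": usn,
        "UpdateDateTime": filetime_to_iso(ts),
        "UpdateReasonFlags": decode_flags(reason, USN_REASON_FLAGS),
        "MftFileReference": file_ref & 0xFFFFFFFFFFFF,
        "MftFileReferenceSequence": file_ref >> 48,
        "MftParentFileReference": parent_ref & 0xFFFFFFFFFFFF,
        "MftParentFileReferenceSequence": parent_ref >> 48,
        "FileAttributeFlags": decode_flags(attrs, FILE_ATTRIBUTE_FLAGS),
        "UpdateSourceFlags": decode_flags(source, USN_SOURCE_FLAGS),
    }
    return row, offset + rec_len


def records_to_csv(buf):
    """Walk a buffer of back-to-back USN_RECORD_V2 records and emit CSV with the page's columns."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    offset = 0
    while offset + USN_RECORD_V2.size <= len(buf):
        row, offset = parse_usn_record(buf, offset)
        writer.writerow(row)
    return out.getvalue()


def build_record(name, mft_entry, mft_seq, parent_entry, parent_seq, usn, when, reason, source, attrs):
    """Construct a USN_RECORD_V2 for testing (sample data, not captured from a real volume)."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (USN_RECORD_V2.size + len(name_bytes) + 7) & ~7       # records are 8-byte aligned
    filetime = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    header = USN_RECORD_V2.pack(rec_len, 2, 0, (mft_seq << 48) | mft_entry,
                                (parent_seq << 48) | parent_entry, usn, filetime,
                                reason, source, 0, attrs, len(name_bytes), USN_RECORD_V2.size)
    return (header + name_bytes).ljust(rec_len, b"\0")


# Constructed sample mirroring the page's example values (not real journal data).
SAMPLE_JOURNAL = build_record("document.docx", 12345, 1, 5, 1, 123456789,
                              datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc),
                              0x00000102, 0x1, 0x21)

if __name__ == "__main__":
    print(records_to_csv(SAMPLE_JOURNAL))
```

When reading a live journal through FSCTL_READ_USN_JOURNAL, the buffer returned by the driver starts with an 8-byte USN before the first record, so skip those 8 bytes before handing the data to records_to_csv; a buffer of records extracted from the $UsnJrnl:$J stream of an image can be walked as-is, with the zero-filled regions between records treated as gaps. Keeping unknown bits visible rather than dropping them matters in forensics: a flag value the decoder does not know is still evidence.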

Usage

The USN Journal provides unparalleled visibility into file system activity and is essential for timeline reconstruction. Investigators use this data to reconstruct complete file activity timelines, detect mass file deletions or encryption (ransomware), identify file renaming operations, track file modifications by timestamp, detect data staging for exfiltration, identify temporary file usage, and correlate file system changes with other events.

Known Limitations

  • Journal size is limited (older entries are purged)

  • Can be cleared by users with appropriate privileges

  • Only available on NTFS volumes

  • Only records that a change occurred (reason flags and metadata), not the content that changed

  • Journal may wrap and lose old entries

Notes

The USN Journal is extremely valuable for ransomware investigations as it captures the mass file modification/renaming operations. Reason flags like RENAME_NEW_NAME followed by DATA_OVERWRITE can indicate file encryption.
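As an added example (not part of the original page or the collector), the following runs two of the checks described under Usage and Notes over the collector's CSV output: the RENAME_NEW_NAME-then-DATA_OVERWRITE sequence on the same MFT reference, and a per-window count of FILE_DELETE records to surface mass deletion. The rows are constructed sample data in the page's column layout; the 60-second pairing gap, the window size and the threshold are assumptions to tune per environment, and correlating on (MftFileReference, MftFileReferenceSequence) rather than on file name is deliberate, since the name changes across the rename.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows in the collector's CSV layout (not real journal data).
SAMPLE_CSV = """\
FileName,UpdateSequenceNumber,UpdateDateTime,UpdateReasonFlags,MftFileReference,MftFileReferenceSequence,MftParentFileReference,MftParentFileReferenceSequence,FileAttributeFlags,UpdateSourceFlags
budget.xlsx,1000,2023-10-15T14:30:00Z,FILE_CREATE+DATA_EXTEND+CLOSE,300,1,5,1,ARCHIVE,
report.docx,1001,2023-10-15T14:31:00Z,RENAME_OLD_NAME,200,1,5,1,ARCHIVE,
report.docx.locked,1002,2023-10-15T14:31:00Z,RENAME_NEW_NAME,200,1,5,1,ARCHIVE,
report.docx.locked,1003,2023-10-15T14:31:02Z,DATA_OVERWRITE+CLOSE,200,1,5,1,ARCHIVE,
a.tmp,1004,2023-10-15T14:32:10Z,FILE_DELETE+CLOSE,401,1,5,1,ARCHIVE,
b.tmp,1005,2023-10-15T14:32:11Z,FILE_DELETE+CLOSE,402,1,5,1,ARCHIVE,
c.tmp,1006,2023-10-15T14:32:12Z,FILE_DELETE+CLOSE,403,1,5,1,ARCHIVE,
notes.txt,1007,2023-10-15T15:00:00Z,DATA_OVERWRITE+CLOSE,500,1,5,1,ARCHIVE,
"""


def load_rows(csv_text):
    """Parse the collector CSV; attach parsed timestamp, reason set and MFT key; sort by USN."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["_ts"] = datetime.strptime(r["UpdateDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["_reasons"] = set(r["UpdateReasonFlags"].split("+"))
        # Entry number plus sequence identifies one lifetime of an MFT record (entries are reused).
        r["_key"] = (r["MftFileReference"], r["MftFileReferenceSequence"])
    return sorted(rows, key=lambda r: int(r["UpdateSequenceNumber"]))


def rename_then_overwrite(rows, max_gap_seconds=60):
    """Files whose RENAME_NEW_NAME record is followed, on the same MFT reference and within
    max_gap_seconds, by a DATA_OVERWRITE record (the pattern the page associates with encryption).
    Returns (old name, new name, USN of the overwrite) tuples in USN order."""
    old_name = {}      # key -> name carried by the RENAME_OLD_NAME record
    last_rename = {}   # key -> most recent RENAME_NEW_NAME row not yet paired
    hits = []
    for r in rows:
        if "RENAME_OLD_NAME" in r["_reasons"]:
            old_name[r["_key"]] = r["FileName"]
        if "RENAME_NEW_NAME" in r["_reasons"]:
            last_rename[r["_key"]] = r
        elif "DATA_OVERWRITE" in r["_reasons"] and r["_key"] in last_rename:
            prev = last_rename.pop(r["_key"])
            if (r["_ts"] - prev["_ts"]).total_seconds() <= max_gap_seconds:
                hits.append((old_name.get(r["_key"], "?"), r["FileName"], r["UpdateSequenceNumber"]))
    return hits


def burst_windows(rows, reason="FILE_DELETE", window_seconds=60, threshold=100):
    """Count records carrying `reason` per fixed window; return windows at or above threshold
    as (window start ISO, count). Mass deletion or mass overwrite shows up as a spike here."""
    buckets = Counter()
    for r in rows:
        if reason in r["_reasons"]:
            start = int(r["_ts"].timestamp()) // window_seconds * window_seconds
            buckets[start] += 1
    return sorted(
        (datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), n)
        for start, n in buckets.items() if n >= threshold
    )


SAMPLE_ROWS = load_rows(SAMPLE_CSV)

if __name__ == "__main__":
    for old, new, usn in rename_then_overwrite(SAMPLE_ROWS):
        print(f"rename+overwrite: {old} -> {new} (USN {usn})")
    for start, n in burst_windows(SAMPLE_ROWS, threshold=3):
        print(f"FILE_DELETE burst: {n} records in window starting {start}")
```

The same burst_windows call with reason="DATA_OVERWRITE" or reason="RENAME_NEW_NAME" gives the mass-modification and mass-rename views the Usage section describes. Because the journal wraps (see Known Limitations), the earliest window in the output may be truncated, so the first bucket should be read as a lower bound on the activity that occurred.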
