USN Journal

Overview

Evidence: USN Journal as CSV
Description: Parse USN Journal Entries in CSV Format
Category: DiskFilesystem
Platform: windows
Short Name: usncsv
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Update Sequence Number (USN) Journal is an NTFS feature that logs all changes made to files and directories on a volume. Every file system operation (create, delete, modify, rename) generates a USN record.

The USN Journal provides a comprehensive timeline of file system activity and can track changes that occurred before the system acquisition. It's particularly valuable for detecting file manipulation, identifying deleted files, and reconstructing attacker activity.

Data Collected

This collector gathers structured data from the NTFS USN Journal and exports it as CSV.

USN Journal as CSV Data

| Field | Description | Example |
|---|---|---|
| FileName | File or directory name | document.docx |
| UpdateSequenceNumber | Unique sequence number | 123456789 |
| UpdateDateTime | When the change occurred | 2023-10-15T14:30:00Z |
| UpdateReasonFlags | Type of change | FILE_CREATE+DATA_EXTEND |
| MftFileReference | MFT entry number | 12345 |
| MftFileReferenceSequence | MFT sequence number | 1 |
| MftParentFileReference | Parent directory MFT entry | 5 |
| MftParentFileReferenceSequence | Parent sequence number | 1 |
| FileAttributeFlags | File attributes | READ_ONLY+ARCHIVE |
| UpdateSourceFlags | Source of update | DATA_MANAGEMENT |

Collection Method

This collector:

  • Reads the USN Journal from all fixed NTFS drives
  • Parses each USN record using NtfsEnumerateUSNEntries
  • Exports records to CSV format
  • Converts reason flags, source flags, and attribute flags to human-readable format

Update Reason Flags include: DATA_OVERWRITE, DATA_EXTEND, FILE_CREATE, FILE_DELETE, RENAME_OLD_NAME, RENAME_NEW_NAME, SECURITY_CHANGE, and many others.

Forensic Value

The USN Journal provides unparalleled visibility into file system activity and is essential for timeline reconstruction. Investigators use this data to reconstruct complete file activity timelines, detect mass file deletions or encryption (ransomware), identify file renaming operations, track file modifications by timestamp, detect data staging for exfiltration, identify temporary file usage, and correlate file system changes with other events.
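The following Python is an added example, not code from the page or from the collector: it reads rows in the CSV layout described above, splits the "+"-joined flag fields, pairs RENAME_OLD_NAME/RENAME_NEW_NAME records that share an MFT reference and sequence, and buckets FILE_DELETE records per minute to surface deletion bursts. The sample rows are constructed, and the empty UpdateSourceFlags values are an assumption.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the collector's CSV layout (not real evidence).
SAMPLE_CSV = """FileName,UpdateSequenceNumber,UpdateDateTime,UpdateReasonFlags,MftFileReference,MftFileReferenceSequence,MftParentFileReference,MftParentFileReferenceSequence,FileAttributeFlags,UpdateSourceFlags
report.docx,1001,2023-10-15T14:30:00Z,RENAME_OLD_NAME,200,1,5,1,ARCHIVE,
report.docx.locked,1002,2023-10-15T14:30:00Z,RENAME_NEW_NAME+CLOSE,200,1,5,1,ARCHIVE,
budget.xlsx,1003,2023-10-15T14:30:01Z,RENAME_OLD_NAME,201,1,5,1,ARCHIVE,
budget.xlsx.locked,1004,2023-10-15T14:30:01Z,RENAME_NEW_NAME+CLOSE,201,1,5,1,ARCHIVE,
photo.jpg,1005,2023-10-15T14:30:02Z,FILE_DELETE+CLOSE,202,1,5,1,ARCHIVE,
notes.txt,1006,2023-10-15T14:31:10Z,FILE_CREATE+DATA_EXTEND+CLOSE,203,1,5,1,ARCHIVE,
"""


def parse_flags(field):
    """Split a '+'-joined flag string such as 'FILE_CREATE+DATA_EXTEND' into a set."""
    return {f for f in field.split("+") if f}


def load_usn_csv(text):
    """Read the CSV export into a list of dicts keyed by the column names above."""
    return list(csv.DictReader(io.StringIO(text)))


def pair_renames(rows):
    """Match RENAME_OLD_NAME and RENAME_NEW_NAME records on the same
    (MftFileReference, MftFileReferenceSequence); return (old, new, time) tuples."""
    pending, renames = {}, []
    for r in rows:
        flags = parse_flags(r["UpdateReasonFlags"])
        key = (r["MftFileReference"], r["MftFileReferenceSequence"])
        if "RENAME_OLD_NAME" in flags:
            pending[key] = r["FileName"]
        elif "RENAME_NEW_NAME" in flags and key in pending:
            renames.append((pending.pop(key), r["FileName"], r["UpdateDateTime"]))
    return renames


def deletes_per_minute(rows):
    """Count FILE_DELETE records per UTC minute ('YYYY-MM-DDTHH:MM') for burst review."""
    buckets = Counter()
    for r in rows:
        if "FILE_DELETE" in parse_flags(r["UpdateReasonFlags"]):
            buckets[r["UpdateDateTime"][:16]] += 1
    return buckets


if __name__ == "__main__":
    rows = load_usn_csv(SAMPLE_CSV)
    for old, new, when in pair_renames(rows):
        print(f"{when} rename {old} -> {new}")
    for minute, n in sorted(deletes_per_minute(rows).items()):
        print(f"{minute} FILE_DELETE count={n}")
```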
