USN Journal (Binary)
Overview
Evidence: USN Journal
Description: Dump Contents of $UsnJrnl File
Category: NTFS
Platform: Windows
Short Name: usnjrn
Is Parsed: No - Raw binary journal file
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The USN (Update Sequence Number) Journal is the NTFS change journal: the file system appends a record to it for every create, delete, rename, data or metadata change on the volume. The records live in the $J alternate data stream of the $Extend\$UsnJrnl metadata file. This evidence type collects that stream as a raw binary file (as opposed to the parsed CSV version).
The raw USN Journal can be analyzed with specialized tools to extract additional information or to verify the CSV parsing results.
Data Collected
Field       Description         Example
Type        File type           UsnJournal
Name        File name           $UsnJrnl:$J
SourcePath  Original path       C:\$Extend\$UsnJrnl:$J
FilePath    Path in evidence    NTFSFiles/$UsnJrnl_$J
FileSize    File size in bytes  33554432
The size shown is an example (32 MiB); the actual size depends on the volume's journal configuration, which can be checked with fsutil usn queryjournal C: on the host.
Collection Method
This collector uses a kernel driver to read the $Extend\$UsnJrnl:$J alternate data stream from each fixed NTFS drive. Only fixed drives are enumerated; removable media and non-NTFS volumes are not collected.
Usage
The raw USN Journal enables analysis beyond what the CSV export carries. Investigators use it for custom USN record parsing, verification of CSV results, advanced timeline reconstruction, and detailed change-tracking analysis (for example, following a file's rename chain by its MFT reference number, since the file name in each record is only the name at the time of that event).
Known Limitations
Only available on NTFS volumes
Requires the kernel driver for ADS access
Journal size is limited and wraps: $J is a sparse stream, so once the configured maximum is exceeded NTFS purges the oldest records from its head. Only the most recent window of activity is collected, and the start of the collected data may not align with a record boundary.
Requires specialized tools to parse; the raw records contain only file names and parent MFT references, so full paths can be reconstructed only together with the volume's $MFT
Notes
This is the raw binary USN Journal, different from "USN Journal as CSV", which is the parsed version. Tools like MFTECmd (pass the collected file with -f and write results with --csv; supplying the matching $MFT with -m lets it resolve parent paths) or custom parsers can analyze the raw journal.
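As an added example (not code from this page or from the collector), the following Python script parses USN_RECORD_V2 entries from a raw $J buffer: it skips the zero-filled sparse head and alignment padding, validates each record's length field before trusting it, decodes the reason flags and the FILETIME timestamp, splits the 64-bit file reference into MFT entry and sequence numbers, and pairs RENAME_OLD_NAME with the following RENAME_NEW_NAME record for the same entry. The journal it runs on is constructed in the script itself (a file created as evil.exe, renamed to svchost.exe, then deleted); the names, MFT numbers and timestamp are made up. To run it on real evidence, pass the bytes of the collected NTFSFiles/$UsnJrnl_$J file to parse_usn_journal().

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits from winioctl.h (subset used here)
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE",
    0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}

# Fixed part of USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQqQIIIIHH")
HEADER_LEN = HEADER.size  # 60 bytes; the UTF-16LE FileName follows at FileNameOffset
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) into a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def reason_names(reason):
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]


def parse_usn_journal(data):
    """Return one dict per valid USN_RECORD_V2 found in a raw $J buffer."""
    records, pos, end = [], 0, len(data)
    while pos + HEADER_LEN <= end:
        # $J is sparse and records are 8-byte aligned: step over zero-filled
        # gaps (purged head of the journal, alignment padding) 8 bytes at a time.
        if data[pos:pos + 8] == b"\x00" * 8:
            pos += 8
            continue
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason, source_info,
         _sec_id, attrs, name_len, name_off) = HEADER.unpack_from(data, pos)
        # Sanity-check before trusting RecordLength: V2 only, 8-byte aligned,
        # name inside the record, record inside the buffer. Otherwise realign.
        if (major != 2 or rec_len % 8 or rec_len < HEADER_LEN
                or name_off != HEADER_LEN or name_off + name_len > rec_len
                or pos + rec_len > end):
            pos += 8
            continue
        name = data[pos + name_off:pos + name_off + name_len].decode("utf-16-le", "replace")
        records.append({
            "offset": pos, "usn": usn, "timestamp": filetime_to_datetime(ts),
            "mft_entry": frn & 0xFFFFFFFFFFFF,   # low 48 bits: MFT record number
            "mft_seq": frn >> 48,                  # high 16 bits: sequence number
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "reason": reason, "reasons": reason_names(reason),
            "source_info": source_info, "attributes": attrs, "name": name,
        })
        pos += rec_len
    return records


def rename_pairs(records):
    """Pair each RENAME_OLD_NAME with the next RENAME_NEW_NAME for the same MFT entry."""
    pairs, pending = [], {}
    for rec in records:
        key = (rec["mft_entry"], rec["mft_seq"])
        if rec["reason"] & 0x00001000:
            pending[key] = rec["name"]
        elif rec["reason"] & 0x00002000 and key in pending:
            pairs.append((pending.pop(key), rec["name"]))
    return pairs


# --- constructed sample data (not a real journal) ---------------------------

def build_record_v2(frn, parent_frn, usn, filetime, reason, name, attrs=0x20):
    """Serialize one USN_RECORD_V2 in the layout parse_usn_journal() expects."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (HEADER_LEN + len(name_bytes) + 7) & ~7  # pad to an 8-byte boundary
    header = HEADER.pack(rec_len, 2, 0, frn, parent_frn, usn, filetime, reason,
                         0, 0, attrs, len(name_bytes), HEADER_LEN)
    return header + name_bytes + b"\x00" * (rec_len - HEADER_LEN - len(name_bytes))


SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # made up
_d = SAMPLE_TIME - FILETIME_EPOCH
SAMPLE_FILETIME = (_d.days * 86400 + _d.seconds) * 10_000_000 + _d.microseconds * 10


def build_sample_journal():
    """Create, rename and delete one file; 16 zero bytes stand in for the sparse head."""
    frn, parent = (5 << 48) | 42, (1 << 48) | 5   # entry 42 seq 5 under entry 5 seq 1
    events = [
        (0x00000100 | 0x80000000, "evil.exe"),       # FILE_CREATE | CLOSE
        (0x00001000, "evil.exe"),                     # RENAME_OLD_NAME
        (0x00002000 | 0x80000000, "svchost.exe"),    # RENAME_NEW_NAME | CLOSE
        (0x00000200 | 0x80000000, "svchost.exe"),    # FILE_DELETE | CLOSE
    ]
    blob = b"\x00" * 16
    for reason, name in events:  # a record's USN is its offset in the stream
        blob += build_record_v2(frn, parent, len(blob), SAMPLE_FILETIME, reason, name)
    return blob


if __name__ == "__main__":
    recs = parse_usn_journal(build_sample_journal())
    for r in recs:
        print(f'{r["timestamp"]:%Y-%m-%d %H:%M:%S}  usn={r["usn"]:<6} '
              f'entry={r["mft_entry"]}-{r["mft_seq"]}  {r["name"]:<12} {"|".join(r["reasons"])}')
    print("renames:", rename_pairs(recs))
```

The parser accepts only MajorVersion 2 records; newer Windows volumes can also carry USN_RECORD_V3 (128-bit file references) and V4 (range-tracking) records, which this script skips rather than misparses. When the collected file starts mid-record because of journal wrap, the realignment loop discards the partial record and resumes at the next valid one.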