USN Journal $Max
Overview
Evidence: USN Journal $Max
Description: Dump Contents of $UsnJrnl:$Max
Category: NTFS
Platform: Windows
Short Name: usnjrnmax
Is Parsed: No - Raw metadata stream
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The $UsnJrnl:$Max alternate data stream contains metadata about the USN Journal configuration, including its maximum size and allocation information. It complements the $UsnJrnl:$J stream, which contains the actual journal records.
Data Collected
Type (File type): UsnJournalMax
Name (File name): $UsnJrnl:$Max
SourcePath (Original path): C:\$Extend\$UsnJrnl:$Max
FilePath (Path in evidence): NTFSFiles/$UsnJrnl_$Max
FileSize (File size in bytes): 256
Collection Method
This collector uses a kernel driver to read the $Extend\$UsnJrnl:$Max alternate data stream from each fixed NTFS drive.
Usage
USN Journal $Max provides configuration metadata for the journal. Investigators use this data to understand journal size limits, verify journal configuration, and analyze journal metadata.
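As an added example, not part of this page's collector, the following Python decoder reads a collected NTFSFiles/$UsnJrnl_$Max file and reports the configuration values an investigator checks. The 32-byte field layout (four little-endian 64-bit values) is taken from public NTFS documentation and is assumed here, as is the zero padding that brings the collected file to its reported size.

```python
import struct
from dataclasses import dataclass

# Assumed layout of $UsnJrnl:$Max (public NTFS documentation, not stated on this page):
# four little-endian unsigned 64-bit fields, 32 bytes in total.
USN_MAX_STRUCT = struct.Struct("<QQQQ")


@dataclass(frozen=True)
class UsnJournalMax:
    maximum_size: int      # journal size limit in bytes
    allocation_delta: int  # bytes added or trimmed per allocation step
    journal_id: int        # identifier assigned when the journal was created
    lowest_valid_usn: int  # first USN still present in $J


def parse_usn_max(data: bytes) -> UsnJournalMax:
    """Decode the $Max stream. The collected file may be padded beyond 32 bytes
    (this page reports 256), so only the leading 32 bytes are decoded."""
    if len(data) < USN_MAX_STRUCT.size:
        raise ValueError(f"$Max stream too short: {len(data)} bytes")
    return UsnJournalMax(*USN_MAX_STRUCT.unpack_from(data, 0))


def journal_recreated(before: UsnJournalMax, after: UsnJournalMax) -> bool:
    """A different journal ID between two snapshots of the same volume means the
    journal was deleted and re-created, so $J records from before that point are gone."""
    return before.journal_id != after.journal_id


# Constructed sample: 32 MiB journal, 8 MiB allocation delta, arbitrary ID and USN,
# padded with zeros to 256 bytes like the collected file.
SAMPLE = USN_MAX_STRUCT.pack(32 * 1024 * 1024, 8 * 1024 * 1024,
                             0x01D9C0FFEE123456, 0x4A00000) + b"\x00" * 224

if __name__ == "__main__":
    m = parse_usn_max(SAMPLE)
    print(f"max {m.maximum_size} bytes, delta {m.allocation_delta} bytes, "
          f"id {m.journal_id:#x}, lowest USN {m.lowest_valid_usn}")
```

Comparing the journal ID and lowest valid USN across collections from the same host shows whether the journal was reset or trimmed between acquisitions.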
Known Limitations
Only available on NTFS volumes
Very small file
Limited forensic value compared to $J stream
Requires understanding of USN Journal internals
Notes
The $Max stream is primarily for understanding USN Journal configuration. The actual forensic value is in the $J stream (USN Journal binary).