USN Journal $Max

Overview

Evidence: USN Journal $Max
Description: Dump Contents of $UsnJrnl:$Max
Category: DiskFilesystem
Platform: windows
Short Name: usnjrnmax
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The $UsnJrnl:$Max stream is part of the USN Journal system and contains metadata about the journal itself, including the maximum USN value and journal configuration. While less frequently used than the $J stream, it provides important context about the journal's state and can be useful for forensic analysis.

Data Collected

This collector gathers structured data about the USN Journal $Max stream.

USN Journal $Max Data

Field        Description          Example
Type         File type            UsnJournalMax
Name         File name            $UsnJrnl:$Max
SourcePath   Original path        C:\$Extend\$UsnJrnl:$Max
FilePath     Path in evidence     NTFSFiles/$UsnJrnl_$Max
FileSize     File size in bytes   256

Collection Method

This collector uses a kernel driver with raw NTFS access to read $UsnJrnl:$Max from each fixed NTFS drive.

Forensic Value

The $Max stream provides journal metadata that can help investigators understand the journal's configuration, capacity, and current state. This information is useful for determining if the journal has wrapped, identifying gaps in the timeline, and understanding the journal's retention policy.
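As an added example (not part of this page or the collector's own code), the parser below reads a collected $UsnJrnl:$Max stream and derives the two facts the paragraph above mentions: whether the journal has wrapped, and which USNs recovered from $J fall below the retention floor. It assumes the commonly documented 32-byte layout of four little-endian 64-bit fields (maximum size, allocation delta, journal ID, lowest valid USN); the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Layout of $UsnJrnl:$Max assumed here (as commonly documented): four
# little-endian unsigned 64-bit integers, 32 bytes in total. Any bytes
# beyond the first 32 are ignored by the parser.
MAX_STRUCT = struct.Struct("<QQQQ")

@dataclass(frozen=True)
class UsnJournalMax:
    maximum_size: int      # soft cap on the $J stream, in bytes
    allocation_delta: int  # bytes $J may grow before old records are trimmed
    journal_id: int        # identifier; changes when the journal is recreated
    lowest_valid_usn: int  # oldest USN still backed by data in $J

def build_max(maximum_size: int, allocation_delta: int,
              journal_id: int, lowest_valid_usn: int) -> bytes:
    """Serialize the four fields; used here only to build constructed input."""
    return MAX_STRUCT.pack(maximum_size, allocation_delta, journal_id, lowest_valid_usn)

def parse_usn_max(data: bytes) -> UsnJournalMax:
    """Parse a raw $UsnJrnl:$Max stream as collected from the volume."""
    if len(data) < MAX_STRUCT.size:
        raise ValueError(f"$Max too short: {len(data)} bytes, need {MAX_STRUCT.size}")
    return UsnJournalMax(*MAX_STRUCT.unpack_from(data, 0))

def journal_has_wrapped(m: UsnJournalMax) -> bool:
    """A non-zero lowest valid USN means records before it have been trimmed."""
    return m.lowest_valid_usn > 0

def classify_usns(m: UsnJournalMax, usns: Iterable[int]) -> List[Tuple[int, str]]:
    """Label USNs recovered from $J: 'trimmed' if below the retention floor."""
    return [(u, "retained" if u >= m.lowest_valid_usn else "trimmed") for u in usns]

# Constructed sample: 32 MiB cap, 8 MiB delta, arbitrary id, floor at 160 MiB.
SAMPLE_MAX = build_max(32 * 1024 * 1024, 8 * 1024 * 1024,
                       0x01D9A3B4C5D6E7F8, 160 * 1024 * 1024)

if __name__ == "__main__":
    m = parse_usn_max(SAMPLE_MAX)
    print(f"journal id 0x{m.journal_id:016x}, max {m.maximum_size} B, "
          f"delta {m.allocation_delta} B")
    print("wrapped:", journal_has_wrapped(m), "floor USN:", m.lowest_valid_usn)
    for usn, status in classify_usns(m, [4096, m.lowest_valid_usn, m.lowest_valid_usn + 96]):
        print(f"  USN {usn}: {status}")
```

Pointing `parse_usn_max` at the bytes of the collected NTFSFiles/$UsnJrnl_$Max file gives the retention floor to compare against the USNs parsed from the $J stream.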
