USN Journal
Overview
Evidence: USN Journal
Description: Dump contents of $UsnJrnl file
Category: DiskFilesystem
Platform: windows
Short Name: usnjrn
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Update Sequence Number (USN) Journal is an NTFS feature that keeps a persistent log of changes made to files on a volume. Each change is assigned a unique, monotonically increasing USN and recorded together with metadata such as the type of change (the reason flags), the file name, and a timestamp. The journal lives in the $J alternate data stream of the $UsnJrnl metadata file (\$Extend\$UsnJrnl:$J).
Data Collected
This collector gathers structured data about the USN Journal.
USN Journal Data
| Field | Description | Example |
|---|---|---|
| Type | File type | UsnJournal |
| Name | File name | $UsnJrnl:$J |
| SourcePath | Original path | C:\$Extend\$UsnJrnl:$J |
| FilePath | Path in evidence | NTFSFiles/$UsnJrnl_$J |
| FileSize | File size in bytes | 33554432 |
Collection Method
This collector uses raw NTFS access through a kernel driver to read $UsnJrnl:$J from each fixed NTFS drive, bypassing the normal file API so the stream can be copied while the volume is in use.
Forensic Value
The USN Journal provides a comprehensive timeline of file system activity, including file creation, deletion, modification, and renaming. It can reveal deleted files, track file movements, and establish detailed user activity timelines. It is particularly valuable for detecting data exfiltration, tracking malware activity, and reconstructing user actions over extended periods.
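To make the Background and Forensic Value sections concrete, here is an added Python example (not the collector's own code) that parses the USN_RECORD_V2 layout found in a collected $UsnJrnl:$J stream, decodes the reason flags, skips the sparse zero region at the start of the stream, and then rebuilds a timeline, pairs rename old/new names, and lists deleted files. The journal bytes are constructed in the block itself; the file names, file reference numbers and timestamps are made up for illustration.

```python
"""Parse $UsnJrnl:$J (USN_RECORD_V2) and rebuild a file-activity timeline.

Added example, not the collector's own code. The journal bytes are constructed
below with build_record(); file reference numbers, names and times are made up.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes, little-endian), followed by the UTF-16LE name:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset
_HEADER = struct.Struct("<IHHQQqqIIIIHH")
_HEADER_SIZE = _HEADER.size  # 60
_NONZERO = re.compile(rb"[^\x00]")

# USN_REASON_* flags as defined in winioctl.h.
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE", 0x80000000: "CLOSE",
}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_reason(flags):
    """Render a Reason bitmask as 'FLAG|FLAG', keeping any bits this table does not know."""
    names = [name for bit, name in REASONS.items() if flags & bit]
    if flags & ~sum(REASONS):
        names.append("UNKNOWN_0x%08X" % (flags & ~sum(REASONS)))
    return "|".join(names)

def parse_usn_journal(data):
    """Yield one dict per USN_RECORD_V2 in a $J buffer.

    $J is sparse: it begins with a long run of zeros, so a zero RecordLength means
    "jump to the next non-zero, 8-byte-aligned offset", not "stop".
    """
    offset, end = 0, len(data)
    while offset + _HEADER_SIZE <= end:
        fields = _HEADER.unpack_from(data, offset)
        rec_len, major = fields[0], fields[1]
        if rec_len == 0:
            m = _NONZERO.search(data, offset)
            if not m:
                break
            offset = max(offset + 8, m.start() & ~7)  # records are 8-byte aligned
            continue
        if rec_len < _HEADER_SIZE or offset + rec_len > end or major != 2:
            offset += 8  # corrupt or unsupported record: realign and keep going
            continue
        name_len, name_off = fields[11], fields[12]
        name = data[offset + name_off:offset + name_off + name_len].decode("utf-16-le", "replace")
        yield {"usn": fields[5], "timestamp": filetime_to_datetime(fields[6]),
               "fileref": fields[3], "parent_ref": fields[4],
               "reason": fields[7], "attrs": fields[10], "name": name}
        offset += rec_len

def build_timeline(records):
    """Rows ordered by USN (on disk the USN is the record's byte offset within $J)."""
    return [(r["usn"], r["timestamp"].isoformat(), r["name"], decode_reason(r["reason"]))
            for r in sorted(records, key=lambda r: r["usn"])]

def track_renames(records):
    """Pair RENAME_OLD_NAME with the following RENAME_NEW_NAME for the same file reference."""
    pending, renames = {}, []
    for r in sorted(records, key=lambda r: r["usn"]):
        if r["reason"] & 0x1000:
            pending[r["fileref"]] = r["name"]
        elif r["reason"] & 0x2000 and r["fileref"] in pending:
            renames.append((pending.pop(r["fileref"]), r["name"]))
    return renames

def deleted_files(records):
    """Names carrying FILE_DELETE: gone from the MFT, still recorded in the journal."""
    return sorted({r["name"] for r in records if r["reason"] & 0x200})

# --- constructed sample data (not real evidence) -----------------------------
def build_record(usn, ft, fileref, parent_ref, reason, name):
    name_bytes = name.encode("utf-16-le")
    rec_len = (_HEADER_SIZE + len(name_bytes) + 7) & ~7
    hdr = _HEADER.pack(rec_len, 2, 0, fileref, parent_ref, usn, ft, reason, 0, 0, 0x20,
                       len(name_bytes), _HEADER_SIZE)
    return (hdr + name_bytes).ljust(rec_len, b"\x00")

T0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

def build_sample_journal():
    """A file created, renamed, then deleted; 64 zero bytes stand in for the sparse prefix."""
    events = [(0, 0x00000100, "report.docx"), (1, 0x80000102, "report.docx"),
              (60, 0x00001000, "report.docx"), (60, 0x00002000, "q4-final.docx"),
              (60, 0x80002000, "q4-final.docx"), (3600, 0x00000200, "q4-final.docx"),
              (3600, 0x80000200, "q4-final.docx")]
    data = b"\x00" * 64
    for seconds, reason, name in events:
        ft = datetime_to_filetime(T0 + timedelta(seconds=seconds))
        data += build_record(len(data), ft, 0x1000000000029, 0x5000000000005, reason, name)
    return data

if __name__ == "__main__":
    recs = list(parse_usn_journal(build_sample_journal()))
    for row in build_timeline(recs):
        print(row)
    print("renames:", track_renames(recs))
    print("deleted:", deleted_files(recs))
```

Two caveats a practitioner will hit on real data: the record only carries the file's own name plus a parent file reference, so reconstructing full paths requires resolving parent references against a $MFT collected at the same time; and because $J is a sparse, fixed-size circular log (the 32 MiB example in the table is typical), old records are overwritten, so the timeline only covers the most recent window of activity.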