USN Journal as CSV
Overview
Evidence: USN Journal as CSV
Description: Parse USN Journal Entries in CSV Format
Category: DiskFilesystem
Platform: windows
Short Name: usncsv
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Update Sequence Number (USN) Journal is an NTFS feature that logs all changes made to files and directories on a volume. Every file system operation (create, delete, modify, rename) generates a USN record.
The USN Journal provides a comprehensive timeline of file system activity and can reveal changes that occurred before the system was acquired. It’s particularly valuable for detecting file manipulation, identifying deleted files, and reconstructing attacker activity.
Data Collected
This collector gathers structured data about USN Journal entries, exported in CSV format.
USN Journal as CSV Data
| Field | Description | Example |
|---|---|---|
| FileName | File or directory name | document.docx |
| UpdateSequenceNumber | Unique sequence number | 123456789 |
| UpdateDateTime | When the change occurred | 2023-10-15T14:30:00Z |
| UpdateReasonFlags | Type of change | FILE_CREATE+DATA_EXTEND |
| MftFileReference | MFT entry number | 12345 |
| MftFileReferenceSequence | MFT sequence number | 1 |
| MftParentFileReference | Parent directory MFT entry | 5 |
| MftParentFileReferenceSequence | Parent sequence number | 1 |
| FileAttributeFlags | File attributes | READ_ONLY+ARCHIVE |
| UpdateSourceFlags | Source of update | DATA_MANAGEMENT |
Collection Method
This collector:
- Reads the USN Journal from all fixed NTFS drives
- Parses each USN record using NtfsEnumerateUSNEntries
- Exports records to CSV format
- Converts reason flags, source flags, and attribute flags to human-readable format
Update Reason Flags include: DATA_OVERWRITE, DATA_EXTEND, FILE_CREATE, FILE_DELETE, RENAME_OLD_NAME, RENAME_NEW_NAME, SECURITY_CHANGE, and many others.
Forensic Value
The USN Journal provides unparalleled visibility into file system activity and is essential for timeline reconstruction. Investigators use this data to reconstruct complete file activity timelines, detect mass file deletions or encryption (ransomware), identify file renaming operations, track file modifications by timestamp, detect data staging for exfiltration, identify temporary file usage, and correlate file system changes with other events.
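As an added example (not part of this documentation or the collector's own code), the following Python script parses an export in the column layout shown in the table above, using a constructed sample, and performs two of the analyses listed here: pairing RENAME_OLD_NAME/RENAME_NEW_NAME records on the same MFT reference, and counting FILE_DELETE records inside a sliding time window to flag mass deletions. Column names come from the table; the sample rows, timestamps and MFT numbers are invented.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export using the column names from the table above
# (not real evidence; file names, timestamps and MFT numbers are invented).
SAMPLE_CSV = """FileName,UpdateSequenceNumber,UpdateDateTime,UpdateReasonFlags,MftFileReference,MftFileReferenceSequence,MftParentFileReference,MftParentFileReferenceSequence,FileAttributeFlags,UpdateSourceFlags
report.docx,1000,2023-10-15T14:30:00Z,RENAME_OLD_NAME,12345,1,5,1,ARCHIVE,
report.docx.locked,1001,2023-10-15T14:30:00Z,RENAME_NEW_NAME+CLOSE,12345,1,5,1,ARCHIVE,
budget.xlsx,1002,2023-10-15T14:30:01Z,FILE_DELETE+CLOSE,12346,1,5,1,ARCHIVE,
photo.jpg,1003,2023-10-15T14:30:01Z,FILE_DELETE+CLOSE,12347,1,5,1,ARCHIVE,
notes.txt,1004,2023-10-15T14:30:02Z,FILE_DELETE+CLOSE,12348,1,5,1,ARCHIVE,
readme.md,1005,2023-10-15T18:00:00Z,FILE_CREATE+DATA_EXTEND+CLOSE,12349,1,5,1,ARCHIVE,
"""

def parse_usn_csv(text):
    """Parse the CSV export into dicts; '+'-joined flag columns become sets."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["UpdateDateTime"] = datetime.strptime(row["UpdateDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        for key in ("UpdateReasonFlags", "FileAttributeFlags", "UpdateSourceFlags"):
            row[key] = set(filter(None, row[key].split("+")))
        row["UpdateSequenceNumber"] = int(row["UpdateSequenceNumber"])
        rows.append(row)
    # USNs increase monotonically, so sorting by them restores journal order.
    return sorted(rows, key=lambda r: r["UpdateSequenceNumber"])

def rename_pairs(rows):
    """Pair RENAME_OLD_NAME with the following RENAME_NEW_NAME for the same
    MFT entry and sequence number, yielding (old_name, new_name) tuples."""
    pending, pairs = {}, []
    for r in rows:
        key = (r["MftFileReference"], r["MftFileReferenceSequence"])
        if "RENAME_OLD_NAME" in r["UpdateReasonFlags"]:
            pending[key] = r["FileName"]
        elif "RENAME_NEW_NAME" in r["UpdateReasonFlags"] and key in pending:
            pairs.append((pending.pop(key), r["FileName"]))
    return pairs

def max_deletes_in_window(rows, window_seconds=5):
    """Largest number of FILE_DELETE records within any window_seconds span;
    a high value relative to normal activity points at mass deletion."""
    window = timedelta(seconds=window_seconds)
    deletes = sorted(r["UpdateDateTime"] for r in rows if "FILE_DELETE" in r["UpdateReasonFlags"])
    best, start = 0, 0
    for end, ts in enumerate(deletes):
        while ts - deletes[start] > window:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best
```

On the sample, the rename pair shows report.docx being renamed to report.docx.locked, and three deletes land within a five-second window.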