USN Journal $Max
Overview
Evidence: USN Journal $Max
Description: Dump Contents of $UsnJrnl:$Max
Category: DiskFilesystem
Platform: windows
Short Name: usnjrnmax
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The $UsnJrnl:$Max stream is part of the USN Journal system and contains metadata about the journal itself, including the maximum USN value and journal configuration. While less frequently used than the $J stream, it provides important context about the journal's state and can be useful for forensic analysis.
Data Collected
This collector gathers structured data about the USN Journal $Max stream.
USN Journal $Max Data
| Field | Description | Example |
|---|---|---|
| Type | File type | UsnJournalMax |
| Name | File name | $UsnJrnl:$Max |
| SourcePath | Original path | `C:\$Extend\$UsnJrnl:$Max` |
| FilePath | Path in evidence | `NTFSFiles/$UsnJrnl_$Max` |
| FileSize | File size in bytes | 256 |
Collection Method
This collector uses a kernel driver with raw NTFS access to read $UsnJrnl:$Max from each fixed NTFS drive.
Forensic Value
The $Max stream provides journal metadata that can help investigators understand the journal's configuration, capacity, and current state. This information is useful for determining if the journal has wrapped, identifying gaps in the timeline, and understanding the journal's retention policy.
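As an added example (not code from this collector or its documentation), the following Python parser reads a collected $UsnJrnl:$Max stream and derives the retention indicators described above. It assumes the publicly documented 32-byte layout of $Max (maximum size, allocation delta, journal ID as a FILETIME, lowest valid USN) and that USNs are byte offsets into $J; both are assumptions drawn from NTFS documentation, not from this page. The sample stream is constructed inline so the script runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout of the $UsnJrnl:$Max stream (from public NTFS documentation,
# not from this page): four little-endian unsigned 64-bit integers, 32 bytes.
#   0x00  maximum size of the journal in bytes
#   0x08  allocation delta (how far the journal may grow past the maximum before trimming)
#   0x10  USN journal identifier, a FILETIME recording when the journal was created
#   0x18  lowest valid USN (records below it have already been trimmed away)
MAX_LAYOUT = struct.Struct("<QQQQ")
MAX_STREAM_SIZE = MAX_LAYOUT.size  # 32

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_usnjrnl_max(data):
    """Parse the first 32 bytes of a collected $UsnJrnl:$Max stream into a dict."""
    if len(data) < MAX_STREAM_SIZE:
        raise ValueError(f"$Max stream too short: {len(data)} bytes, need {MAX_STREAM_SIZE}")
    max_size, alloc_delta, usn_id, lowest_valid_usn = MAX_LAYOUT.unpack_from(data, 0)
    return {
        "maximum_size": max_size,
        "allocation_delta": alloc_delta,
        "usn_id": usn_id,
        "journal_created": filetime_to_datetime(usn_id),
        "lowest_valid_usn": lowest_valid_usn,
    }


def journal_state(max_info, newest_usn):
    """Combine $Max metadata with the newest USN observed in $J.

    Because USNs are byte offsets into $J, newest_usn - lowest_valid_usn is the
    number of journal bytes still retained. A non-zero lowest valid USN means
    older records were discarded, i.e. the journal has wrapped at least once,
    and the timeline recoverable from $J can only start at that USN.
    """
    lowest = max_info["lowest_valid_usn"]
    if newest_usn < lowest:
        raise ValueError("newest USN precedes lowest valid USN; inconsistent inputs")
    retained = newest_usn - lowest
    capacity = max_info["maximum_size"] + max_info["allocation_delta"]
    return {
        "has_wrapped": lowest > 0,
        "retained_bytes": retained,
        "capacity_used": retained / capacity if capacity else 0.0,
        "timeline_starts_at_usn": lowest,
    }


def build_sample_max(max_size, alloc_delta, created, lowest_valid_usn):
    """Build a constructed $Max stream for offline testing (not real evidence)."""
    return MAX_LAYOUT.pack(max_size, alloc_delta, datetime_to_filetime(created), lowest_valid_usn)


# Constructed sample: a 32 MiB journal with an 8 MiB allocation delta, created
# 2024-01-15 00:00 UTC, whose first 16 MiB of records have already been trimmed.
SAMPLE_MAX = build_sample_max(
    32 * 1024 * 1024, 8 * 1024 * 1024,
    datetime(2024, 1, 15, tzinfo=timezone.utc), 16 * 1024 * 1024,
)

if __name__ == "__main__":
    info = parse_usnjrnl_max(SAMPLE_MAX)
    print(info)
    # The newest USN would normally come from the last record parsed out of $J.
    print(journal_state(info, newest_usn=40 * 1024 * 1024))
```

In practice the newest USN is taken from the last record in the collected $J stream; comparing it against the lowest valid USN from $Max tells an examiner whether activity before a given point can still be expected in the journal or has been lost to trimming.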