USN Journal ($UsnJrnl:$J)
The NTFS USN Journal, formally known as the Update Sequence Number Journal, is a continuous change log that NTFS maintains for every single file system event on the volume. Every file creation, modification, rename, deletion and security change generates a small record in this journal with a precise timestamp. It is arguably the most complete and unforgiving file system activity log on a Windows machine, and it is running silently on almost every NTFS volume in production today.
Imagine a security camera that does not record video. Instead it logs a one-line entry every time anyone enters or exits any room in the building, noting the room name, the person involved and the exact timestamp. The USN Journal is exactly that security camera log for your file system. Every time any file is touched, renamed or deleted, a new entry is appended. The journal has a fixed maximum size, so once it fills it wraps around and the oldest entries are overwritten, but within that window it captures everything.
General
The USN Journal resides as a sparse data stream on every NTFS volume at $Extend\$UsnJrnl:$J. Microsoft originally designed it so that file replication and backup software could efficiently discover what had changed since their last check. Each record in the $J stream is a variable-length binary structure containing a USN (a monotonically increasing 64-bit offset), a timestamp, an MFT file reference, the filename and a set of reason flags describing what type of change occurred. The $J stream operates as a ring buffer and can hold gigabytes of compressed history. Because the USN is strictly increasing, even entries carved from unallocated journal space can be sequenced chronologically with high confidence.
Traces
Each USN Journal entry is compact but dense with forensic value. Here are the key fields we extract:
- Filename: The name of the file or directory that was changed at this entry's moment in time.
- Timestamp: A high-resolution UTC FILETIME of when the change was recorded by NTFS.
- Reason Flags: A bitmask indicating the type of change such as FileCreate, FileDelete, DataChange, RenameOldName and RenameNewName.
- MFT File Reference: Points back to the file's MFT entry for cross-referencing with the $MFT.
- Parent MFT Reference: Points to the parent directory's MFT entry, allowing directory path reconstruction.
- and more.
Forensic Use Cases
We parse the USN Journal to reconstruct detailed file system activity timelines that other artifacts cannot provide:
- Deleted File Timeline: Proving when a specific file was created and subsequently deleted, even when the file no longer appears in the MFT at all.
- Rename Tracking: Recovering both the old and new filenames from paired RenameOldName and RenameNewName entries to identify file obfuscation operations.
- Malware Staging Detection: Identifying rapid bursts of file creation followed by deletion that are characteristic of a dropper or self-cleaning malware agent.
- Anti-Forensics Correlation: Detecting USN entries showing the deletion of forensic artifacts such as Prefetch files or event log files.
- and more.
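As an added example (not part of this page or of any particular tool), the following Python parses the USN_RECORD_V2 layout described under General and in the Traces list, then pairs RenameOldName/RenameNewName entries as in the Rename Tracking use case. The record layout and reason bit values are those of the Windows SDK; the $J bytes, file names, MFT numbers and timestamps are constructed sample data built by the hypothetical `make_record` helper, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

REASONS = {0x1: "DataOverwrite", 0x100: "FileCreate", 0x200: "FileDelete", 0x800: "SecurityChange",
           0x1000: "RenameOldName", 0x2000: "RenameNewName", 0x80000000: "Close"}  # subset of SDK USN_REASON_* bits
HDR = struct.Struct("<IHHQQqqIIIIHH")  # 60-byte fixed part of USN_RECORD_V2, FileName follows it
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def parse_usn_v2(buf):
    """Yield a dict per USN_RECORD_V2; zero gaps (sparse ranges, padding) are stepped over."""
    off = 0
    while off + HDR.size <= len(buf):
        (rlen, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, _attr, nlen, noff) = HDR.unpack_from(buf, off)
        if rlen == 0:                       # zero gap: advance to the next 8-byte boundary
            off += 8
            continue
        if major != 2 or rlen < HDR.size or off + rlen > len(buf):
            break                           # V3/V4 record or a record cut off at buffer end
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le", "replace")
        yield {"usn": usn, "time": EPOCH + timedelta(microseconds=ts // 10), "name": name,
               "mft": fref & 0xFFFFFFFFFFFF, "seq": fref >> 48,  # 48-bit entry no. + 16-bit sequence
               "parent": pref & 0xFFFFFFFFFFFF,
               "reasons": [n for bit, n in REASONS.items() if reason & bit]}
        off += rlen

def pair_renames(records):  # join RenameOldName/RenameNewName on the MFT entry (records in USN order)
    pending, pairs = {}, []
    for r in records:
        if "RenameOldName" in r["reasons"]:
            pending[r["mft"]] = r["name"]
        elif "RenameNewName" in r["reasons"] and r["mft"] in pending:
            pairs.append((pending.pop(r["mft"]), r["name"], r["time"]))
    return pairs

def make_record(usn, ts, fref, pref, reason, name):  # hypothetical helper: constructed V2 record, 8-byte aligned
    nb = name.encode("utf-16-le")
    rlen = (HDR.size + len(nb) + 7) & ~7
    return HDR.pack(rlen, 2, 0, fref, pref, usn, ts, reason, 0, 0, 0x20, len(nb), HDR.size) \
        + nb.ljust(rlen - HDR.size, b"\0")

FREF, PREF = (3 << 48) | 12345, (5 << 48) | 5  # entry 12345 seq 3; parent directory entry 5
T0 = 133_500_000_000_000_000                    # constructed FILETIME = 2024-01-17 21:20:00 UTC
SAMPLE_J = b"".join([                           # constructed $J fragment, not a real capture
    make_record(0,   T0,              FREF, PREF, 0x80000100, "draft.docx"),  # FileCreate|Close
    make_record(80,  T0 + 50_000_000, FREF, PREF, 0x00001000, "draft.docx"),  # RenameOldName
    make_record(160, T0 + 50_000_000, FREF, PREF, 0x00002000, "final.docx"),  # RenameNewName
    b"\0" * 16,                                                               # zero-filled sparse gap
    make_record(256, T0 + 90_000_000, FREF, PREF, 0x80000200, "final.docx"),  # FileDelete|Close
])
```

Running `list(parse_usn_v2(SAMPLE_J))` yields the four records in USN order with the zero gap skipped, and `pair_renames` on that list returns the single draft.docx to final.docx rename with its timestamp.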