USN Journal ($UsnJrnl)
The Update Sequence Number (USN) Journal, also known as the Change Journal, is an integral feature of the NTFS file system. It functions as a high-performance, chronological log that meticulously records changes made to files and directories on a volume. Its primary system purpose is to provide a fast and efficient way for applications (like indexing services, backup software, or replication engines) to track file system modifications without needing to scan the entire disk.
From a DFIR perspective, the USN Journal is one of the most powerful artifacts available. It provides a detailed, time-stamped history of file system activity, often revealing actions—especially deletions and renames—that other artifacts might miss.
Location and Structure
The USN Journal's data is stored within a hidden NTFS metadata file, typically inaccessible via standard interfaces.
Location: C:\$Extend\$UsnJrnl
The crucial log data resides within an Alternate Data Stream (ADS) of this metafile named $J. The Journal itself is a log of variable-length records, each identified by a monotonically increasing 64-bit Update Sequence Number (USN).
When the Journal reaches its configured maximum size, it operates in a circular fashion, overwriting the oldest records with new ones. This means the time span covered by the Journal depends heavily on disk activity levels and its allocated size.
Stored Metadata
Each entry, or USN Record, within the $J stream documents a specific change event and contains a wealth of forensic information:
Timestamp: A high-precision timestamp indicating exactly when the event occurred.
Filename: The name of the file or directory that was affected by the change.
File Reference Number (FRN): A unique identifier that links the record to the file's entry in the Master File Table (MFT). The Parent FRN is also logged, linking the file to its parent directory.
Reason Code: A bitmask in which each set bit describes one type of change, so a single record can carry several reasons at once. These codes are the key to interpreting the Journal. Common reasons include:
FILE_CREATE: A file or directory was created.
FILE_DELETE: A file or directory was deleted.
RENAME_OLD_NAME / RENAME_NEW_NAME: A file was renamed; the old and new names are logged in separate records.
DATA_OVERWRITE / DATA_EXTEND: The file's content was modified.
BASIC_INFO_CHANGE: The file's attributes (e.g., Read-Only, Hidden) or $SI timestamps were altered.
STREAM_CHANGE: An Alternate Data Stream was added, removed, or modified.
CLOSE: The file handle was closed; it is usually combined with the other flags accumulated during the operation to signify its end.
Forensic Value
The USN Journal is indispensable for reconstructing the lifecycle of files and detecting anti-forensic techniques.
Tracking File Lifecycles: It provides a definitive, chronological sequence of events for a file: creation, renaming (both old and new names), content modification, attribute changes, and final deletion.
Definitive Proof of Deletion: The Journal is often the best and only source to prove that a specific file was deleted and precisely when. It retains records of deleted files until the Journal wraps, providing evidence long after the file's MFT record might have been reused.
Detecting Renaming and Replacement: It explicitly logs rename operations. This is crucial for detecting the "file replacement" bypass, where a malicious file is deleted and replaced by a benign one of the same name. The Journal will show the sequence: FILE_DELETE for the first file, followed by FILE_CREATE and RENAME_NEW_NAME for the second.
Uncovering Attribute Manipulation: The BASIC_INFO_CHANGE reason code is a powerful indicator of tampering. It is triggered by timestomping attempts (altering timestamps) and by applying the Read-Only attribute to artifacts like Prefetch files to prevent them from being updated.
Identifying ADS Manipulation: STREAM_CHANGE events can reveal the creation or modification of hidden Alternate Data Streams.
Specialized tools like fsutil.exe, JournalTrace, or Eric Zimmerman's MFTECmd are required to parse the binary $J stream and interpret its records.
Reflection points (SS Contest)
For a ScreenSharer, the USN Journal is the ultimate tool for exposing a player's attempts to cover their tracks. It turns the act of hiding evidence into evidence itself.
The Anti-Bypass Artifact: This is the Journal's primary role. If a player deletes their Prefetch folder, the Journal will contain a list of FILE_DELETE events for every .pf file. If they use the "file replacement" method, the Journal will show the exact sequence of deletion and creation.
Exposing Prefetch Tampering: Finding a recent BASIC_INFO_CHANGE event on a Prefetch file is a smoking gun. It proves the player manipulated the file's attributes, most likely by setting it to Read-Only to "freeze" its last execution time and hide recent use of a cheat.
Confirming Deletions: If a file appears in an execution artifact (like BAM) but is no longer on the disk, the Journal can provide the final, conclusive proof by showing the FILE_DELETE record for that exact file path, complete with a timestamp.
Detecting Journal Clearing: The act of clearing the Journal itself (fsutil usn deletejournal) is a highly suspicious anti-forensic technique that is logged by Windows Event Logs (Event ID 3079).
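The three patterns that the Forensic Value section and the reflection points above describe (a file-replacement sequence, BASIC_INFO_CHANGE on a Prefetch file, and a burst of .pf deletions) can be checked mechanically once the $J records are decoded. The following triage logic is an added example for this page, not part of any named tool; it works on already-parsed records (the dict shape a $J parser would return) and runs over a constructed record set whose names, directory entry numbers and timestamps are invented. The time windows and the burst threshold are assumptions to tune per case.

```python
from datetime import datetime, timedelta, timezone


def _t(seconds):
    return datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def _rec(usn, name, parent_entry, seconds, *reasons):
    return {"usn": usn, "name": name, "parent_entry": parent_entry,
            "timestamp": _t(seconds), "reasons": set(reasons)}


# Constructed, already-decoded records in USN order. Directory entry 0x2F stands in
# for the Prefetch folder and 0x40 for a user directory; all names are made up.
RECORDS = [
    _rec(100, "TOOL.EXE-0A1B2C3D.pf", 0x2F, 0, "BASIC_INFO_CHANGE", "CLOSE"),
    _rec(101, "A.EXE-11111111.pf", 0x2F, 30, "FILE_DELETE", "CLOSE"),
    _rec(102, "B.EXE-22222222.pf", 0x2F, 30, "FILE_DELETE", "CLOSE"),
    _rec(103, "C.EXE-33333333.pf", 0x2F, 31, "FILE_DELETE", "CLOSE"),
    _rec(104, "D.EXE-44444444.pf", 0x2F, 31, "FILE_DELETE", "CLOSE"),
    _rec(105, "loader.exe", 0x40, 60, "FILE_DELETE", "CLOSE"),
    _rec(106, "tmp_1.exe", 0x40, 61, "FILE_CREATE"),
    _rec(107, "tmp_1.exe", 0x40, 62, "RENAME_OLD_NAME"),
    _rec(108, "loader.exe", 0x40, 62, "RENAME_NEW_NAME", "CLOSE"),
    _rec(109, "readme.txt", 0x40, 90, "DATA_EXTEND", "CLOSE"),
]


def prefetch_attribute_changes(records):
    """BASIC_INFO_CHANGE on a .pf file: an attribute or $SI timestamp change on an
    artifact that normal operation only touches through its content."""
    return [(r["usn"], r["name"]) for r in records
            if r["name"].lower().endswith(".pf") and "BASIC_INFO_CHANGE" in r["reasons"]]


def replacement_sequences(records, max_gap=timedelta(minutes=5)):
    """FILE_DELETE of a name followed, within max_gap, by FILE_CREATE or
    RENAME_NEW_NAME of the same name in the same directory."""
    ordered = sorted(records, key=lambda r: r["usn"])
    hits = []
    for i, rec in enumerate(ordered):
        if "FILE_DELETE" not in rec["reasons"]:
            continue
        for later in ordered[i + 1:]:
            if later["timestamp"] - rec["timestamp"] > max_gap:
                break
            if (later["name"].lower() == rec["name"].lower()
                    and later["parent_entry"] == rec["parent_entry"]
                    and later["reasons"] & {"FILE_CREATE", "RENAME_NEW_NAME"}):
                hits.append((rec["usn"], later["usn"], rec["name"]))
                break
    return hits


def bulk_deletions(records, suffix=".pf", window=timedelta(seconds=10), threshold=3):
    """Largest burst of FILE_DELETE records for one extension inside a sliding
    time window; returns the deleted names if the burst reaches threshold."""
    deletes = sorted((r for r in records
                      if "FILE_DELETE" in r["reasons"] and r["name"].lower().endswith(suffix)),
                     key=lambda r: r["timestamp"])
    best, start = [], 0
    for end in range(len(deletes)):
        while deletes[end]["timestamp"] - deletes[start]["timestamp"] > window:
            start += 1
        if end - start + 1 > len(best):
            best = deletes[start:end + 1]
    return [r["name"] for r in best] if len(best) >= threshold else []


def triage(records):
    return {
        "prefetch_attribute_changes": prefetch_attribute_changes(records),
        "replacements": replacement_sequences(records),
        "bulk_pf_deletions": bulk_deletions(records),
    }


if __name__ == "__main__":
    for key, value in triage(RECORDS).items():
        print(key, value)
```

The replacement check matches on name plus parent directory rather than on the file reference number, because the replacement file gets a fresh MFT entry; the deleted name reappearing in the same directory right after a FILE_DELETE is what ties the two records together. Each finding carries the USNs involved so the reviewer can go back to the raw records and their timestamps.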