USN Journal Clearing

  • Description: This involves the complete deletion of the NTFS Update Sequence Number (USN) Journal ($J stream within $Extend\$UsnJrnl) for a specific volume.

  • Mechanism: Typically performed with the built-in fsutil.exe command from an elevated (administrator) prompt: fsutil usn deletejournal /D C: (replace C: with the target drive). This command wipes the existing journal, and NTFS creates a new, empty one the next time the filesystem is modified.

  • Why Cheaters Use It: To erase the entire recorded history of file creations, deletions, renames, attribute changes, and stream modifications on a volume, effectively blinding analysis techniques that rely heavily on the Journal (like detecting Prefetch clearing, file replacement, timestomping via BASIC_INFO_CHANGE, ADS manipulation, etc.).

  • Detection: Clearing the USN Journal is a drastic action that leaves clear, detectable traces:

    • Event Logs: The act of deleting the USN Journal reliably triggers Event ID 3079 in the Application event log. The event details usually specify the volume (drive letter) whose journal was deleted and often mention fsutil.exe as the source process. Finding this event is definitive proof of intentional Journal clearing.

    • Journal Metadata Analysis: Examining the Journal's metadata streams ($J and $MAX within $Extend\$UsnJrnl) with tools such as FTK Imager or MFTECmd reveals clearing in several ways:

      • Modification Times: The "Date Modified" timestamps of both the $J stream and the $MAX stream will be very recent, coinciding with the time the deletejournal command was run. Comparing these timestamps is crucial; a recent modification to both confirms the clearing event.

      • Oldest Entry Timestamp: Tools like JournalTrace display the timestamp of the oldest record currently in the Journal. If this oldest entry is dated after the user's logon time or the game start time (i.e., very recent), it strongly suggests the Journal was cleared during the current boot/game instance.

      • Size: A newly created Journal ($J stream) will be very small compared to one that has been accumulating logs.
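The detection points above can be checked on a live machine with built-in tooling. The following PowerShell script is an added example written for this page, not a tool from the original text: it looks for Event ID 3079 in the Application log since the last boot, then parses fsutil usn queryjournal to estimate how much journal data is currently retained (the "Size" indicator) and when the current journal was created. The Journal ID interpretation is an assumption not stated on the page (NTFS seeds the ID from the system clock at creation, so it reads as a FILETIME); the field names in the fsutil output are taken from what fsutil prints on current Windows versions. Run from an elevated prompt.

```powershell
<#
  Added example (not from the original page): triage one volume for USN Journal
  clearing using only Event Viewer data and fsutil. Requires an elevated session.
#>
param(
    [string]$Volume = 'C:',
    # Default window is the current boot, mirroring the page's "current boot/game instance" logic.
    [datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
)

$findings = New-Object System.Collections.Generic.List[object]

# --- 1. Event log: Event ID 3079 in the Application log -----------------------
$filter = @{ LogName = 'Application'; Id = 3079; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings.Add([pscustomobject]@{
        Check    = 'Event ID 3079 (USN journal deleted)'
        Time     = $e.TimeCreated
        Detail   = ($e.Message -replace '\s+', ' ')
        Severity = 'Definitive'
    })
}

# --- 2. Journal metadata via fsutil ------------------------------------------------
# fsutil prints lines like "Next Usn : 0x000000000ab12345"; collect the hex fields.
$raw  = fsutil usn queryjournal $Volume 2>&1
$meta = @{}
foreach ($line in $raw) {
    if ("$line" -match '^\s*(.+?)\s*:\s*(0x[0-9a-fA-F]+)\s*$') {
        $meta[$matches[1]] = [Convert]::ToUInt64($matches[2], 16)
    }
}

if ($meta.ContainsKey('First Usn') -and $meta.ContainsKey('Next Usn')) {
    # A USN is a byte offset into the $J stream, so Next - First approximates the
    # journal data still retained. A tiny value on a long-running volume is the
    # "very small $J" indicator from the page. 1 MB is a constructed threshold.
    $retained = $meta['Next Usn'] - $meta['First Usn']
    $findings.Add([pscustomobject]@{
        Check    = 'Retained journal bytes'
        Time     = $null
        Detail   = ('{0:N0} bytes (First Usn 0x{1:x}, Next Usn 0x{2:x})' -f $retained, $meta['First Usn'], $meta['Next Usn'])
        Severity = if ($retained -lt 1MB) { 'Suspicious' } else { 'Info' }
    })
}

if ($meta.ContainsKey('Usn Journal ID')) {
    # Assumption (not stated on the page): the Journal ID is the FILETIME at which
    # the journal was created. A creation time after the last boot means the
    # journal did not survive this session, which lines up with the page's
    # "oldest entry newer than logon" reasoning.
    try {
        $created = [datetime]::FromFileTimeUtc([int64]$meta['Usn Journal ID'])
        $findings.Add([pscustomobject]@{
            Check    = 'Journal creation time (from Journal ID)'
            Time     = $created.ToLocalTime()
            Detail   = ('Journal ID 0x{0:x}' -f $meta['Usn Journal ID'])
            Severity = if ($created.ToLocalTime() -gt $Since) { 'Suspicious' } else { 'Info' }
        })
    } catch {
        # Not a plausible FILETIME; leave the assumption unconfirmed.
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No USN journal metadata or 3079 events found for $Volume (is the session elevated?)."
} else {
    $findings | Sort-Object Severity | Format-Table -AutoSize -Wrap
}
```

The event check is the one the page calls definitive; the two fsutil-derived checks are corroboration, since a genuinely new volume or a journal that was never enabled also produces a small retained size and a recent creation time. Cross-checking all three against the boot time and the $J/$MAX modification timestamps from MFTECmd gives the clearest picture.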
