The USN Journal ( $UsnJrnl )

The Update Sequence Number (USN) Journal is an integral feature of the NTFS file system. It functions as a chronological log that meticulously records changes made to files and directories on the volume it resides on.

• Location & Structure: The Journal data itself is stored within a specific Alternate Data Stream named $J, which is part of the hidden system metafile $Extend\$UsnJrnl located at the root of the NTFS volume (e.g., C:\$Extend\$UsnJrnl). Another stream, $Max, stores metadata about the journal itself.

• Purpose: Its primary system function is to allow applications (like indexing services, backup software, or replication engines) to efficiently track changes without needing to scan the entire volume. Forensically, it provides a detailed history of file operations.

• Logged Information: Each entry (USN Record) in the $J stream typically logs:

  • A precise Timestamp of the event.

  • The Filename affected.

  • The File Reference Number (FRN) and the Parent FRN (linking the file to its directory and MFT record).

  • One or more Reason Codes, indicating the type(s) of change(s) that occurred (e.g., FILE_CREATE, FILE_DELETE, RENAME_OLD_NAME, RENAME_NEW_NAME, DATA_OVERWRITE, BASIC_INFO_CHANGE, STREAM_CHANGE, CLOSE). Understanding these codes is key to interpretation.

  • File attributes at the time of the event.

  • Source information (distinguishing user data changes from OS data management).

• Persistence: Crucially, the Journal often retains records for files even after they have been deleted from the file system (until the Journal wraps around or is cleared). This makes it invaluable for proving the prior existence and deletion of files.