The Journal ($UsnJrnl) - The Change Log

As a core part of its journaling capability, NTFS utilizes the $UsnJrnl metafile. This file is typically located in a hidden system directory, often C:\$Extend (as noted previously, usually inaccessible via standard Explorer). The $UsnJrnl functions as a detailed logbook of changes made to files and directories across the volume. It tracks a wide array of activities, providing a chronological record of filesystem events, including:

  • File and directory creation (FILE_CREATE).

  • File and directory deletion (FILE_DELETE).

  • File and directory renaming (RENAME_OLD_NAME, RENAME_NEW_NAME).

  • Changes to file data content (DATA_OVERWRITE when existing data is overwritten, DATA_EXTEND when a file grows, DATA_TRUNCATION when it shrinks).

  • Modifications to file attributes or security settings (BASIC_INFO_CHANGE).

  • Changes involving Alternate Data Streams (STREAM_CHANGE).

Interestingly, the main $UsnJrnl file itself might appear empty or small if viewed directly. The crucial log data resides within two Alternate Data Streams (ADS) associated with this metafile:

  • $Max: Contains metadata about the journal, such as its unique ID, maximum size limit, and allocation granularity.

  • $J: This stream contains the actual sequence of USN Records – the individual log entries detailing filesystem changes.

USN Records (Update Sequence Number Records): These are the fundamental entries within the $J stream. Each record documents a specific change event and typically includes:

  • An Update Sequence Number (a monotonically increasing number identifying the record).

  • The File Reference Number (FRN) of the file or directory affected.

  • The FRN of the parent directory.

  • A USN Reason Code (a flag indicating the type(s) of change, like FILE_CREATE, FILE_DELETE, DATA_OVERWRITE, BASIC_INFO_CHANGE, etc.).

  • Source Information (indicating if the change was user data, OS data management, etc.).

  • Security ID (SID) of the user/process making the change (availability may vary).

  • File Attributes at the time of the change.

  • The filename.

  • A precise timestamp for the event.
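To make the reason codes listed earlier and the record fields above concrete, here is an added Python example (not code from the original page or any of the tools it names) that parses USN_RECORD_V2 entries from a $J buffer, splits the File Reference Numbers into MFT entry and sequence numbers, converts the FILETIME timestamp, and decodes the reason and source bit flags. The header layout and the USN_REASON_*/USN_SOURCE_* values are the documented Windows constants from winioctl.h; the $J bytes are constructed inline by a helper, and the filename, FRNs and timestamps in them are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* and USN_SOURCE_* bit values as documented for winioctl.h.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",       0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",      0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",          0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",            0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",      0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",     0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",     0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",    0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
USN_SOURCES = {0x1: "DATA_MANAGEMENT", 0x2: "AUXILIARY_DATA",
               0x4: "REPLICATION_MANAGEMENT", 0x8: "CLIENT_REPLICATION_MANAGEMENT"}

# Fixed 60-byte header of USN_RECORD_V2 (little-endian, no padding):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
HDR = struct.Struct("<IHHQQqqIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def split_frn(frn):
    """FRN = 48-bit MFT entry number in the low bits, 16-bit sequence number in the high bits."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48

def decode_flags(value, table):
    return [name for bit, name in table.items() if value & bit]

def parse_usn_record(buf, off=0):
    """Parse one USN_RECORD_V2 at buf[off:]; returns (record dict, record length)."""
    (length, major, minor, frn, pfrn, usn, ts, reason, source,
     sec_id, attrs, name_len, name_off) = HDR.unpack_from(buf, off)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}.{minor}")
    name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
    entry, seq = split_frn(frn)
    pentry, pseq = split_frn(pfrn)
    return {
        "offset": off, "usn": usn, "timestamp": filetime_to_datetime(ts),
        "mft_entry": entry, "mft_seq": seq,
        "parent_entry": pentry, "parent_seq": pseq,
        "reasons": decode_flags(reason, USN_REASONS),
        "source": decode_flags(source, USN_SOURCES),
        "security_id": sec_id, "attributes": attrs, "name": name,
    }, length

def iter_usn_records(buf):
    """Walk a $J buffer: records are 8-byte aligned; a zero length marks padding or sparse space."""
    off = 0
    while off + HDR.size <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:
            off += 8
            continue
        rec, _ = parse_usn_record(buf, off)
        yield rec
        off += length

def build_record(usn, frn, pfrn, when, reason, name, attrs=0x20):
    """Assemble a USN_RECORD_V2; helper used only to construct sample data."""
    name_bytes = name.encode("utf-16-le")
    raw = HDR.size + len(name_bytes)
    length = (raw + 7) & ~7                      # pad to the 8-byte boundary
    hdr = HDR.pack(length, 2, 0, frn, pfrn, usn, datetime_to_filetime(when),
                   reason, 0, 0, attrs, len(name_bytes), HDR.size)
    return hdr + name_bytes + b"\x00" * (length - raw)

def build_sample_j():
    """Constructed $J contents: a file is created, closed, then deleted. All values are made up."""
    frn = (3 << 48) | 12345       # MFT entry 12345, sequence number 3 (constructed)
    parent = (5 << 48) | 5        # MFT entry 5 is the volume root directory
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    events = [(0x00000100, t0),                              # FILE_CREATE
              (0x80000100, t0 + timedelta(seconds=1)),       # FILE_CREATE|CLOSE
              (0x80000200, t0 + timedelta(minutes=5))]       # FILE_DELETE|CLOSE
    out = b""
    for reason, when in events:
        # A record's USN is its byte offset within $J, so use the running length.
        out += build_record(len(out), frn, parent, when, reason, "dropper.exe")
    return out

SAMPLE_J = build_sample_j()

def timeline(buf):
    """Flatten parsed records into (timestamp, name, MFT entry, reasons) rows."""
    return [(r["timestamp"], r["name"], r["mft_entry"], "|".join(r["reasons"]))
            for r in iter_usn_records(buf)]

if __name__ == "__main__":
    for row in timeline(SAMPLE_J):
        print(*row)
```

Two things worth noticing when this is run against a real $J extracted from an image: the USN of each record should equal its byte offset in the stream (the parser keeps both so the two can be compared as a sanity check on the extraction), and a FILE_DELETE record keeps the filename and the parent FRN, which is what lets the journal reconstruct activity for files that no longer exist in the $MFT.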

Because $J is a binary stream, a parser is needed to read it. Windows' built-in fsutil usn readjournal c: (run from an elevated prompt) or specialized forensic tools (such as MFTECmd, JournalTrace, Echo Journal Viewer) interpret the USN records and produce a timeline of file system activity, including entries for files that have since been deleted.
