USN Journal

The USN Journal is an artifact present on NTFS volumes that functions as the filesystem's journal. This artifact contains high-level records of operations taken on the filesystem. This artifact is present in volume shadow copies which may provide additional historical data.

The USN Journal is limited in size and therefore only recent activity will be reflected in this file. Depending on the amount of filesystem activity on a volume this artifact may only provide several days (or even hours) of coverage.

A potential workaround to obtain more history from this artifact would be to extract a copy of it from any available Volume Shadow Copies present on the NTFS volume.

Analysis Value

File CreationFile DeletionLast ModifiedFile PathFile Size

Operating System Availability

• The USN Journal is present in all NTFS Volumes

Artifact Location(s)

• $Extend\$UsnJrnl\$J

Artifact Parsers

• Velociraptor

• jp (TZWorks)

• MFTEcmd (Eric Zimmerman)

• KAPE can be used to extract

Artifact Interpretation

Below are several common USN Journal events:

Event Code	Value	Description
USN_REASON_FILE_CREATE	0x00000100	File or directory has been created
USN_REASON_FILE_DELETE	0x00000200	File or directory has been deleted
USN_REASON_RENAME_NEW_NAME	0x00002000	File has been renamed (provides the new name)
USN_REASON_RENAME_OLD_NAME	0x00001000	File has been renamed (provides the old name)
USN_REASON_STREAM_CHANGE	0x00200000	An Alternate Data Stream has been added or removed or renamed from a file
USN_REASON_NAMED_DATA_EXTEND	0x00000020	An Alternate Data Stream has been added to
USN_REASON_DATA_EXTEND	0x00000002	File modification
USN_REASON_DATA_OVERWRITE	0x00000001	File modification
USN_REASON_DATA_TRUNCATION	0x00000004	File modification
USN_REASON_BASIC_INFO_CHANGE	0x00008000	File attributes have been modified
USN_REASON_SECURITY_CHANGE	0x00000800	File ownership/access writes have been modified

Example: File Creation and Deletion

In this example, we created a file test.txt, modified its contents, and then deleted it. The resulting information from the USN Journal is as follows:

Timestamp	Filename	Update Reason
2023-04-26 23:51:09.09	New Text Document.txt	FileCreate
2023-04-26 23:51:09.09	New Text Document.txt	FileCreate,Close
2023-04-26 23:51:16.16	New Text Document.txt	RenameOldName
2023-04-26 23:51:16.16	test.txt	RenameNewName
2023-04-26 23:51:16.16	test.txt	RenameNewName,Close
2023-04-26 23:51:22.22	test.txt	DataExtend
2023-04-26 23:51:22.22	test.txt	DataExtend,Close
2023-04-26 23:51:29.29	$I4NTH4K.txt	FileCreate
2023-04-26 23:51:29.29	$I4NTH4K.txt	DataExtend,FileCreate
2023-04-26 23:51:29.29	$I4NTH4K.txt	DataExtend,FileCreate,Close
2023-04-26 23:51:29.29	test.txt	RenameOldName
2023-04-26 23:51:29.29	$R4NTH4K.txt	RenameNewName
2023-04-26 23:51:29.29	$R4NTH4K.txt	RenameNewName,Close
2023-04-26 23:51:29.29	$R4NTH4K.txt	SecurityChange
2023-04-26 23:51:29.29	$R4NTH4K.txt	SecurityChange,Close

In this example, we first see that a new text file is created, called New Text Document.txt (FileCreate), indicating that it was likely created by right-clicking in Explorer. It is then renamed to test.txt (RenameNewName). Afterwards, its contents are modified (DataExtend). The file is then "deleted," being sent to the recycle bin. This is evidenced by the creation of the $I and $R files. As expected, the $R4NTH4K.txt file should contain the full contents of the deleted file, and we see that Windows simply renames the original file to this.

More information on Recycle Bin $I/$R Files: Recycle Bin $I/$R Files

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Example: Moving a File

In this example, a file has been moved to a different directory. In this instance, while the filename remains the same, we see that the update reasons RenameOldName and RenameNewName are present. The parent entry numbers (as well as the parent sequence numbers, not shown in this table) change, indicating that the file has been moved to a different directory.

Timestamp	Parent Entry Number	Filename	Update Reason
2023-04-26 23:51:41.41	114291	test2.txt	RenameOldName
2023-04-26 23:51:41.41	101882	test2.txt	RenameNewName
2023-04-26 23:51:41.41	101882	test2.txt	RenameNewName,Close
2023-04-26 23:51:41.41	101882	test2.txt	SecurityChange
2023-04-26 23:51:41.41	101882	test2.txt	SecurityChange,Close

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Example: Correlation with Prefetch

UpdateTimestamp	Name	UpdateReasons
2023-04-26 23:51:16.16	New Text Document.txt	RenameOldName
2023-04-26 23:51:16.16	test.txt	RenameNewName
2023-04-26 23:51:22.22	test.txt	DataExtend
2023-04-26 23:51:22.22	test.txt	DataExtend,Close
2023-04-26 23:51:23.23	NOTEPAD.EXE-9FB27C0E.pf	DataTruncation
2023-04-26 23:51:23.23	NOTEPAD.EXE-9FB27C0E.pf	DataExtend,DataTruncation
2023-04-26 23:51:23.23	NOTEPAD.EXE-9FB27C0E.pf	DataExtend,DataTruncation,Close

In this example, we see that notepad.exe was likely executed to edit text.txt. This is particularly valuable as the Prefetch artifact only stores the last 8 execution timestamps of an application, but it is updated for each execution, meaning the USN Journal may provide additional execution timestamps that have rolled out of the Prefetch file.

This example was produced on Windows 10, Version 10.0.19044 Build 19044