Windows Forensic Handbook

USN Journal

Last updated 1 year ago

The USN Journal is an artifact present on NTFS volumes that functions as the filesystem's change journal. It contains high-level records of operations performed on the filesystem (creation, deletion, renaming, data changes, attribute and security changes), each carrying a timestamp, the affected file's MFT reference and a reason code. Copies of this artifact are also present in Volume Shadow Copies, which may provide additional historical data.

The USN Journal is limited in size, so only recent activity is reflected in this file. Depending on the amount of filesystem activity on a volume, this artifact may only provide several days (or even hours) of coverage.

A potential workaround to obtain more history from this artifact is to extract a copy of it from any Volume Shadow Copies present on the NTFS volume.

Analysis Value

Operating System Availability

  • The USN Journal is present on all NTFS volumes

Artifact Location(s)

  • $Extend\$UsnJrnl\$J

Artifact Parsers

  • Velociraptor
  • jp (TZWorks)
  • MFTEcmd (Eric Zimmerman)
  • KAPE (can be used to collect the artifact)

Artifact Interpretation

Below are several common USN Journal reason codes:

Event Code                     Value       Description
-----------------------------  ----------  ------------------------------------------------------------
USN_REASON_FILE_CREATE         0x00000100  File or directory has been created
USN_REASON_FILE_DELETE         0x00000200  File or directory has been deleted
USN_REASON_RENAME_NEW_NAME     0x00002000  File has been renamed (provides the new name)
USN_REASON_RENAME_OLD_NAME     0x00001000  File has been renamed (provides the old name)
USN_REASON_STREAM_CHANGE       0x00200000  An Alternate Data Stream has been added to, removed from or renamed on a file
USN_REASON_NAMED_DATA_EXTEND   0x00000020  An Alternate Data Stream has been added to
USN_REASON_DATA_EXTEND         0x00000002  File modification
USN_REASON_DATA_OVERWRITE      0x00000001  File modification
USN_REASON_DATA_TRUNCATION     0x00000004  File modification
USN_REASON_BASIC_INFO_CHANGE   0x00008000  File attributes have been modified
USN_REASON_SECURITY_CHANGE     0x00000800  File ownership/access rights have been modified
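The reason values above are bit flags combined into a single 32-bit Reason field of each USN_RECORD, which is why parser output shows combinations such as "DataExtend,FileCreate,Close" (USN_REASON_CLOSE, 0x80000000, marks the record written when the last handle to the file closed and carries every reason accumulated up to that point). The following is an added example, not code from the handbook or from any of the parsers listed above: it parses USN_RECORD_V2 structures from a constructed $J buffer, decodes the Reason bitmask into the USN_REASON_* names, and splits NTFS file references into the MFT entry and sequence numbers that tools like MFTEcmd display. The record layout and flag values are the documented Windows ones; the entry numbers, sequence numbers and USN offsets in the sample buffer are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flag values from winioctl.h; the table above lists a subset.
USN_REASON_FLAGS = {
    0x00000001: "USN_REASON_DATA_OVERWRITE",       0x00000002: "USN_REASON_DATA_EXTEND",
    0x00000004: "USN_REASON_DATA_TRUNCATION",      0x00000010: "USN_REASON_NAMED_DATA_OVERWRITE",
    0x00000020: "USN_REASON_NAMED_DATA_EXTEND",    0x00000040: "USN_REASON_NAMED_DATA_TRUNCATION",
    0x00000100: "USN_REASON_FILE_CREATE",          0x00000200: "USN_REASON_FILE_DELETE",
    0x00000400: "USN_REASON_EA_CHANGE",            0x00000800: "USN_REASON_SECURITY_CHANGE",
    0x00001000: "USN_REASON_RENAME_OLD_NAME",      0x00002000: "USN_REASON_RENAME_NEW_NAME",
    0x00004000: "USN_REASON_INDEXABLE_CHANGE",     0x00008000: "USN_REASON_BASIC_INFO_CHANGE",
    0x00010000: "USN_REASON_HARD_LINK_CHANGE",     0x00020000: "USN_REASON_COMPRESSION_CHANGE",
    0x00040000: "USN_REASON_ENCRYPTION_CHANGE",    0x00080000: "USN_REASON_OBJECT_ID_CHANGE",
    0x00100000: "USN_REASON_REPARSE_POINT_CHANGE", 0x00200000: "USN_REASON_STREAM_CHANGE",
    0x80000000: "USN_REASON_CLOSE",
}
KNOWN_REASON_MASK = sum(USN_REASON_FLAGS)

# USN_RECORD_V2 fixed header (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp
# (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength,
# FileNameOffset. The UTF-16LE name follows at FileNameOffset.
USN_RECORD_V2 = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_reason(reason):
    """Expand a Reason bitmask into USN_REASON_* names, lowest bit first."""
    names = [name for bit, name in sorted(USN_REASON_FLAGS.items()) if reason & bit]
    unknown = reason & ~KNOWN_REASON_MASK & 0xFFFFFFFF
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def split_file_reference(ref):
    """NTFS file reference = MFT entry number (low 48 bits) + sequence number (high 16)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_usn_record_v2(buf, offset):
    """Parse one USN_RECORD_V2 at `offset`; returns (record, offset_of_next_record)."""
    (length, major, minor, file_ref, parent_ref, usn, ts, reason, _source,
     _secid, attrs, name_len, name_off) = USN_RECORD_V2.unpack_from(buf, offset)
    if major != 2:   # V3 records use 128-bit file IDs and a different layout
        raise ValueError(f"unsupported USN_RECORD version {major}.{minor}")
    start = offset + name_off
    entry, seq = split_file_reference(file_ref)
    parent_entry, parent_seq = split_file_reference(parent_ref)
    record = {
        "usn": usn, "timestamp": filetime_to_datetime(ts),
        "entry": entry, "sequence": seq,
        "parent_entry": parent_entry, "parent_sequence": parent_seq,
        "name": buf[start:start + name_len].decode("utf-16-le"),
        "reason": reason, "reasons": decode_reason(reason), "attributes": attrs,
    }
    return record, offset + length


def parse_journal(buf):
    """Walk a $J buffer. $J is a sparse stream: zero-filled space precedes the
    live records, so a zero RecordLength means 'step forward', not a record."""
    records, offset = [], 0
    while offset + USN_RECORD_V2.size <= len(buf):
        if struct.unpack_from("<I", buf, offset)[0] == 0:
            offset += 8          # records are 8-byte aligned; skip padding
            continue
        record, offset = parse_usn_record_v2(buf, offset)
        records.append(record)
    return records


def build_usn_record_v2(name, file_ref, parent_ref, usn, when, reason):
    """Build a constructed USN_RECORD_V2 (test data, not captured from a volume)."""
    encoded = name.encode("utf-16-le")
    name_off = USN_RECORD_V2.size
    length = (name_off + len(encoded) + 7) & ~7          # RecordLength is 8-byte aligned
    header = USN_RECORD_V2.pack(length, 2, 0, file_ref, parent_ref, usn,
                                datetime_to_filetime(when), reason, 0, 0,
                                0x20, len(encoded), name_off)
    return header + encoded + b"\x00" * (length - name_off - len(encoded))


# Constructed journal mirroring the rename in the first example below: file entry
# 114300 (sequence 5) under parent entry 114291 (sequence 2). All values invented.
_FILE = (5 << 48) | 114300
_PARENT = (2 << 48) | 114291
_T = datetime(2023, 4, 26, 23, 51, 16, tzinfo=timezone.utc)
SAMPLE_JOURNAL = (
    b"\x00" * 16                                                                     # sparse gap
    + build_usn_record_v2("New Text Document.txt", _FILE, _PARENT, 0x1000, _T, 0x00001000)
    + build_usn_record_v2("test.txt", _FILE, _PARENT, 0x1068, _T, 0x00002000)
    + build_usn_record_v2("test.txt", _FILE, _PARENT, 0x10B8, _T, 0x80002000)
)
```

Running `parse_journal(SAMPLE_JOURNAL)` yields three records whose "reasons" lists read RENAME_OLD_NAME, RENAME_NEW_NAME and RENAME_NEW_NAME+CLOSE, matching the RenameOldName/RenameNewName/RenameNewName,Close rows in the tables below. On a real $J the leading sparse region can be many gigabytes, so production parsers locate the first live record from the file's allocation data rather than stepping 8 bytes at a time as this example does.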

Example: File Creation and Deletion

In this example, we created a file test.txt, modified its contents, and then deleted it. The resulting information from the USN Journal is as follows:

Timestamp               Filename               Update Reason
----------------------  ---------------------  ---------------------------
2023-04-26 23:51:09.09  New Text Document.txt  FileCreate
2023-04-26 23:51:09.09  New Text Document.txt  FileCreate,Close
2023-04-26 23:51:16.16  New Text Document.txt  RenameOldName
2023-04-26 23:51:16.16  test.txt               RenameNewName
2023-04-26 23:51:16.16  test.txt               RenameNewName,Close
2023-04-26 23:51:22.22  test.txt               DataExtend
2023-04-26 23:51:22.22  test.txt               DataExtend,Close
2023-04-26 23:51:29.29  $I4NTH4K.txt           FileCreate
2023-04-26 23:51:29.29  $I4NTH4K.txt           DataExtend,FileCreate
2023-04-26 23:51:29.29  $I4NTH4K.txt           DataExtend,FileCreate,Close
2023-04-26 23:51:29.29  test.txt               RenameOldName
2023-04-26 23:51:29.29  $R4NTH4K.txt           RenameNewName
2023-04-26 23:51:29.29  $R4NTH4K.txt           RenameNewName,Close
2023-04-26 23:51:29.29  $R4NTH4K.txt           SecurityChange
2023-04-26 23:51:29.29  $R4NTH4K.txt           SecurityChange,Close

In this example, we first see that a new text file is created, called New Text Document.txt (FileCreate), indicating that it was likely created by right-clicking in Explorer. It is then renamed to test.txt (RenameNewName). Afterwards, its contents are modified (DataExtend). The file is then "deleted," being sent to the recycle bin. This is evidenced by the creation of the $I and $R files. As expected, the $R4NTH4K.txt file should contain the full contents of the deleted file, and we see that Windows simply renames the original file to this.

More information: Recycle Bin $I/$R Files

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Example: Moving a File

In this example, a file has been moved to a different directory. In this instance, while the filename remains the same, we see that the update reasons RenameOldName and RenameNewName are present. The parent entry numbers (as well as the parent sequence numbers, not shown in this table) change, indicating that the file has been moved to a different directory.

Timestamp               Parent Entry Number  Filename   Update Reason
----------------------  -------------------  ---------  --------------------
2023-04-26 23:51:41.41  114291               test2.txt  RenameOldName
2023-04-26 23:51:41.41  101882               test2.txt  RenameNewName
2023-04-26 23:51:41.41  101882               test2.txt  RenameNewName,Close
2023-04-26 23:51:41.41  101882               test2.txt  SecurityChange
2023-04-26 23:51:41.41  101882               test2.txt  SecurityChange,Close

This example was produced on Windows 10, Version 10.0.19044 Build 19044
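The two examples above share one analytic step: pairing each RenameOldName record with the RenameNewName record that follows for the same MFT entry, then reading the name and parent columns to tell a rename from a move from a trip to the Recycle Bin. The following is an added example, not code from the handbook, that performs that pairing over rows shaped like parser output (timestamp, entry number, parent entry number, filename, update reasons). The rows are constructed from the two tables above; the first example does not show entry numbers, so 114300, 114305, 114310 and the Recycle Bin parent 99000 are invented, while the move example keeps the parent change the page shows (114291 to 101882).

```python
import re
from collections import namedtuple

# One row of parsed $J output (the columns MFTEcmd-style tools emit).
UsnRow = namedtuple("UsnRow", "timestamp entry parent_entry name reasons")

# Constructed rows modelled on the two examples above; entry numbers are invented.
ROWS = [
    UsnRow("2023-04-26 23:51:09.09", 114300, 114291, "New Text Document.txt", "FileCreate"),
    UsnRow("2023-04-26 23:51:09.09", 114300, 114291, "New Text Document.txt", "FileCreate,Close"),
    UsnRow("2023-04-26 23:51:16.16", 114300, 114291, "New Text Document.txt", "RenameOldName"),
    UsnRow("2023-04-26 23:51:16.16", 114300, 114291, "test.txt", "RenameNewName"),
    UsnRow("2023-04-26 23:51:16.16", 114300, 114291, "test.txt", "RenameNewName,Close"),
    UsnRow("2023-04-26 23:51:22.22", 114300, 114291, "test.txt", "DataExtend"),
    UsnRow("2023-04-26 23:51:22.22", 114300, 114291, "test.txt", "DataExtend,Close"),
    UsnRow("2023-04-26 23:51:29.29", 114305, 99000, "$I4NTH4K.txt", "FileCreate"),
    UsnRow("2023-04-26 23:51:29.29", 114305, 99000, "$I4NTH4K.txt", "DataExtend,FileCreate,Close"),
    UsnRow("2023-04-26 23:51:29.29", 114300, 114291, "test.txt", "RenameOldName"),
    UsnRow("2023-04-26 23:51:29.29", 114300, 99000, "$R4NTH4K.txt", "RenameNewName"),
    UsnRow("2023-04-26 23:51:29.29", 114300, 99000, "$R4NTH4K.txt", "RenameNewName,Close"),
    UsnRow("2023-04-26 23:51:41.41", 114310, 114291, "test2.txt", "RenameOldName"),
    UsnRow("2023-04-26 23:51:41.41", 114310, 101882, "test2.txt", "RenameNewName"),
    UsnRow("2023-04-26 23:51:41.41", 114310, 101882, "test2.txt", "RenameNewName,Close"),
]

# Recycle Bin naming: $I<id> holds metadata, $R<id> is the renamed original file.
RECYCLE_NAME = re.compile(r"^\$([IR])([A-Z0-9]{6})(\..*)?$")


def has_reason(row, reason):
    return reason in row.reasons.split(",")


def reconstruct_renames(rows):
    """Pair each RenameOldName record with the next RenameNewName record for the
    same MFT entry and classify what happened to the file."""
    pending, events = {}, []
    for row in rows:
        if has_reason(row, "RenameOldName"):
            pending[row.entry] = row
        elif has_reason(row, "RenameNewName") and row.entry in pending:
            old = pending.pop(row.entry)        # the trailing ",Close" row finds nothing pending
            name_changed = old.name != row.name
            parent_changed = old.parent_entry != row.parent_entry
            m = RECYCLE_NAME.match(row.name)
            if m and m.group(1) == "R":
                kind = "recycled"               # Explorer renamed it to $R<id> inside the Recycle Bin
            elif name_changed and parent_changed:
                kind = "move+rename"
            elif parent_changed:
                kind = "move"                   # same name, new parent directory
            else:
                kind = "rename"                 # new name, same parent directory
            events.append({
                "timestamp": row.timestamp, "entry": row.entry, "kind": kind,
                "old_name": old.name, "new_name": row.name,
                "old_parent": old.parent_entry, "new_parent": row.parent_entry,
                "recycle_id": m.group(2) if m else None,
            })
    return events


def recycle_bin_metadata(rows, recycle_id):
    """Find the $I<id> record created alongside a $R<id> file; that $I file holds
    the original path, size and deletion time (see the Recycle Bin page)."""
    for row in rows:
        m = RECYCLE_NAME.match(row.name)
        if m and m.group(1) == "I" and m.group(2) == recycle_id and has_reason(row, "FileCreate"):
            return row
    return None
```

`reconstruct_renames(ROWS)` returns three events in order: a rename (New Text Document.txt to test.txt, parent unchanged), a recycle (test.txt to $R4NTH4K.txt, parent changed to the Recycle Bin directory) and a move (test2.txt keeps its name while its parent changes from 114291 to 101882). Keying on the entry number alone is adequate within one journal snapshot; when the same entry number is reused after a deletion, the sequence number also has to match, which is why the page notes that parent sequence numbers change too.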

Example: Correlation with Prefetch

Timestamp               Filename                 Update Reason
----------------------  -----------------------  -------------------------------
2023-04-26 23:51:16.16  New Text Document.txt    RenameOldName
2023-04-26 23:51:16.16  test.txt                 RenameNewName
2023-04-26 23:51:22.22  test.txt                 DataExtend
2023-04-26 23:51:22.22  test.txt                 DataExtend,Close
2023-04-26 23:51:23.23  NOTEPAD.EXE-9FB27C0E.pf  DataTruncation
2023-04-26 23:51:23.23  NOTEPAD.EXE-9FB27C0E.pf  DataExtend,DataTruncation
2023-04-26 23:51:23.23  NOTEPAD.EXE-9FB27C0E.pf  DataExtend,DataTruncation,Close

In this example, we see that notepad.exe was likely executed to edit test.txt: the Prefetch file NOTEPAD.EXE-9FB27C0E.pf is rewritten (DataTruncation, DataExtend) one second after the edit. This is particularly valuable because the Prefetch artifact only stores the last 8 execution timestamps of an application, but the Prefetch file is rewritten on each execution, so the USN Journal may provide additional execution timestamps that have already rolled out of the Prefetch file.

This example was produced on Windows 10, Version 10.0.19044 Build 19044
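The following is an added example, not code from the handbook, that automates the correlation above: it treats every Close record on a .pf file whose data changed as one write of that Prefetch file (so one execution), splits the .pf name into the executable name and the path hash, flags a FileCreate on the .pf as the program's first execution, and lists the non-Prefetch files whose data was written in the seconds before. The rows are constructed from the table above plus one invented EXAMPLE.EXE-00000000.pf row (a placeholder name, not a real Prefetch hash) to show the first-execution case; the 15-second window is an assumption to tune per case.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

UsnRow = namedtuple("UsnRow", "timestamp name reasons")

# Constructed rows: the correlation table above plus a placeholder first-run .pf write.
ROWS = [
    UsnRow("2023-04-26 23:51:16.16", "New Text Document.txt", "RenameOldName"),
    UsnRow("2023-04-26 23:51:16.16", "test.txt", "RenameNewName"),
    UsnRow("2023-04-26 23:51:22.22", "test.txt", "DataExtend"),
    UsnRow("2023-04-26 23:51:22.22", "test.txt", "DataExtend,Close"),
    UsnRow("2023-04-26 23:51:23.23", "NOTEPAD.EXE-9FB27C0E.pf", "DataTruncation"),
    UsnRow("2023-04-26 23:51:23.23", "NOTEPAD.EXE-9FB27C0E.pf", "DataExtend,DataTruncation"),
    UsnRow("2023-04-26 23:51:23.23", "NOTEPAD.EXE-9FB27C0E.pf", "DataExtend,DataTruncation,Close"),
    UsnRow("2023-04-26 23:58:02.02", "EXAMPLE.EXE-00000000.pf", "FileCreate,DataExtend,Close"),
]

# Prefetch file names are <EXE NAME>-<8 hex digit path hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
DATA_REASONS = {"DataExtend", "DataOverwrite", "DataTruncation"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def reasons(row):
    return set(row.reasons.split(","))


def prefetch_updates(rows):
    """One event per Close record on a .pf file whose data changed; FileCreate on
    the .pf means the program had not been prefetched before (first execution)."""
    out = []
    for row in rows:
        m = PF_NAME.match(row.name)
        r = reasons(row)
        if m and "Close" in r and r & DATA_REASONS:
            out.append({"timestamp": row.timestamp, "exe": m["exe"].upper(),
                        "hash": m["hash"].upper(), "first_run": "FileCreate" in r})
    return out


def correlate_with_prefetch(rows, window=timedelta(seconds=15)):
    """Attach to each Prefetch write the non-.pf files whose data changed within
    `window` before it; those are candidates for what the program touched."""
    results = []
    for ev in prefetch_updates(rows):
        t = parse_ts(ev["timestamp"])
        touched = []
        for row in rows:
            r = reasons(row)
            if PF_NAME.match(row.name) or not (r & DATA_REASONS) or "Close" not in r:
                continue
            if t - window <= parse_ts(row.timestamp) <= t and row.name not in touched:
                touched.append(row.name)
        results.append({**ev, "candidate_files": touched})
    return results
```

Two caveats when reading the output: Windows writes the Prefetch file roughly ten seconds after the process starts, so the .pf timestamp in the journal lags the actual launch by about that much, and a file written shortly before a .pf update is only a candidate, since any process could have written it; confirm with the Prefetch file's own referenced-file list or with process creation events.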
