# USN Journal

The USN Journal is an artifact present on NTFS volumes that functions as the volume's change journal. It contains high-level records of operations performed on the filesystem. Copies of the journal are also present in Volume Shadow Copies, which may provide additional historical data.

{% hint style="info" %}
The USN Journal is limited in size and therefore only recent activity will be reflected in this file. Depending on the amount of filesystem activity on a volume this artifact may only provide several days (or even hours) of coverage.

A potential workaround to obtain more history from this artifact would be to extract a copy of it from any available Volume Shadow Copies present on the NTFS volume.
{% endhint %}

## Analysis Value

{% content-ref url="/pages/Ywpi93Ywi9miCUTepCc9" %}
[File Creation](/windows-forensics/artifacts-by-activity/file-activity/creation.md)
{% endcontent-ref %}

{% content-ref url="/pages/rmCTRMRp4lWv3ij2JpeD" %}
[File Deletion](/windows-forensics/artifacts-by-activity/file-activity/deletion.md)
{% endcontent-ref %}

{% content-ref url="/pages/cR8iRSw4xASw6iJFDAif" %}
[Last Modified](/windows-forensics/artifacts-by-activity/file-activity/last-modified.md)
{% endcontent-ref %}

{% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %}
[File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)
{% endcontent-ref %}

{% content-ref url="/pages/nmru9qr1jF7O0ZoLkyQK" %}
[File Size](/windows-forensics/artifacts-by-activity/file-activity/size.md)
{% endcontent-ref %}

## Operating System Availability

* The USN Journal is present in all NTFS Volumes

## Artifact Location(s)

* `$Extend\$UsnJrnl\$J`

## Artifact Parsers

* Velociraptor
* jp (TZWorks)
* MFTEcmd (Eric Zimmerman)
* KAPE (used to extract the `$J` file for offline parsing)

## Artifact Interpretation

Below are several common USN Journal events:

| Event Code                       | Value      | Description                                                               |
| -------------------------------- | ---------- | ------------------------------------------------------------------------- |
| USN\_REASON\_FILE\_CREATE        | 0x00000100 | File or directory has been created                                        |
| USN\_REASON\_FILE\_DELETE        | 0x00000200 | File or directory has been deleted                                        |
| USN\_REASON\_RENAME\_NEW\_NAME   | 0x00002000 | File has been renamed (provides the new name)                             |
| USN\_REASON\_RENAME\_OLD\_NAME   | 0x00001000 | File has been renamed (provides the old name)                             |
| USN\_REASON\_STREAM\_CHANGE      | 0x00200000 | An Alternate Data Stream has been added to, removed from, or renamed on a file |
| USN\_REASON\_NAMED\_DATA\_EXTEND | 0x00000020 | Data has been added to (extended) an Alternate Data Stream                |
| USN\_REASON\_DATA\_EXTEND        | 0x00000002 | File modification                                                         |
| USN\_REASON\_DATA\_OVERWRITE     | 0x00000001 | File modification                                                         |
| USN\_REASON\_DATA\_TRUNCATION    | 0x00000004 | File modification                                                         |
| USN\_REASON\_BASIC\_INFO\_CHANGE | 0x00008000 | File attributes have been modified                                        |
| USN\_REASON\_SECURITY\_CHANGE    | 0x00000800 | File ownership/access rights have been modified                           |
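The reason column above is a bitmask, and parsers such as MFTECmd render the set bits as the comma-separated "Update Reason" strings seen in the examples further down. The following added example (not code from the original page or from any of the parsers listed above) decodes that mask using the values from the table plus `USN_REASON_CLOSE` (0x80000000, shown as `,Close`), and parses raw `USN_RECORD_V2` entries from a `$J` byte stream using the documented Windows structure layout. The journal bytes it parses are constructed to mirror the create/rename/modify sequence of the first example below; the entry and sequence numbers in them are assumptions.

```python
"""Decode USN Journal reason masks and parse raw USN_RECORD_V2 entries ($UsnJrnl:$J).
Added example, not code from the original page. Reason values are those in the table
above plus USN_REASON_CLOSE (0x80000000), rendered by parsers as the ",Close" suffix.
The layout is the documented Windows USN_RECORD_V2 structure (60-byte fixed header,
UTF-16LE name, records padded to 8 bytes); the sample journal bytes are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

USN_REASONS = {
    0x00000001: "DataOverwrite",
    0x00000002: "DataExtend",
    0x00000004: "DataTruncation",
    0x00000020: "NamedDataExtend",
    0x00000100: "FileCreate",
    0x00000200: "FileDelete",
    0x00000800: "SecurityChange",
    0x00001000: "RenameOldName",
    0x00002000: "RenameNewName",
    0x00008000: "BasicInfoChange",
    0x00200000: "StreamChange",
    0x80000000: "Close",
}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# USN_RECORD_V2 header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset (60 bytes, little-endian).
_HEADER = struct.Struct("<IHHQQQQIIIIHH")

def decode_reason(mask: int) -> list:
    """Expand a Reason bitmask into flag names; bits outside the table are reported, not dropped."""
    names = [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]
    leftover = mask & ~sum(USN_REASONS)
    if leftover:
        names.append(f"Unknown(0x{leftover:08x})")
    return names

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def split_file_reference(ref: int) -> tuple:
    """MFT entry number (low 48 bits) and sequence number (high 16 bits) of a file reference."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_usn_records(data: bytes):
    """Yield one dict per USN_RECORD_V2, skipping the zero-filled gaps the sparse $J contains."""
    offset = 0
    while offset + 4 <= len(data):
        record_length = struct.unpack_from("<I", data, offset)[0]
        if record_length == 0:
            offset += 8  # padding; records are 8-byte aligned, so step by 8
            continue
        if record_length < _HEADER.size or offset + record_length > len(data):
            raise ValueError(f"invalid record length {record_length} at offset {offset}")
        (_, major, _, file_ref, parent_ref, usn, timestamp, reason,
         _, _, _, name_len, name_off) = _HEADER.unpack_from(data, offset)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}")
        name = data[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(file_ref)
        parent_entry, parent_seq = split_file_reference(parent_ref)
        yield {"usn": usn, "timestamp": filetime_to_datetime(timestamp),
               "entry_number": entry, "sequence_number": seq,
               "parent_entry_number": parent_entry, "parent_sequence_number": parent_seq,
               "filename": name, "update_reasons": ",".join(decode_reason(reason))}
        offset += record_length

def build_record(usn, filetime, file_ref, parent_ref, reason, filename) -> bytes:
    """Serialise a USN_RECORD_V2; used here only to construct sample input."""
    name = filename.encode("utf-16-le")
    length = (_HEADER.size + len(name) + 7) & ~7
    header = _HEADER.pack(length, 2, 0, file_ref, parent_ref, usn, filetime,
                          reason, 0, 0, 0x20, len(name), _HEADER.size)
    return header + name + b"\0" * (length - _HEADER.size - len(name))

def sample_journal() -> bytes:
    """Constructed $J fragment mirroring the create/rename/modify records of the first
    example below, with a zero-filled gap after the second record."""
    file_ref = (5 << 48) | 114300    # entry 114300, sequence 5 (constructed)
    parent_ref = (3 << 48) | 114291  # parent entry 114291, sequence 3 (constructed)
    close = 0x80000000
    def ts(second):  # FILETIME for 2023-04-26 23:51:<second> UTC
        dt = datetime(2023, 4, 26, 23, 51, second, tzinfo=timezone.utc)
        return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    steps = [(ts(9), 0x100, "New Text Document.txt"), (ts(9), 0x100 | close, "New Text Document.txt"),
             (ts(16), 0x1000, "New Text Document.txt"), (ts(16), 0x2000, "test.txt"),
             (ts(16), 0x2000 | close, "test.txt"), (ts(22), 0x2, "test.txt"),
             (ts(22), 0x2 | close, "test.txt")]
    out = bytearray()
    for i, (filetime, reason, name) in enumerate(steps):
        # A record's USN is its byte offset within $J, so the gap shifts later USNs as well.
        out += build_record(len(out), filetime, file_ref, parent_ref, reason, name)
        if i == 1:
            out += b"\0" * 16
    return bytes(out)

def sample_rows() -> list:
    return list(parse_usn_records(sample_journal()))
```

`sample_rows()` yields the same timestamp/filename/reason columns the example tables show, plus the parent entry and sequence numbers that the moving-a-file example relies on. Running `parse_usn_records` over a `$J` extracted from a live volume or a Volume Shadow Copy works the same way; the zero-length check matters there because the file is sparse and its unallocated regions read back as zeros.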

### Example: File Creation and Deletion

In this example, we created a file `test.txt`, modified its contents, and then deleted it. The resulting information from the USN Journal is as follows:

| Timestamp              | Filename              | Update Reason               |
| ---------------------- | --------------------- | --------------------------- |
| 2023-04-26 23:51:09.09 | New Text Document.txt | FileCreate                  |
| 2023-04-26 23:51:09.09 | New Text Document.txt | FileCreate,Close            |
| 2023-04-26 23:51:16.16 | New Text Document.txt | RenameOldName               |
| 2023-04-26 23:51:16.16 | test.txt              | RenameNewName               |
| 2023-04-26 23:51:16.16 | test.txt              | RenameNewName,Close         |
| 2023-04-26 23:51:22.22 | test.txt              | DataExtend                  |
| 2023-04-26 23:51:22.22 | test.txt              | DataExtend,Close            |
| 2023-04-26 23:51:29.29 | $I4NTH4K.txt          | FileCreate                  |
| 2023-04-26 23:51:29.29 | $I4NTH4K.txt          | DataExtend,FileCreate       |
| 2023-04-26 23:51:29.29 | $I4NTH4K.txt          | DataExtend,FileCreate,Close |
| 2023-04-26 23:51:29.29 | test.txt              | RenameOldName               |
| 2023-04-26 23:51:29.29 | $R4NTH4K.txt          | RenameNewName               |
| 2023-04-26 23:51:29.29 | $R4NTH4K.txt          | RenameNewName,Close         |
| 2023-04-26 23:51:29.29 | $R4NTH4K.txt          | SecurityChange              |
| 2023-04-26 23:51:29.29 | $R4NTH4K.txt          | SecurityChange,Close        |

In this example, we first see that a new text file is created, called `New Text Document.txt` (`FileCreate`), indicating that it was likely created by right-clicking in Explorer. It is then renamed to `test.txt` (`RenameNewName`). Afterwards, its contents are modified (`DataExtend`). The file is then "deleted," being sent to the recycle bin. This is evidenced by the creation of the `$I` and `$R` files. As expected, the `$R4NTH4K.txt` file should contain the full contents of the deleted file, and we see that Windows simply renames the original file to this.

{% hint style="info" %}
More information on Recycle Bin $I/$R Files: [Recycle Bin $I/$R Files](/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files.md)
{% endhint %}

This example was produced on Windows 10, Version 10.0.19044 Build 19044

### Example: Moving a File

In this example, a file has been moved to a different directory. In this instance, while the filename remains the same, we see that the update reasons `RenameOldName` and `RenameNewName` are present. The parent entry numbers (as well as the parent sequence numbers, not shown in this table) change, indicating that the file has been moved to a different directory.

| Timestamp              | Parent Entry Number | Filename  | Update Reason        |
| ---------------------- | ------------------- | --------- | -------------------- |
| 2023-04-26 23:51:41.41 | 114291              | test2.txt | RenameOldName        |
| 2023-04-26 23:51:41.41 | 101882              | test2.txt | RenameNewName        |
| 2023-04-26 23:51:41.41 | 101882              | test2.txt | RenameNewName,Close  |
| 2023-04-26 23:51:41.41 | 101882              | test2.txt | SecurityChange       |
| 2023-04-26 23:51:41.41 | 101882              | test2.txt | SecurityChange,Close |

This example was produced on Windows 10, Version 10.0.19044 Build 19044

### Example: Correlation with Prefetch

| UpdateTimestamp        | Name                    | UpdateReasons                   |
| ---------------------- | ----------------------- | ------------------------------- |
| 2023-04-26 23:51:16.16 | New Text Document.txt   | RenameOldName                   |
| 2023-04-26 23:51:16.16 | test.txt                | RenameNewName                   |
| 2023-04-26 23:51:22.22 | test.txt                | DataExtend                      |
| 2023-04-26 23:51:22.22 | test.txt                | DataExtend,Close                |
| 2023-04-26 23:51:23.23 | NOTEPAD.EXE-9FB27C0E.pf | DataTruncation                  |
| 2023-04-26 23:51:23.23 | NOTEPAD.EXE-9FB27C0E.pf | DataExtend,DataTruncation       |
| 2023-04-26 23:51:23.23 | NOTEPAD.EXE-9FB27C0E.pf | DataExtend,DataTruncation,Close |

In this example, we see that `notepad.exe` was likely executed to edit `test.txt`. This is particularly valuable because the [Prefetch](/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch.md) artifact only stores the last 8 execution timestamps of an application, but the `.pf` file is rewritten on each execution; the USN Journal may therefore provide additional execution timestamps that have rolled out of the Prefetch file.

This example was produced on Windows 10, Version 10.0.19044 Build 19044
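The three examples above describe patterns an analyst recognises by eye: a `RenameOldName`/`RenameNewName` pair that changes the name (rename), keeps the name but changes the parent entry (move), or renames to a `$R` file (deletion to the Recycle Bin), and a `.pf` write landing right after a document was modified (program execution). The following added example (not code from the original page or from any of the parsers listed) encodes those rules over rows in the shape the tables present. Its rows are constructed from the three tables; the parent entry numbers outside the moving-a-file example (114291 for the user's folder, 99321 for the Recycle Bin folder, 4210 for the Prefetch folder) and the 5-second prefetch window are assumptions.

```python
"""Interpretation rules over parsed USN Journal rows (timestamp, parent entry, name, reasons).
Added example, not code from the original page. The rows are constructed from the three
example tables above in a pipe-separated form; parent entry numbers outside the second
example (114291 user folder, 99321 Recycle Bin folder, 4210 Prefetch folder) and the
5-second prefetch window are assumptions.
"""
from datetime import datetime, timedelta

SAMPLE_ROWS = """\
2023-04-26 23:51:09.09|114291|New Text Document.txt|FileCreate
2023-04-26 23:51:09.09|114291|New Text Document.txt|FileCreate,Close
2023-04-26 23:51:16.16|114291|New Text Document.txt|RenameOldName
2023-04-26 23:51:16.16|114291|test.txt|RenameNewName
2023-04-26 23:51:16.16|114291|test.txt|RenameNewName,Close
2023-04-26 23:51:22.22|114291|test.txt|DataExtend
2023-04-26 23:51:22.22|114291|test.txt|DataExtend,Close
2023-04-26 23:51:23.23|4210|NOTEPAD.EXE-9FB27C0E.pf|DataTruncation
2023-04-26 23:51:23.23|4210|NOTEPAD.EXE-9FB27C0E.pf|DataExtend,DataTruncation
2023-04-26 23:51:23.23|4210|NOTEPAD.EXE-9FB27C0E.pf|DataExtend,DataTruncation,Close
2023-04-26 23:51:29.29|99321|$I4NTH4K.txt|FileCreate
2023-04-26 23:51:29.29|99321|$I4NTH4K.txt|DataExtend,FileCreate
2023-04-26 23:51:29.29|99321|$I4NTH4K.txt|DataExtend,FileCreate,Close
2023-04-26 23:51:29.29|114291|test.txt|RenameOldName
2023-04-26 23:51:29.29|99321|$R4NTH4K.txt|RenameNewName
2023-04-26 23:51:29.29|99321|$R4NTH4K.txt|RenameNewName,Close
2023-04-26 23:51:29.29|99321|$R4NTH4K.txt|SecurityChange
2023-04-26 23:51:29.29|99321|$R4NTH4K.txt|SecurityChange,Close
2023-04-26 23:51:41.41|114291|test2.txt|RenameOldName
2023-04-26 23:51:41.41|101882|test2.txt|RenameNewName
2023-04-26 23:51:41.41|101882|test2.txt|RenameNewName,Close
2023-04-26 23:51:41.41|101882|test2.txt|SecurityChange
2023-04-26 23:51:41.41|101882|test2.txt|SecurityChange,Close
"""
DATA_REASONS = {"DataExtend", "DataOverwrite", "DataTruncation"}

def parse_rows(text: str) -> list:
    """Turn the constructed 'timestamp|parent entry|filename|reasons' lines into dicts."""
    rows = []
    for line in text.splitlines():
        ts, parent, name, reasons = line.split("|")
        rows.append({"timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                     "parent_entry": int(parent), "filename": name,
                     "reasons": set(reasons.split(","))})
    return rows

def classify_renames(rows: list) -> list:
    """Pair each RenameOldName record with the next RenameNewName record at the same
    timestamp (the two are adjacent in the journal; the tables above carry no file
    reference number, so ordering is used), then classify the pair: a move keeps the
    name under a new parent, a Recycle Bin deletion renames to $R... under a new parent,
    a plain rename changes only the name."""
    events = []
    for i, old in enumerate(rows):
        if "RenameOldName" not in old["reasons"]:
            continue
        for new in rows[i + 1:]:
            if new["timestamp"] != old["timestamp"]:
                break
            if "RenameNewName" not in new["reasons"]:
                continue
            same_name = new["filename"] == old["filename"]
            same_parent = new["parent_entry"] == old["parent_entry"]
            if new["filename"].startswith("$R") and not same_parent:
                kind = "recycle_bin_delete"
            elif same_name and not same_parent:
                kind = "move"
            elif not same_name and same_parent:
                kind = "rename"
            else:
                kind = "other"
            events.append({"kind": kind, "timestamp": old["timestamp"],
                           "old_name": old["filename"], "new_name": new["filename"],
                           "old_parent": old["parent_entry"], "new_parent": new["parent_entry"]})
            break
    return events

def correlate_prefetch(rows: list, window: timedelta = timedelta(seconds=5)) -> list:
    """For each completed Prefetch write (.pf name, record carrying Close and a data
    reason) report the program and the non-.pf files whose data changed within `window`
    before it: candidate documents the program was used on (window is an assumption)."""
    hits = []
    for pf in rows:
        name = pf["filename"].lower()
        if not name.endswith(".pf") or "Close" not in pf["reasons"] or not pf["reasons"] & DATA_REASONS:
            continue
        related = []
        for row in rows:
            if row["filename"].lower().endswith(".pf") or not row["reasons"] & DATA_REASONS:
                continue
            if timedelta(0) <= pf["timestamp"] - row["timestamp"] <= window and row["filename"] not in related:
                related.append(row["filename"])
        hits.append({"program": pf["filename"].rsplit("-", 1)[0], "timestamp": pf["timestamp"],
                     "related_files": related})
    return hits
```

On the sample rows, `classify_renames` reports the `New Text Document.txt` to `test.txt` rename, the `test.txt` to `$R4NTH4K.txt` Recycle Bin deletion, and the `test2.txt` move from parent entry 114291 to 101882, while `correlate_prefetch` ties the `NOTEPAD.EXE` Prefetch write at 23:51:23 to the `test.txt` modification one second earlier. The `$I` file's own `DataExtend` is not reported as related because it occurs after the Prefetch write, which is why the window is applied in one direction only.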
