USN Journal
The USN Journal (Update Sequence Number Journal, also called the NTFS change journal) is an artifact present on NTFS volumes that records which files and directories changed and why. It is distinct from $LogFile, the NTFS transaction log: the USN Journal holds high-level records of operations taken on the filesystem (create, delete, rename, data written, attributes or security changed) rather than the low-level metadata transactions. Copies of this artifact also exist inside Volume Shadow Copies, which may provide additional historical data.
The USN Journal is limited in size (the maximum is set when the journal is created) and therefore only recent activity will be reflected in this file. Depending on the amount of filesystem activity on a volume, this artifact may only provide several days (or even hours) of coverage; a busy system volume with many temporary file writes rolls over quickly.
A potential workaround to obtain more history from this artifact is to extract a copy of it from any available Volume Shadow Copies present on the NTFS volume, each of which preserves the journal as it was when that snapshot was taken.
Analysis Value
File Creation
File Deletion
Last Modified
File Path
File Size
Operating System Availability
The USN Journal exists on an NTFS volume once the change journal has been enabled. It is enabled by default on the Windows system volume; other NTFS volumes may have no journal until an application (for example the Windows Search indexer) activates it or an administrator creates one with fsutil usn createjournal. On a live system, fsutil usn queryjournal <drive>: reports whether a journal is active, its maximum size, and the current USN range.
Artifact Location(s)
$Extend\$UsnJrnl:$J (the record data is held in the $J alternate data stream of the $UsnJrnl file; the $Max stream of the same file holds the journal's metadata: maximum size, allocation delta, journal ID and lowest valid USN)
Artifact Parsers
Velociraptor
jp (TZWorks)
MFTEcmd (Eric Zimmerman)
KAPE (Eric Zimmerman) can be used to collect the $J stream from a live system for offline parsing with MFTECmd
Artifact Interpretation
Below are several common USN Journal reason flags. The Reason field of a record is a bitmask, and flags accumulate across a file's records until a Close record is written, so a single record can carry several reasons (for example DataExtend,FileCreate,Close):
Reason Flag | Value | Description |
---|---|---|
USN_REASON_FILE_CREATE | 0x00000100 | File or directory has been created |
USN_REASON_FILE_DELETE | 0x00000200 | File or directory has been deleted |
USN_REASON_RENAME_NEW_NAME | 0x00002000 | File has been renamed (record carries the new name) |
USN_REASON_RENAME_OLD_NAME | 0x00001000 | File has been renamed (record carries the old name) |
USN_REASON_STREAM_CHANGE | 0x00200000 | A named data stream (Alternate Data Stream) has been added, removed or renamed |
USN_REASON_NAMED_DATA_EXTEND | 0x00000020 | Data has been appended to a named data stream (Alternate Data Stream) |
USN_REASON_DATA_EXTEND | 0x00000002 | File modification: data appended to the default data stream (file grew) |
USN_REASON_DATA_OVERWRITE | 0x00000001 | File modification: existing data in the default data stream overwritten |
USN_REASON_DATA_TRUNCATION | 0x00000004 | File modification: default data stream truncated |
USN_REASON_BASIC_INFO_CHANGE | 0x00008000 | File attributes or timestamps have been modified |
USN_REASON_SECURITY_CHANGE | 0x00000800 | File ownership or access rights (security descriptor) have been modified |
USN_REASON_CLOSE | 0x80000000 | File or directory has been closed; the record summarises all reasons recorded since the previous Close |
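To show how the flags above appear on disk, here is an added example in Python (written for this page; it is not code from any of the parsers listed above). It walks USN_RECORD_V2 structures in raw $J bytes, skips the sparse zero region, splits the 64-bit file references into MFT entry and sequence numbers, converts the FILETIME timestamps, and decodes the Reason bitmask into the flag names parsers such as MFTECmd print. The journal bytes it parses are constructed for the demonstration: the entry numbers and USNs are invented, and the record sequence mirrors the create/rename rows of the first example below.

```python
"""Parser for USN_RECORD_V2 entries as laid out in $Extend\\$UsnJrnl:$J
(added example; the journal bytes it parses are constructed, not captured)."""
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from winioctl.h.  Reason is a bitmask, and flags accumulate across a
# file's records until a Close record: hence output such as "DataExtend,FileCreate,Close".
USN_REASONS = {
    0x00000001: "DataOverwrite", 0x00000002: "DataExtend", 0x00000004: "DataTruncation",
    0x00000010: "NamedDataOverwrite", 0x00000020: "NamedDataExtend",
    0x00000040: "NamedDataTruncation", 0x00000100: "FileCreate", 0x00000200: "FileDelete",
    0x00000400: "EaChange", 0x00000800: "SecurityChange", 0x00001000: "RenameOldName",
    0x00002000: "RenameNewName", 0x00004000: "IndexableChange", 0x00008000: "BasicInfoChange",
    0x00010000: "HardLinkChange", 0x00020000: "CompressionChange",
    0x00040000: "EncryptionChange", 0x00080000: "ObjectIdChange",
    0x00100000: "ReparsePointChange", 0x00200000: "StreamChange",
    0x00400000: "TransactedChange", 0x00800000: "IntegrityChange", 0x80000000: "Close",
}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Fixed 60-byte header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset; FileName (UTF-16LE) follows.
_V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")

def decode_reason(mask):
    """Expand a Reason bitmask into flag names, lowest bit first (Close last)."""
    names = [name for bit, name in USN_REASONS.items() if mask & bit]
    unknown = mask & ~sum(USN_REASONS)  # bits this table does not name
    if unknown:
        names.append("Unknown(0x%08x)" % unknown)
    return names

def split_file_reference(ref):
    """NTFS file reference: 48-bit MFT entry number, 16-bit sequence number on top."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - _EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds) * 10

def parse_usn_journal(buf):
    """Yield records from raw $J bytes.  $J is sparse: the region before the live
    data and the padding after each record read back as zeros, so zero runs are
    skipped on an 8-byte boundary.  A record's Usn is its byte offset within $J."""
    off = 0
    while off + _V2_HEADER.size <= len(buf):
        (length, major, _minor, file_ref, parent_ref, usn, ts, reason, _source,
         _security_id, attrs, name_len, name_off) = _V2_HEADER.unpack_from(buf, off)
        if length == 0:
            off += 8
            continue
        # V3/V4 records (128-bit file IDs, ReFS, range tracking) are not handled here.
        if major != 2 or length < _V2_HEADER.size or off + length > len(buf):
            raise ValueError("unsupported or truncated record at offset %d" % off)
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(file_ref)
        parent, parent_seq = split_file_reference(parent_ref)
        yield {"offset": off, "usn": usn, "timestamp": filetime_to_datetime(ts),
               "entry": entry, "seq": seq, "parent": parent, "parent_seq": parent_seq,
               "attributes": attrs, "name": name, "reason": reason,
               "reasons": decode_reason(reason)}
        off += (length + 7) & ~7

def build_record(usn, when, entry, seq, parent, parent_seq, reason, name):
    """Pack one USN_RECORD_V2 for test data (FileAttributes fixed at ARCHIVE)."""
    enc = name.encode("utf-16-le")
    length = (_V2_HEADER.size + len(enc) + 7) & ~7
    hdr = _V2_HEADER.pack(length, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent,
                          usn, datetime_to_filetime(when), reason, 0, 0, 0x20,
                          len(enc), _V2_HEADER.size)
    return (hdr + enc).ljust(length, b"\x00")

def sample_journal():
    """Constructed $J fragment: 0x1000 bytes of sparse zeros, then the create/rename
    sequence from the page's first example.  Entry numbers are invented; each USN
    equals the record's offset as it would on a real volume."""
    t0 = datetime(2023, 4, 26, 23, 51, 9, 90000, tzinfo=timezone.utc)
    t1 = datetime(2023, 4, 26, 23, 51, 16, 160000, tzinfo=timezone.utc)
    recs = [
        build_record(0x1000, t0, 114300, 3, 114291, 1, 0x00000100, "New Text Document.txt"),
        build_record(0x1068, t0, 114300, 3, 114291, 1, 0x80000100, "New Text Document.txt"),
        build_record(0x10D0, t1, 114300, 3, 114291, 1, 0x00001000, "New Text Document.txt"),
        build_record(0x1138, t1, 114300, 3, 114291, 1, 0x00002000, "test.txt"),
        build_record(0x1188, t1, 114300, 3, 114291, 1, 0x80002000, "test.txt"),
    ]
    return b"\x00" * 0x1000 + b"".join(recs)

if __name__ == "__main__":
    for rec in parse_usn_journal(sample_journal()):
        print(rec["timestamp"], rec["entry"], rec["parent"], rec["name"], ",".join(rec["reasons"]))
```

Two details matter when pointing this at a real $J: the stream is sparse, so a raw copy made with a tool that does not preserve sparseness will start with gigabytes of zeros that the loop skips eight bytes at a time (seek to the FirstUsn recorded in $Max instead), and the parent reference only identifies a directory by MFT entry and sequence number, so resolving it to a path still requires the $MFT, which is why MFTECmd accepts both files together.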
Example: File Creation and Deletion
In this example, we created a file test.txt, modified its contents, and then deleted it. The resulting information from the USN Journal is as follows:
Timestamp | Filename | Update Reason |
---|---|---|
2023-04-26 23:51:09.09 | New Text Document.txt | FileCreate |
2023-04-26 23:51:09.09 | New Text Document.txt | FileCreate,Close |
2023-04-26 23:51:16.16 | New Text Document.txt | RenameOldName |
2023-04-26 23:51:16.16 | test.txt | RenameNewName |
2023-04-26 23:51:16.16 | test.txt | RenameNewName,Close |
2023-04-26 23:51:22.22 | test.txt | DataExtend |
2023-04-26 23:51:22.22 | test.txt | DataExtend,Close |
2023-04-26 23:51:29.29 | $I4NTH4K.txt | FileCreate |
2023-04-26 23:51:29.29 | $I4NTH4K.txt | DataExtend,FileCreate |
2023-04-26 23:51:29.29 | $I4NTH4K.txt | DataExtend,FileCreate,Close |
2023-04-26 23:51:29.29 | test.txt | RenameOldName |
2023-04-26 23:51:29.29 | $R4NTH4K.txt | RenameNewName |
2023-04-26 23:51:29.29 | $R4NTH4K.txt | RenameNewName,Close |
2023-04-26 23:51:29.29 | $R4NTH4K.txt | SecurityChange |
2023-04-26 23:51:29.29 | $R4NTH4K.txt | SecurityChange,Close |
In this example, we first see that a new text file is created, called New Text Document.txt (FileCreate), indicating that it was likely created by right-clicking in Explorer (New > Text Document). It is then renamed to test.txt (a RenameOldName record carrying the old name, followed by a RenameNewName record carrying the new one). Afterwards, its contents are modified (DataExtend). The file is then "deleted," being sent to the Recycle Bin. This is evidenced by the creation of the $I and $R files: $I4NTH4K.txt is newly created and written (FileCreate, DataExtend) and holds the original path and deletion time, while test.txt is simply renamed to $R4NTH4K.txt (RenameOldName followed by RenameNewName), so the $R4NTH4K.txt file still contains the full contents of the deleted file. The SecurityChange records that follow are consistent with the file picking up inherited permissions from its new parent, the user's $Recycle.Bin directory.
Note that no FileDelete record appears here. A Recycle Bin "deletion" is a rename; a FileDelete record is only written when the file is actually removed, for example by Shift+Delete, by emptying the Recycle Bin, or by deletion from a command prompt or script.
See also: Recycle Bin $I/$R Files
This example was produced on Windows 10, Version 10.0.19044 Build 19044
Example: Moving a File
In this example, a file has been moved to a different directory on the same volume. While the filename remains the same, the update reasons RenameOldName and RenameNewName are present: NTFS implements a move within a volume as a rename. The parent entry numbers (as well as the parent sequence numbers, not shown in this table) change between the RenameOldName and RenameNewName records, indicating that the file has been moved to a different directory; the file's own entry number does not change. The trailing SecurityChange records are consistent with the file inheriting the permissions of its new parent directory.
Timestamp | Parent Entry Number | Filename | Update Reason |
---|---|---|---|
2023-04-26 23:51:41.41 | 114291 | test2.txt | RenameOldName |
2023-04-26 23:51:41.41 | 101882 | test2.txt | RenameNewName |
2023-04-26 23:51:41.41 | 101882 | test2.txt | RenameNewName,Close |
2023-04-26 23:51:41.41 | 101882 | test2.txt | SecurityChange |
2023-04-26 23:51:41.41 | 101882 | test2.txt | SecurityChange,Close |
This example was produced on Windows 10, Version 10.0.19044 Build 19044
Example: Correlation with Prefetch
In this example, the USN Journal records for test.txt from the first example are shown together with the records for Notepad's Prefetch file, which was rewritten about one second after test.txt was modified:
UpdateTimestamp | Name | UpdateReasons |
---|---|---|
2023-04-26 23:51:16.16 | New Text Document.txt | RenameOldName |
2023-04-26 23:51:16.16 | test.txt | RenameNewName |
2023-04-26 23:51:22.22 | test.txt | DataExtend |
2023-04-26 23:51:22.22 | test.txt | DataExtend,Close |
2023-04-26 23:51:23.23 | NOTEPAD.EXE-9FB27C0E.pf | DataTruncation |
2023-04-26 23:51:23.23 | NOTEPAD.EXE-9FB27C0E.pf | DataExtend,DataTruncation |
2023-04-26 23:51:23.23 | NOTEPAD.EXE-9FB27C0E.pf | DataExtend,DataTruncation,Close |
In this example, we see that notepad.exe was likely executed to edit test.txt: the Prefetch file NOTEPAD.EXE-9FB27C0E.pf is truncated and rewritten (DataTruncation, DataExtend) right after the DataExtend on test.txt. This is particularly valuable because the Prefetch artifact only stores the last 8 execution timestamps of an application, but the .pf file itself is rewritten on every execution, so each DataTruncation/DataExtend record on a .pf file in the USN Journal is evidence of one execution, including runs that have rolled out of the Prefetch file. Two caveats apply: Windows writes the Prefetch file roughly 10 seconds after the process starts, so the USN record lags the actual launch by about that much, and the record only shows that the program ran, not which file it opened; the link to test.txt here rests on the timing alone.
This example was produced on Windows 10, Version 10.0.19044 Build 19044
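The three examples above (Recycle Bin deletion, directory move, Prefetch rewrite) can be turned into simple pattern checks over parsed journal rows. The following added example in Python was written for this page and is not taken from any parser mentioned on it. It works on rows shaped like the UpdateTimestamp, EntryNumber, ParentEntryNumber, Name and UpdateReasons columns of MFTECmd's $J CSV; the rows are constructed from the tables above, the entry and parent entry numbers for the deletion and Prefetch rows are invented (the page does not show them), and the 10-second Prefetch write delay used to estimate launch time is an assumption stated in the code.

```python
"""Pattern checks over parsed USN Journal rows (added example; the rows below are
constructed from the tables on this page, with invented entry numbers)."""
from datetime import datetime, timedelta

# (UpdateTimestamp, EntryNumber, ParentEntryNumber, Name, UpdateReasons), the columns
# MFTECmd's $J CSV provides.  Entry numbers for the deletion and Prefetch rows are invented.
SAMPLE = [
    ("2023-04-26 23:51:09.09", 99001, 114291, "New Text Document.txt", "FileCreate"),
    ("2023-04-26 23:51:09.09", 99001, 114291, "New Text Document.txt", "FileCreate,Close"),
    ("2023-04-26 23:51:16.16", 99001, 114291, "New Text Document.txt", "RenameOldName"),
    ("2023-04-26 23:51:16.16", 99001, 114291, "test.txt", "RenameNewName"),
    ("2023-04-26 23:51:16.16", 99001, 114291, "test.txt", "RenameNewName,Close"),
    ("2023-04-26 23:51:22.22", 99001, 114291, "test.txt", "DataExtend"),
    ("2023-04-26 23:51:22.22", 99001, 114291, "test.txt", "DataExtend,Close"),
    ("2023-04-26 23:51:23.23", 77002, 3315, "NOTEPAD.EXE-9FB27C0E.pf", "DataTruncation"),
    ("2023-04-26 23:51:23.23", 77002, 3315, "NOTEPAD.EXE-9FB27C0E.pf", "DataExtend,DataTruncation"),
    ("2023-04-26 23:51:23.23", 77002, 3315, "NOTEPAD.EXE-9FB27C0E.pf", "DataExtend,DataTruncation,Close"),
    ("2023-04-26 23:51:29.29", 99002, 120500, "$I4NTH4K.txt", "FileCreate"),
    ("2023-04-26 23:51:29.29", 99002, 120500, "$I4NTH4K.txt", "DataExtend,FileCreate"),
    ("2023-04-26 23:51:29.29", 99002, 120500, "$I4NTH4K.txt", "DataExtend,FileCreate,Close"),
    ("2023-04-26 23:51:29.29", 99001, 114291, "test.txt", "RenameOldName"),
    ("2023-04-26 23:51:29.29", 99001, 120500, "$R4NTH4K.txt", "RenameNewName"),
    ("2023-04-26 23:51:29.29", 99001, 120500, "$R4NTH4K.txt", "RenameNewName,Close"),
    ("2023-04-26 23:51:29.29", 99001, 120500, "$R4NTH4K.txt", "SecurityChange"),
    ("2023-04-26 23:51:29.29", 99001, 120500, "$R4NTH4K.txt", "SecurityChange,Close"),
    ("2023-04-26 23:51:41.41", 99003, 114291, "test2.txt", "RenameOldName"),
    ("2023-04-26 23:51:41.41", 99003, 101882, "test2.txt", "RenameNewName"),
    ("2023-04-26 23:51:41.41", 99003, 101882, "test2.txt", "RenameNewName,Close"),
    ("2023-04-26 23:51:41.41", 99003, 101882, "test2.txt", "SecurityChange"),
    ("2023-04-26 23:51:41.41", 99003, 101882, "test2.txt", "SecurityChange,Close"),
]

def load(rows):
    return [{"ts": ts, "entry": e, "parent": p, "name": n, "reasons": set(r.split(","))}
            for ts, e, p, n, r in rows]

def _rename_pairs(records):
    """Pair each RenameOldName record with the next RenameNewName record for the same
    MFT entry (the first one, before the Close variant repeats the flag)."""
    pending = {}
    for rec in records:
        if "RenameOldName" in rec["reasons"]:
            pending[rec["entry"]] = rec
        elif "RenameNewName" in rec["reasons"] and rec["entry"] in pending:
            yield pending.pop(rec["entry"]), rec

def recycle_bin_deletions(records):
    """Explorer deletion: the file is renamed to $R<id>.<ext> and a matching
    $I<id>.<ext> metadata file is created in the same Recycle Bin directory.
    No FileDelete is recorded at this point."""
    i_files = {(r["ts"], r["parent"], r["name"][2:]) for r in records
               if r["name"].startswith("$I") and "FileCreate" in r["reasons"]}
    hits = []
    for old, new in _rename_pairs(records):
        key = (new["ts"], new["parent"], new["name"][2:])
        if new["name"].startswith("$R") and key in i_files:
            hits.append({"ts": new["ts"], "original": old["name"], "entry": new["entry"],
                         "r_file": new["name"], "i_file": "$I" + new["name"][2:]})
    return hits

def directory_moves(records):
    """A move within one volume is a rename that keeps the name but changes the parent."""
    return [{"ts": new["ts"], "name": new["name"], "entry": new["entry"],
             "from_parent": old["parent"], "to_parent": new["parent"]}
            for old, new in _rename_pairs(records)
            if old["name"] == new["name"] and old["parent"] != new["parent"]]

PREFETCH_DELAY = timedelta(seconds=10)  # assumption: the .pf is written ~10 s after launch

def prefetch_executions(records):
    """Each rewrite of a *.pf file is one execution of that program, including runs
    that have aged out of the 8 timestamps kept inside the Prefetch file."""
    seen, runs = set(), []
    for r in records:
        if not r["name"].upper().endswith(".PF"):
            continue
        if not r["reasons"] & {"DataExtend", "DataTruncation", "DataOverwrite"}:
            continue
        if (r["name"], r["ts"]) in seen:  # one run produces several records
            continue
        seen.add((r["name"], r["ts"]))
        written = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S.%f")
        runs.append({"exe": r["name"].rsplit("-", 1)[0], "pf_written": r["ts"],
                     "approx_launch": (written - PREFETCH_DELAY).strftime("%Y-%m-%d %H:%M:%S")})
    return runs

if __name__ == "__main__":
    recs = load(SAMPLE)
    for hit in recycle_bin_deletions(recs) + directory_moves(recs) + prefetch_executions(recs):
        print(hit)
```

The pairing is keyed on the MFT entry number because names are not unique across a journal (the same file is renamed twice here) and because the Close variant of each record repeats the flags; matching on the first RenameNewName per entry avoids double counting. On a real volume the entry number can be reused after a file is deleted, so a stricter version would key on entry plus sequence number, both of which MFTECmd also exports.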