$UsnJrnl (USN Change Journal)

Windows | Filesystem & Timeline | Disk Image

Location

\\.\C:\$Extend\$UsnJrnl:$J

Common Names

  • $UsnJrnl:$J
  • USN Change Journal

Description

NTFS Update Sequence Number journal logging every file system change including creates, deletes, renames, data overwrites, and security descriptor changes.

Forensic Value

The USN journal captures a chronological record of every filesystem change, providing a high-fidelity timeline even for files that have been deleted. Rename chains expose attacker attempts to disguise malicious binaries (e.g., renaming svchost.exe to a temp path). Rapid bulk deletes indicate evidence destruction or ransomware encryption.
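The two patterns named above (rename chains on one MFT entry and bursts of deletes) are easy to check mechanically once the journal has been exported. The following is an added example written for this page, not code from MFTECmd, KAPE or NTFS Log Tracker. It works on a constructed, simplified record layout (timestamp, MFT entry number, file name, raw USN reason bitmask) that is an assumption modelled loosely on an MFTECmd $J export; a real export carries more columns and spells the reasons out as text, so the parser would need adapting. The reason-flag values are the documented USN_RECORD constants.

```python
"""Rename-chain and bulk-delete detection over USN journal records.

Added illustrative example; not part of the page's tools. The CSV layout and
column names below are a constructed assumption, not MFTECmd's exact output.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# USN reason flags as documented for USN_RECORD (winioctl.h).
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000

# Constructed sample journal (assumed column names). One binary is created as
# setup.tmp, renamed to svchost.exe, then to wupdate.exe; later six documents
# are deleted within a third of a second, and one log file hours afterwards.
SAMPLE_JOURNAL = """\
UpdateTimestamp,EntryNumber,Name,UpdateReasons
2024-03-01 10:00:00.000,4000,setup.tmp,0x100
2024-03-01 10:00:00.100,4000,setup.tmp,0x80000100
2024-03-01 10:00:05.000,4000,setup.tmp,0x1000
2024-03-01 10:00:05.000,4000,svchost.exe,0x2000
2024-03-01 10:00:05.010,4000,svchost.exe,0x80002000
2024-03-01 10:00:09.000,4000,svchost.exe,0x1000
2024-03-01 10:00:09.000,4000,wupdate.exe,0x2000
2024-03-01 11:00:00.000,5001,report1.docx,0x200
2024-03-01 11:00:00.050,5002,report2.docx,0x200
2024-03-01 11:00:00.090,5003,budget.xlsx,0x200
2024-03-01 11:00:00.120,5004,photo.jpg,0x200
2024-03-01 11:00:00.200,5005,notes.txt,0x200
2024-03-01 11:00:00.300,5006,readme.md,0x200
2024-03-01 15:30:00.000,5100,old.log,0x200
"""


def parse_journal(text):
    """Parse the constructed CSV into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["UpdateTimestamp"], "%Y-%m-%d %H:%M:%S.%f"),
            "entry": int(row["EntryNumber"]),
            "name": row["Name"],
            "reasons": int(row["UpdateReasons"], 16),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def rename_chains(records):
    """Return {entry: [name0, name1, ...]} for MFT entries renamed at least once.

    The MFT entry number stays constant across renames, so every name the
    entry ever carried can be strung together from OLD_NAME/NEW_NAME pairs.
    """
    chains = defaultdict(list)
    for r in records:
        chain = chains[r["entry"]]
        if r["reasons"] & USN_REASON_RENAME_OLD_NAME:
            if not chain:                      # first rename: record original name
                chain.append(r["name"])
        elif r["reasons"] & USN_REASON_RENAME_NEW_NAME:
            if chain and chain[-1] != r["name"]:  # ignore the CLOSE repeat
                chain.append(r["name"])
    return {e: names for e, names in chains.items() if len(names) > 1}


def bulk_delete_bursts(records, window=timedelta(seconds=2), threshold=5):
    """Return (first_ts, last_ts, count) for windows with >= threshold deletes."""
    deletes = [r for r in records if r["reasons"] & USN_REASON_FILE_DELETE]
    bursts, i, n = [], 0, len(deletes)
    while i < n:
        j = i
        while j + 1 < n and deletes[j + 1]["ts"] - deletes[i]["ts"] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((deletes[i]["ts"], deletes[j]["ts"], count))
            i = j + 1                          # skip past the burst
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL)
    for entry, names in rename_chains(recs).items():
        print(f"MFT entry {entry} rename chain: {' -> '.join(names)}")
    for start, end, count in bulk_delete_bursts(recs):
        print(f"{count} deletes between {start} and {end}")
```

The window and threshold are starting points to tune per host: a build server legitimately deletes thousands of files in seconds, while six document deletes in 300 ms on a user workstation deserve a look. Retention still applies; if the $J has wrapped, the earliest links of a rename chain will simply be missing.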

Tools Required

  • KAPE
  • MFTECmd (Eric Zimmerman)
  • ExtractUsnJrnl
  • NTFS Log Tracker

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target NTFS

MFTECmd

MFTECmd.exe -f "C:\$Extend\$UsnJrnl:$J" --csv C:\output --csvf UsnJrnl.csv

ExtractUsnJrnl

ExtractUsnJrnl.exe /DevicePath:C: /OutputPath:C:\output

NTFS Log Tracker

Load $UsnJrnl:$J in NTFS Log Tracker for timeline analysis

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1070.004 (Indicator Removal: File Deletion)
  • T1070.006 (Indicator Removal: Timestomp)
  • T1486 (Data Encrypted for Impact)