$UsnJrnl (USN Change Journal)

Location

Description

NTFS Update Sequence Number journal logging every file system change including creates, deletes, renames, data overwrites, and security descriptor changes.

Forensic Value

The USN journal captures a chronological record of every filesystem change, providing a high-fidelity timeline even for files that have been deleted. Rename chains expose attacker attempts to disguise malicious binaries (e.g., renaming svchost.exe to a temp path). Rapid bulk deletes indicate evidence destruction or ransomware encryption.

Tools Required