
Understanding the $UsnJrnl ($J) and How to Parse and Analyze It

Updated: 18 Feb 2025

If you're digging into NTFS file system changes, the $UsnJrnl (Update Sequence Number Journal, also called the change journal) is one of the best forensic artifacts you can analyze. NTFS appends a record to it every time a file or directory on the volume is created, deleted, renamed or otherwise modified, and those records outlive the files they describe, making it a go-to resource for investigators.


The good news? There are great tools available to parse the $UsnJrnl. One of the best, and my favorite, is Eric Zimmerman's MFTECmd.

---------------------------------------------------------------------------------------------------------

If you want to learn how to run MFTECmd against the $MFT, do check out the article below.

-------------------------------------------------------------------------------------------------------



How to Use MFTECmd to Parse the $UsnJrnl

Running MFTECmd against the $UsnJrnl is pretty much the same as running it against the $MFT (Master File Table). The only difference? The journal records live in the $J alternate data stream (ADS) of $Extend\$UsnJrnl (exposed as $Extend\$J on a mounted image), so you point -f at that stream, and you can optionally hand MFTECmd the $MFT with -m so it can turn the parent entry numbers in each record into full paths.


Here are two simple commands to get started:


In the first command you include the $MFT while parsing $J:
MFTECmd.exe -f G:\G\$Extend\$J -m G:\G\$MFT --csv "E:\Output for testing\Website investigation" --csvf usnjrnl.csv

What’s Happening Here?

  • -f G:\G\$Extend\$J → Points to the $J stream of the $UsnJrnl (here on the mounted volume G:).

  • -m G:\G\$MFT → Includes the $MFT file to cross-reference file entries and build full path information.

  • --csv "E:\Output for testing\Website investigation" --csvf usnjrnl.csv → Sets the output folder and file name, so the parsed data lands in a CSV for easy analysis.


This will generate a CSV file that contains every change still recorded in the journal. In a real-world case, a forensic investigator ran this on a compromised system and parsed 384,493 records, covering 70 hours (about 3 days) of system activity. Keep in mind that the journal has a fixed maximum size and NTFS discards the oldest records as new ones arrive, so on a busy system the live $J often covers only a few days; older records may survive only in volume shadow copies or as carved remnants.


That’s a lot of valuable data!



In the second command you do not include the $MFT while parsing $J:
MFTECmd.exe -f G:\G\$Extend\$J --csv "E:\Output for testing\Website investigation" --csvf usn.csv


I know, I know, you're going to ask: "Dean, what's the difference?" Let me show you with output screenshots.

With $MFT


Without $MFT


(As the screenshots show, with the $MFT the parent path column is populated and you get the full path of the exe; without the $MFT MFTECmd only knows the parent entry and sequence numbers, so there is no path.)


------------------------------------------------------------------------------------------------------------

***Now, if you have been following me, you will have seen that I wrote an article named

Tracing Reused $MFT Entries Paths : Recovering Deleted File Paths Forensically with CyberCX UsnJrnl Rewind



****The good thing is that if you use -m G:\G\$MFT while parsing the $J file you do not have to download an extra tool; MFTECmd resolves the parent paths for you and you get the same output. One caveat: it resolves them against the $MFT as it is now, so for records whose parent directory has since been deleted and its entry reused, compare the parent sequence number in the journal record with the one in the $MFT before trusting the path.

----------------------------------------------------------------------------------------------------------


Parsing Change Journals in Volume Snapshots

One of the coolest things about MFTECmd is that it lets you analyze Volume Shadow Copy (VSS) snapshots. If Windows has kept snapshots of the volume, each one holds an older copy of the $UsnJrnl, so you can extract past versions of $J, including records the live journal has already discarded, and extend your timeline even further.



To do this, just add the --vss flag:

mftecmd.exe -f G:\$Extend\$J -m G:\C\$MFT --vss --csv "E:\Output for testing\Website investigation" --csvf usnvss.csv

What’s Different Here?

  • Instead of running it on a single $J file, this command parses the $J on the live volume and then the copy inside every volume shadow copy that exists for it.

  • The result?

    One CSV per snapshot in addition to the live one, each containing the journal as it looked at that point in time.


If you're mounting a full disk image using Arsenal Image Mounter, you can run this command on the mounted drive (e.g., G:) to retrieve historical data. Run it from an elevated prompt, since reading shadow copies requires administrator rights.

----------------------------------------------------------------------------------------------------------


Avoiding Duplicate Entries

Another handy feature in MFTECmd is the --dedupe option. Before parsing each $J (the live one and each shadow copy's), MFTECmd hashes the file and skips any copy whose hash it has already seen. While it's rare for different snapshots to contain identical $J streams, this option saves time and storage when working with large datasets. Note that it compares whole files, not individual records: two snapshots that overlap in time will still produce the same records in both of their CSVs, so expect to de-duplicate per record when you merge them.


mftecmd.exe -f G:\$Extend\$J -m G:\C\$MFT --dedupe --vss --csv "E:\Output for testing\Website investigation" --csvf usnvss.csv
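As an added example (not part of the original article or of MFTECmd), here is a small Python merge that takes the per-snapshot CSVs MFTECmd writes with --vss and folds them into one timeline with each record appearing once. It keys on UpdateSequenceNumber, which is the record's byte offset inside the journal and therefore identical in every snapshot of the same journal, tags each surviving row with the snapshot it came from, and flags any USN that shows up with two different records, which is what you see when the journal was deleted and recreated between snapshots. The CSV text inside is constructed for the demo; the column names follow MFTECmd's $J output, so check them against the header row of your own files.

```python
"""Merge MFTECmd $J CSVs from the live volume and its shadow copies into one timeline,
de-duplicated per record. Added example, not MFTECmd code. --dedupe only skips
byte-identical $J copies; overlapping snapshots still repeat records, so we key on
UpdateSequenceNumber (the record's byte offset in the journal, stable across
snapshots of the same journal). The CSV text is constructed for the demo and uses
MFTECmd's $J column names; check them against your own header row."""
import csv
import io

KEY = "UpdateSequenceNumber"

def merge_usn_csvs(named_csvs):
    """named_csvs: iterable of (label, csv_text). Returns (rows sorted by USN, conflicts).
    The first copy of a USN wins and is tagged with its Source. The same USN carrying a
    different record means the journal was deleted and recreated between snapshots (a
    new journal starts its offsets over), so such USNs are reported, not silently merged."""
    seen, conflicts = {}, []
    for label, text in named_csvs:
        for row in csv.DictReader(io.StringIO(text)):
            usn = int(row[KEY])
            fp = tuple(row[c] for c in ("EntryNumber", "SequenceNumber", "UpdateTimestamp",
                                        "UpdateReasons", "Name"))
            if usn not in seen:
                row["Source"] = label
                seen[usn] = (fp, row)
            elif seen[usn][0] != fp:
                conflicts.append((usn, seen[usn][1]["Source"], label))
    return [seen[u][1] for u in sorted(seen)], conflicts

# Constructed sample output: one file as seen from two shadow copies and the live volume.
HDR = ("Name,EntryNumber,SequenceNumber,ParentEntryNumber,ParentSequenceNumber,ParentPath,"
       "UpdateSequenceNumber,UpdateTimestamp,UpdateReasons\n")
DESK = ".\\Users\\dean\\Desktop"
VSS1 = HDR + (f"New Text Document.txt,4242,7,202,2,{DESK},4096,2025-02-18 09:30:00.0000000,FileCreate\n"
              f"New Text Document.txt,4242,7,202,2,{DESK},4200,2025-02-18 09:30:00.0000000,FileCreate|Close\n")
VSS2 = HDR + (f"New Text Document.txt,4242,7,202,2,{DESK},4200,2025-02-18 09:30:00.0000000,FileCreate|Close\n"
              f"New Text Document.txt,4242,7,202,2,{DESK},4304,2025-02-18 09:30:30.0000000,RenameOldName\n"
              f"creds.txt.txt,4242,7,202,2,{DESK},4408,2025-02-18 09:30:30.0000000,RenameNewName|Close\n")
LIVE = HDR + (f"evil.exe,7777,1,202,2,{DESK},4304,2025-02-19 01:00:00.0000000,FileCreate\n"  # same USN, other record
              f"creds.txt.txt,4242,7,202,2,{DESK},4408,2025-02-18 09:30:30.0000000,RenameNewName|Close\n"
              f"creds.txt.txt,4242,7,202,2,{DESK},4512,2025-02-18 09:31:30.0000000,DataExtend|Close\n")

if __name__ == "__main__":
    rows, conflicts = merge_usn_csvs([("vss1", VSS1), ("vss2", VSS2), ("live", LIVE)])
    for r in rows:
        print(r[KEY], r["Source"], r["UpdateReasons"], r["Name"], sep="  ")
    print("USN conflicts (journal recreated between snapshots?):", conflicts)
```

In practice you would read the real files from the output folder (one per snapshot plus the live one) and pass them in oldest-snapshot-first, so the Source column tells you the earliest snapshot that still held each record.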

----------------------------------------------------------------------------------------------------------


Alternative Tool: TZWorks' "JP"

If you're looking for another solid tool, TZWorks' "JP" is a great option for parsing the $UsnJrnl. It comes with carving features, which means it can recover records from partially overwritten or deleted change journals rather than only the records the live $J still holds. This is super useful in forensic investigations where the journal has wrapped or data integrity is an issue.


----------------------------------------------------------------------------------------------------------


Analysis of $J Output:

Understanding Column Headers:

As we dive into the USN journal, the column headers are mostly self-explanatory: the file name, its MFT entry and sequence numbers, the parent entry and sequence numbers (plus the parent path if you supplied the $MFT), the USN and the timestamp of the record. The one column that warrants special attention is "Update Reasons". It holds the reason flags for that record, such as FileCreate, FileDelete, RenameOldName, RenameNewName, DataExtend and Close, often several of them joined together, and it tells you which file-related action the record describes. A single user action usually produces several records (for example a create followed by a create-and-close), and a rename shows up as a pair: a RenameOldName record with the old name and a RenameNewName record with the new name, both carrying the same entry number.


Example Analysis:

Suppose we search for a file named "New Text Document.txt" and note its entry number in the journal. By filtering the journal entries on that entry number (rather than on the name, which changes on rename) we can observe a chronological timeline of events related to this file.


Reconstructing File Activity:

In this example, we observe a series of operations involving the file "New Text Document.txt", including its renaming to "creds.txt.txt". This sequence of events, captured in the USN journal, provides a comprehensive narrative of the file's journey on the system, even if the file itself has since been deleted.
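To make the pieces above concrete, here is an added example (not code from the original article, from MFTECmd or from TZWorks JP) that does in miniature what those tools do: it carves USN_RECORD_V2 entries out of a raw $J stream (the kind of recovery JP's carving offers, simplified here to a sanity-checking scan), decodes the Update Reasons bits into the "FileCreate|Close" style strings you see in the CSV, resolves parent paths against an $MFT lookup the way -m does while refusing to guess when the parent entry's sequence number no longer matches (the reused-entry caveat from earlier), and finally filters on an entry number to rebuild the create and rename timeline of "New Text Document.txt". The journal bytes, the $MFT map (entry numbers, sequence numbers, the Users\dean\Desktop path) and the timestamps are all constructed for the demo; only the record layout and the reason bit values are the real NTFS definitions.

```python
"""Parse and carve USN_RECORD_V2 entries from a raw $J stream, decode the reason flags,
resolve parent paths against an $MFT lookup and rebuild one file's timeline.
Added example, not MFTECmd or TZWorks code; the $J bytes and the $MFT map are constructed.
Layout: 60-byte header, UTF-16LE name at offset 60, 8-byte padding, USN = byte offset in $J."""
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IHHQQqqIIIIHH")   # RecordLength .. FileNameOffset (60 bytes)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ROOT = (5, 5)   # NTFS root directory is MFT entry 5; sequence 5 is assumed for the demo
REASONS = {   # USN_REASON_* bits, rendered MFTECmd-style as "FileCreate|Close"
    0x1: "DataOverwrite", 0x2: "DataExtend", 0x4: "DataTruncation", 0x10: "NamedDataOverwrite",
    0x20: "NamedDataExtend", 0x40: "NamedDataTruncation", 0x100: "FileCreate", 0x200: "FileDelete",
    0x400: "EaChange", 0x800: "SecurityChange", 0x1000: "RenameOldName", 0x2000: "RenameNewName",
    0x4000: "IndexableChange", 0x8000: "BasicInfoChange", 0x10000: "HardLinkChange",
    0x20000: "CompressionChange", 0x40000: "EncryptionChange", 0x80000: "ObjectIdChange",
    0x100000: "ReparsePointChange", 0x200000: "StreamChange", 0x400000: "TransactedChange",
    0x800000: "IntegrityChange", 0x80000000: "Close"}

def decode_reasons(flags):
    return "|".join(n for bit, n in REASONS.items() if flags & bit) or hex(flags)

def split_ref(ref):
    """MFT file reference: low 48 bits = entry number, high 16 bits = sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def filetime_to_dt(ft):   # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def carve_usn_records(data):
    """Yield every plausible V2 record in a raw $J blob, carver-style: step 8 bytes at a time
    through the sparse zero prefix and junk, accept a record only when version, length,
    alignment and name bounds all make sense, then jump past it."""
    pos, n = 0, len(data)
    while pos + HEADER.size <= n:
        length, major, minor, ref, pref, usn, ft, reason, _, _, _, nlen, noff = HEADER.unpack_from(data, pos)
        if not (major == 2 and minor == 0 and HEADER.size <= length <= 1024 and length % 8 == 0
                and noff == HEADER.size and 2 <= nlen <= length - noff and nlen % 2 == 0
                and pos + length <= n):
            pos += 8
            continue
        entry, seq = split_ref(ref)
        pentry, pseq = split_ref(pref)
        yield {"usn": usn, "entry": entry, "seq": seq, "parent_entry": pentry, "parent_seq": pseq,
               "timestamp": filetime_to_dt(ft), "reasons": decode_reasons(reason),
               "name": data[pos + noff:pos + noff + nlen].decode("utf-16-le", "replace")}
        pos += length

def resolve_path(rec, mft):
    """What -m does: walk the parent references through an $MFT map
    {(entry, seq): (name, parent_key)}. A parent whose sequence number no longer matches
    has been deleted and reused, so the path is reported as unknown rather than guessed."""
    parts, key = [], (rec["parent_entry"], rec["parent_seq"])
    while key != ROOT:
        if key not in mft:
            return "<unknown: parent entry reused or missing from $MFT>"
        name, key = mft[key]
        parts.append(name)
    return "\\" + "\\".join(reversed(parts))

def entries_named(records, name):
    """Entry numbers that ever carried this name (a name may be reused by different files)."""
    return sorted({r["entry"] for r in records if r["name"].lower() == name.lower()})

def timeline_for_entry(records, entry, mft):
    """All records for one MFT entry number in USN order: (time, reasons, full path)."""
    rows = sorted((r for r in records if r["entry"] == entry), key=lambda r: r["usn"])
    return [(r["timestamp"].strftime("%Y-%m-%d %H:%M:%S"), r["reasons"],
             resolve_path(r, mft).rstrip("\\") + "\\" + r["name"]) for r in rows]

def build_record(usn, entry, seq, pentry, pseq, ft, reason, name):
    nb = name.encode("utf-16-le")
    length = (HEADER.size + len(nb) + 7) & ~7   # records are padded to an 8-byte boundary
    hdr = HEADER.pack(length, 2, 0, (seq << 48) | entry, (pseq << 48) | pentry, usn, ft,
                      reason, 0, 0, 0x20, len(nb), HEADER.size)   # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    return (hdr + nb).ljust(length, b"\x00")

T0 = datetime(2025, 2, 18, 9, 30, tzinfo=timezone.utc)
MFT = {(200, 3): ("Users", ROOT), (201, 1): ("dean", (200, 3)), (202, 2): ("Desktop", (201, 1))}
EVENTS = [   # (entry, seq, parent_entry, parent_seq, +seconds, reason bits, name); constructed story
    (4242, 7, 202, 2, 0, 0x100, "New Text Document.txt"), (4242, 7, 202, 2, 0, 0x80000100, "New Text Document.txt"),
    (4242, 7, 202, 2, 30, 0x1000, "New Text Document.txt"), (4242, 7, 202, 2, 30, 0x2000, "creds.txt.txt"),
    (4242, 7, 202, 2, 30, 0x80002000, "creds.txt.txt"), (4242, 7, 202, 2, 90, 0x80000002, "creds.txt.txt"),
    (9001, 1, 999, 4, 120, 0x80000200, "stage2.bin")]   # parent (999, 4) not in the $MFT map: reused entry

def constructed_journal():
    data = bytearray(b"\x00" * 64 + b"GARBAGE!" * 2)   # sparse zero region plus non-record bytes
    for entry, seq, pe, ps, secs, reason, name in EVENTS:
        data += build_record(len(data), entry, seq, pe, ps, dt_to_filetime(T0 + timedelta(seconds=secs)), reason, name)
    return bytes(data)

if __name__ == "__main__":
    recs = list(carve_usn_records(constructed_journal()))
    for row in timeline_for_entry(recs, entries_named(recs, "creds.txt.txt")[0], MFT):
        print(*row, sep="  ")
```

Two design points worth carrying over to real cases: filter on the entry number, not the name, or you lose the records from before the rename; and treat a path as unknown whenever the parent (entry, sequence) pair is not in the $MFT you have, because a reused entry will otherwise hand you a plausible but wrong directory.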

-------------------------------------------------------------------------------------------------------------

Reference video:

-------------------------------------------------------------------------------------------------------------


Final Thoughts

The $UsnJrnl is a goldmine when investigating file system changes. Thanks to tools like MFTECmd and TZWorks' JP, forensic analysts can quickly extract, cross-reference, and analyze these logs with ease. Whether you're examining a live system, a forensic image, or volume snapshots, these tools help uncover what really happened on a system—no guesswork needed.


Happy hunting! 🔍🚀




 
 
 
