USN Journal Analysis
The USN Journal is the NTFS change journal, stored in the $J alternate data stream of the $Extend\$UsnJrnl metadata file (the sibling $Max stream holds the journal's maximum size and ID). NTFS appends a record each time a file or directory is created, deleted, renamed, or has its data or attributes changed. A record carries the file name, reason flags, timestamp and MFT reference, not the file content itself.
Examining $J can reconstruct activity timelines even after event logs or prefetch files have been cleared. The journal is a fixed-size circular buffer, so the oldest records are discarded as new ones arrive; how far back it reaches depends on volume activity, typically days to weeks. Older records that have been overwritten in $J can sometimes still be carved from unallocated space.
On NTFS volumes, the journal stream resides at:
C:\$Extend\$UsnJrnl:$J
| Tool | Purpose |
|---|---|
| MFTECmd | Parses $J (as well as $MFT and $LogFile) to CSV; when $MFT is supplied alongside $J it resolves each record's parent path |
Each journal record (USN_RECORD_V2 on NTFS) includes:
| Field | Description |
|---|---|
| USN | Update Sequence Number: the record's byte offset in the $J stream, which also gives journal order |
| Timestamp | When the change was recorded (FILETIME, UTC) |
| File Reference Number | NTFS file ID: MFT entry number (low 48 bits) plus sequence number (high 16 bits), so a reused MFT slot is not confused with its previous occupant |
| Parent File Reference | File reference of the directory the file was in at the time of the change |
| Reason Flags | Bitmask of what happened (create, delete, rename, data write, attribute change, etc.) |
| Security ID / File Attributes | Security descriptor ID and the file's attribute flags (directory, hidden, archive, etc.) at the time of the change |
| File Name | Name of the file or directory only; the full path must be rebuilt by resolving the parent reference against $MFT |
Common Reason Flags include (values as defined in winioctl.h):
| Flag | Meaning |
|---|---|
| 0x00000001 | Data Overwrite |
| 0x00000002 | Data Extend |
| 0x00000004 | Data Truncation |
| 0x00000100 | File Create |
| 0x00000200 | File Delete |
| 0x00000800 | Security Change |
| 0x00001000 | File Rename (Old Name) |
| 0x00002000 | File Rename (New Name) |
| 0x00008000 | Basic Info Change (timestamps, attributes) |
| 0x80000000 | Close (handle closed; the accumulated reasons for that open are final) |
Reasons accumulate across records until the handle is closed, so one logical operation often spans several rows: a write appears as DATA_EXTEND and then DATA_EXTEND|CLOSE, and a rename produces an old-name record followed by a new-name record for the same file reference.
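The record layout and flag semantics above can be exercised directly. The following Python is added here as an illustration (it is not MFTECmd's code and was not part of the original page): it parses raw USN_RECORD_V2 entries from a $J byte buffer, skips the sparse zero-filled regions a real $J contains, decodes the reason bitmask, splits file references into MFT entry and sequence number, and rebuilds the create -> rename -> delete history of one file. The journal bytes, file names, entry numbers and timestamps are constructed for the example; the structure offsets and flag values are those of winioctl.h.

```python
"""Parse raw USN_RECORD_V2 entries from a $J stream and rebuild a per-file timeline."""
import struct
from datetime import datetime, timedelta, timezone

# Subset of USN_REASON_* bit values from winioctl.h
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
# USN_RECORD_V2 fixed header (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
# The UTF-16LE name follows at FileNameOffset; each record is padded to 8 bytes.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_reason(reason):
    """Expand the Reason bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(REASON_FLAGS.items()) if reason & bit]

def split_file_ref(ref):
    """Low 48 bits: MFT entry number; high 16 bits: sequence (reuse) number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_usn_records(buf):
    """Walk a $J buffer; zero-filled sparse regions are skipped 8 bytes at a time."""
    records, off = [], 0
    while off + HEADER.size <= len(buf):
        fields = HEADER.unpack_from(buf, off)
        rec_len, major = fields[0], fields[1]
        if rec_len == 0:
            off += 8
            continue
        if rec_len < HEADER.size or major != 2:  # V3/V4 (128-bit IDs) not handled here
            raise ValueError(f"unsupported or corrupt record at offset {off}")
        fref, pref, usn, ts, reason, _src, _sid, attrs, name_len, name_off = fields[3:]
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_ref(fref)
        records.append({
            "usn": usn, "timestamp": filetime_to_dt(ts), "name": name,
            "entry": entry, "seq": seq, "parent_entry": split_file_ref(pref)[0],
            "reasons": decode_reason(reason), "attributes": attrs,
        })
        off += rec_len
    return records

def timeline_for_entry(records, entry):
    """Every record for one MFT entry, in journal (USN) order."""
    return sorted((r for r in records if r["entry"] == entry), key=lambda r: r["usn"])

# --- Constructed sample journal for this example (not real evidence) ---------------
def build_record(fref, pref, usn, ft, reason, name, attrs=0x20):
    name_bytes = name.encode("utf-16-le")
    rec_len = (HEADER.size + len(name_bytes) + 7) & ~7
    hdr = HEADER.pack(rec_len, 2, 0, fref, pref, usn, ft, reason, 0, 0, attrs,
                      len(name_bytes), HEADER.size)
    return hdr + name_bytes + b"\x00" * (rec_len - len(hdr) - len(name_bytes))

def build_journal(events, leading_gap=16):
    """A record's USN is its byte offset within $J, so assign it from the buffer position."""
    buf = bytearray(leading_gap)  # zero bytes stand in for the sparse prefix
    for fref, pref, ft, reason, name in events:
        buf += build_record(fref, pref, len(buf), ft, reason, name)
    return bytes(buf)

def _ft(*ymdhms):
    return (datetime(*ymdhms, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10

FILE = (3 << 48) | 42        # hypothetical: MFT entry 42, sequence 3
OTHER = (7 << 48) | 59       # hypothetical unrelated file
DOWNLOADS = (1 << 48) | 31   # hypothetical parent directory
SAMPLE_J = build_journal([
    (FILE, DOWNLOADS, _ft(2024, 1, 15, 12, 0, 0), 0x100, "payload.tmp"),
    (FILE, DOWNLOADS, _ft(2024, 1, 15, 12, 0, 1), 0x100 | 0x2 | 0x80000000, "payload.tmp"),
    (OTHER, DOWNLOADS, _ft(2024, 1, 15, 12, 0, 5), 0x1 | 0x80000000, "notes.txt"),
    (FILE, DOWNLOADS, _ft(2024, 1, 15, 12, 1, 0), 0x1000, "payload.tmp"),
    (FILE, DOWNLOADS, _ft(2024, 1, 15, 12, 1, 0), 0x2000, "payload.exe"),
    (FILE, DOWNLOADS, _ft(2024, 1, 15, 12, 1, 0), 0x1000 | 0x2000 | 0x80000000, "payload.exe"),
    (FILE, DOWNLOADS, _ft(2024, 1, 15, 12, 5, 0), 0x200 | 0x80000000, "payload.exe"),
])

if __name__ == "__main__":
    for r in timeline_for_entry(parse_usn_records(SAMPLE_J), 42):
        print(r["timestamp"].strftime("%Y-%m-%d %H:%M:%S"), r["usn"], r["name"], "|".join(r["reasons"]))
```

Two details matter when this is run against a real $J: the stream starts with a large sparse region, which is why the parser tolerates zero-filled bytes, and records identify files only by name plus parent reference, so full paths still require a lookup against $MFT.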
```powershell
# Parse the $J journal into CSV for analysis (run elevated; -f can point at the
# live stream or at a $J extracted from an image)
MFTECmd.exe -f "C:\$Extend\$UsnJrnl:$J" --csv "out/"
# Combine sources: parse $MFT as well, and pass it with -m so each $J row
# carries its resolved parent path instead of only a parent entry number
MFTECmd.exe -f "C:\$MFT" --csv "out/"
MFTECmd.exe -f "C:\$Extend\$UsnJrnl:$J" -m "C:\$MFT" --csv "out/"
```
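Once MFTECmd has written the $J CSV, the useful questions are usually about sequences of records rather than single rows. The following Python is an added illustration (not MFTECmd's or the page's own code): it keys rows by EntryNumber and SequenceNumber so a renamed file is followed across its names, and flags files that went from creation to deletion within a short window. The CSV rows are constructed. The column names (Name, EntryNumber, SequenceNumber, ParentPath, UpdateSequenceNumber, UpdateTimestamp, UpdateReasons) and the seven-digit timestamp format follow MFTECmd's $J output as I know it; treat them as assumptions and check the header row of your own export.

```python
"""Triage an MFTECmd $J CSV: follow renames by MFT reference and flag short-lived files."""
import csv
import io
from datetime import datetime, timedelta

# Constructed rows in the column layout assumed for MFTECmd's $J CSV (verify against your header).
# Timestamps use the assumed default yyyy-MM-dd HH:mm:ss.fffffff format (7 fractional digits).
SAMPLE_CSV = """\
Name,Extension,EntryNumber,SequenceNumber,ParentEntryNumber,ParentSequenceNumber,ParentPath,UpdateSequenceNumber,UpdateTimestamp,UpdateReasons,FileAttributes,OffsetToData,SourceFile
payload.tmp,.tmp,42,3,31,1,.\\Users\\alice\\Downloads,16,2024-01-15 12:00:00.0000000,FileCreate|DataExtend|Close,Archive,16,$J
payload.tmp,.tmp,42,3,31,1,.\\Users\\alice\\Downloads,104,2024-01-15 12:01:00.0000000,RenameOldName,Archive,104,$J
payload.exe,.exe,42,3,31,1,.\\Users\\alice\\Downloads,192,2024-01-15 12:01:00.0000000,RenameNewName|Close,Archive,192,$J
payload.exe,.exe,42,3,31,1,.\\Users\\alice\\Downloads,280,2024-01-15 12:05:00.0000000,FileDelete|Close,Archive,280,$J
report.docx,.docx,77,1,31,1,.\\Users\\alice\\Downloads,368,2024-01-15 13:00:00.0000000,DataOverwrite|Close,Archive,368,$J
"""

def parse_timestamp(s):
    """strptime's %f accepts at most 6 fractional digits, so drop the seventh."""
    return datetime.strptime(s[:26], "%Y-%m-%d %H:%M:%S.%f")

def load_j_csv(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "key": (int(row["EntryNumber"]), int(row["SequenceNumber"])),
            "name": row["Name"],
            "parent": row["ParentPath"],
            "usn": int(row["UpdateSequenceNumber"]),
            "ts": parse_timestamp(row["UpdateTimestamp"]),
            "reasons": set(row["UpdateReasons"].split("|")),
        })
    return sorted(rows, key=lambda r: r["usn"])

def histories(rows):
    """Group records by (EntryNumber, SequenceNumber). An MFT slot reused for a
    different file gets a new sequence number, so unrelated files are not merged."""
    out = {}
    for r in rows:
        out.setdefault(r["key"], []).append(r)
    return out

def name_chain(records):
    """Distinct names in the order the file carried them."""
    chain = []
    for r in records:
        if not chain or chain[-1] != r["name"]:
            chain.append(r["name"])
    return chain

def short_lived(rows, max_age=timedelta(minutes=10)):
    """Files created and deleted within max_age, reported under their final name and path."""
    hits = []
    for recs in histories(rows).values():
        created = next((r["ts"] for r in recs if "FileCreate" in r["reasons"]), None)
        deleted = next((r for r in recs if "FileDelete" in r["reasons"]), None)
        if created and deleted and deleted["ts"] - created <= max_age:
            hits.append((deleted["parent"] + "\\" + deleted["name"],
                         name_chain(recs), created, deleted["ts"]))
    return hits

if __name__ == "__main__":
    for path, names, created, deleted in short_lived(load_j_csv(SAMPLE_CSV)):
        print(path, " -> ".join(names), created, deleted)
```

Grouping on the sequence number as well as the entry number is the point to keep: after a delete, NTFS can hand the same MFT entry to an unrelated file, and only the incremented sequence number separates the two histories.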