$UsnJrnl ($J)
What is $UsnJrnl ($J)?
The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.
The $UsnJrnl is a sparse file stored under the NTFS metadata directory $Extend\$UsnJrnl, with the operational stream $J holding individual USN records and $Max storing journal metadata. Each record captures the file name, parent reference, USN reason flags (FILE_CREATE, RENAME_NEW_NAME, DATA_OVERWRITE, FILE_DELETE, and many others), and a timestamp. Because the journal logs every change on a volume, analysts can reconstruct the lifecycle of an attacker's tools even when the binaries themselves were wiped: file drops, staging, archiving, and deletion all leave USN traces. MFTECmd's $J parser produces CSV timelines suitable for super-timeline integration with Plaso or Timeline Explorer.
● Examples
- 01: Reconstructing how an attacker created, renamed, and zipped a staging folder before exfiltration.
- 02: Detecting wiper activity through a burst of FILE_DELETE reason codes against business-critical paths.
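As an added illustration (not code from the page's author, MFTECmd, Plaso or Timeline Explorer), the Python below parses raw USN_RECORD_V2 records from a constructed $J byte stream, decodes the reason flags named in the definition, and runs the two checks from examples 01 and 02: the event lifecycle of one file reference, and a burst of FILE_DELETE records under a critical directory. The record layout and USN_REASON_* bit values are the documented Windows ones; the journal bytes, file reference numbers (0x1001, 0x1002, 0x123456), timestamps, 5-second window and threshold of 3 are constructed assumptions.

```python
"""Parse USN_RECORD_V2 entries from a $UsnJrnl:$J byte stream and run the two
timeline checks from the examples above. Added illustration for this glossary
entry, not code from MFTECmd or any other tool it names. Layout and
USN_REASON_* values follow the documented Windows structure; sample bytes are
constructed."""
import struct
from datetime import datetime, timedelta, timezone

# Subset of the documented USN_REASON_* flags (bit -> name).
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
# Fixed 60-byte head of USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def decode_reason(flags):
    return [name for bit, name in sorted(REASONS.items()) if flags & bit]


def parse_usn_records(buf):
    """Walk $J and return one dict per record. $J is sparse, so the stream can
    start with zero-filled space; a zero RecordLength means 'nothing here'."""
    records, off = [], 0
    while off + HEADER.size <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:          # zeroed (sparse) region: step 8 bytes and retry
            off += 8
            continue
        (_, major, _minor, fref, parent, usn, ts, reason, _src, _sid, _attrs,
         name_len, name_off) = HEADER.unpack_from(buf, off)
        if major != 2 or rec_len < name_off + name_len:
            raise ValueError(f"unsupported or corrupt record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "file_ref": fref, "parent_ref": parent,
                        "time": filetime_to_dt(ts), "name": name,
                        "reason": decode_reason(reason)})
        off += rec_len            # RecordLength already includes 8-byte padding
    return records


def lifecycle(records, file_ref):
    """Example 01: every event for one file reference, in USN order."""
    return [(r["time"], r["name"], r["reason"])
            for r in sorted(records, key=lambda r: r["usn"])
            if r["file_ref"] == file_ref]


def delete_bursts(records, critical_parents, window=timedelta(seconds=5), threshold=3):
    """Example 02: windows holding >= threshold FILE_DELETE records whose parent
    directory reference is in critical_parents (in practice resolved via $MFT)."""
    deletes = sorted(r["time"] for r in records
                     if "FILE_DELETE" in r["reason"] and r["parent_ref"] in critical_parents)
    bursts, i = [], 0
    while i < len(deletes):
        hits = [t for t in deletes[i:] if t - deletes[i] <= window]
        if len(hits) >= threshold:
            bursts.append((deletes[i], len(hits)))
            i += len(hits)        # do not re-report the same window
        else:
            i += 1
    return bursts


def build_record(usn, fref, parent, ts, reason, name):
    """Constructed USN_RECORD_V2 for testing; not taken from a real volume."""
    name_b = name.encode("utf-16-le")
    rec_len = (HEADER.size + len(name_b) + 7) & ~7      # records are 8-byte aligned
    head = HEADER.pack(rec_len, 2, 0, fref, parent, usn, ts, reason,
                       0, 0, 0x20, len(name_b), HEADER.size)
    return head + name_b + b"\0" * (rec_len - HEADER.size - len(name_b))


# Constructed sample journal: a staging folder created, renamed and archived,
# then three deletes under one critical directory (constructed parent ref 0x123456).
T0 = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
CRITICAL = {0x123456}
_at = lambda s: dt_to_filetime(T0 + timedelta(seconds=s))
SAMPLE_J = b"\0" * 64 + b"".join([      # leading zeros mimic the sparse head
    build_record(100, 0x1001, 0x5, _at(0), 0x100, "stage"),
    build_record(108, 0x1001, 0x5, _at(1), 0x1000, "stage"),
    build_record(116, 0x1001, 0x5, _at(1), 0x2000, "tmp"),
    build_record(124, 0x1002, 0x5, _at(5), 0x100, "tmp.zip"),
    build_record(132, 0x1002, 0x5, _at(6), 0x2 | 0x80000000, "tmp.zip"),
    build_record(140, 0x1002, 0x5, _at(30), 0x200 | 0x80000000, "tmp.zip"),
    build_record(148, 0x2001, 0x123456, _at(60), 0x200, "q1.xlsx"),
    build_record(156, 0x2002, 0x123456, _at(61), 0x200, "q2.xlsx"),
    build_record(164, 0x2003, 0x123456, _at(62), 0x200, "q3.xlsx"),
])

if __name__ == "__main__":
    recs = parse_usn_records(SAMPLE_J)
    for t, name, why in lifecycle(recs, 0x1002):
        print(t.isoformat(), name, "|".join(why))
    print("delete bursts:", delete_bursts(recs, CRITICAL))
```

On a real case the bytes come from the $J stream carved or copied out of $Extend\$UsnJrnl, and parent reference numbers are resolved to full paths against the $MFT; the set of critical reference numbers here stands in for that lookup. Because $J is the live operational stream, the oldest records are discarded once the journal reaches its configured maximum size, so it should be preserved early in an acquisition.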
● Frequently asked questions
What is $UsnJrnl ($J)?
The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion. It belongs to the Forensics & IR category of cybersecurity.
What are other names for $UsnJrnl ($J)?
Common alternative names include: UsnJrnl, Change Journal, $J.
● Related terms
- forensics-ir № 677
MFT (Master File Table)
The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- forensics-ir № 043
Amcache.hve
A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- forensics-ir № 1034
Shimcache (AppCompatCache)
A Windows registry value that tracks executable metadata for application-compatibility checks; historically used as execution evidence, with important interpretation caveats.
- forensics-ir № 850
Prefetch Files
Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
- forensics-ir № 766
Order of Volatility
The acquisition priority defined by RFC 3227 that requires forensic responders to collect the most ephemeral evidence first, before it is overwritten or lost.
● See also
- № 1031 Shellbags
- № 568 Jump Lists