$UsnJrnl ($J)
What is $UsnJrnl ($J)?
The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.
The $UsnJrnl is a sparse file stored in the NTFS metadata directory $Extend\$UsnJrnl; its $J stream holds the individual USN records and its $Max stream stores the journal's metadata. Each record captures the file name, a reference to the parent directory, the USN reason flags (FILE_CREATE, RENAME_NEW_NAME, DATA_OVERWRITE, FILE_DELETE, and many others), and a timestamp. Because the journal logs every change on a volume, analysts can reconstruct the lifecycle of an attacker's tools even when the binaries themselves were wiped: file drops, staging, archiving, and deletion all leave USN traces. MFTECmd's $J parser produces CSV timelines suitable for super-timeline integration with Plaso or Timeline Explorer.
● Examples
- 01: Reconstructing how an attacker created, renamed, and zipped a staging folder before exfiltration.
- 02: Detecting wiper activity through a burst of FILE_DELETE reason codes against business-critical paths.
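As an added example (not part of this entry or of MFTECmd), a small Python parser for the USN_RECORD_V2 layout that walks a constructed $J fragment, decodes the reason bits, reconstructs the create/rename/zip sequence of example 01, and applies a FILE_DELETE burst heuristic for example 02. The record contents, file names, MFT references and the 10-second window are constructed assumptions, not data from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",     # USN_REASON_* subset
           0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks
HDR = struct.Struct("<IHHQQqqIIIIHH")               # USN_RECORD_V2 fixed part, 60 bytes

def decode_reason(flags):
    return [name for bit, name in REASONS.items() if flags & bit]

def parse_j(buf):
    """Walk a $J stream; zero-filled sparse regions are skipped 8 bytes at a time."""
    pos, records = 0, []
    while pos + HDR.size <= len(buf):
        length = struct.unpack_from("<I", buf, pos)[0]
        if length == 0:                               # inside a sparse hole, records are 8-byte aligned
            pos += 8
            continue
        f = HDR.unpack_from(buf, pos)                 # f[5]=Usn f[6]=TimeStamp f[7]=Reason f[11]/f[12]=name len/off
        name = buf[pos + f[12]:pos + f[12] + f[11]].decode("utf-16-le")
        records.append({"usn": f[5], "time": EPOCH + timedelta(microseconds=f[6] // 10),
                        "reason": decode_reason(f[7]), "name": name})
        pos += length
    return records

def build_record(usn, when, reason, name):
    """Constructed sample record (not from a real volume), 8-byte aligned like NTFS writes it."""
    nb = name.encode("utf-16-le")
    length = (HDR.size + len(nb) + 7) & ~7
    d = when - EPOCH                                  # integer arithmetic keeps the FILETIME exact
    ticks = ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10
    hdr = HDR.pack(length, 2, 0, 0x1000000000005, 0x1000000000005, usn, ticks, reason, 0, 0, 0x20, len(nb), HDR.size)
    return hdr + nb + b"\0" * (length - HDR.size - len(nb))

def max_deletes_in_window(records, window=timedelta(seconds=10)):
    """Largest number of FILE_DELETE records inside any sliding window (wiper-burst heuristic)."""
    times = sorted(r["time"] for r in records if "FILE_DELETE" in r["reason"])
    best, i = 0, 0
    for j, t in enumerate(times):
        while t - times[i] > window:
            i += 1
        best = max(best, j - i + 1)
    return best

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed: (usn, seconds after T0, reason, name)
EVENTS = [(100, 0, 0x100 | 0x80000000, "stage"), (200, 30, 0x1000, "stage"), (300, 30, 0x2000, "Temp"),
          (400, 60, 0x100 | 0x2 | 0x80000000, "out.zip")] + \
         [(500 + i, 120 + i, 0x200 | 0x80000000, f"r{i}.docx") for i in range(5)]
SAMPLE_J = b"\0" * 16 + b"".join(build_record(u, T0 + timedelta(seconds=s), r, n) for u, s, r, n in EVENTS)
```

Running `parse_j(SAMPLE_J)` yields the nine records in USN order, with the RENAME_OLD_NAME/RENAME_NEW_NAME pair sharing one timestamp, and `max_deletes_in_window` returns 5 for the constructed burst.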
● Frequently asked questions
What is $UsnJrnl ($J)?
The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion. It belongs to the Forensics & IR category of cybersecurity.
What does $UsnJrnl ($J) mean?
The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.
How do you defend against $UsnJrnl ($J)?
Defences for $UsnJrnl ($J) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for $UsnJrnl ($J)?
Common alternative names include: UsnJrnl, Change Journal, $J.