Investigating USN Journal
28/07/2022 Thursday
The USN Journal (Update Sequence Number Journal) is the journaling functionality of NTFS. USN Journal maintains change logs made to the files on the NTFS and ReFS volumes. USN journal contains file or folder creation, deletion, and modification details. NTFS appends new records to the end of the USN Journal stream and it can be retrieved in the event of system crash or restore.
Digital Forensics Value of USN Journal Artifact
USN Journal has become a default with Windows Vista, and it is present on current Windows systems. The USN Journal records all the changes that have been occurred on a partition. By analyzing USN Journal we can get logs of creation, deletion, modification activities on files and filenames with timestamps (in millisecond precision). By just looking into timestamps and file names from the USN Journal we can infer what has happened on the system. Therefore, USN Journal is a valuable data source for timeline analysis of a Windows system.
Location of USN Journal Artifact
The USN Journal is located at: [root_directory] of NTFS - $Extend - $UsnJrnl.
Structure of USN Journal Artifact
The USN Journal is structured in two alternate data streams (ADS) and a file slack. The journaling streams are stored in $UsnJrnl:$J (ADS) and $UsnJrnl:$Max. The $J is a sparse file. All the journaling is stored sequentially in unsigned integer format in $J file. When the size of the USN Journal file exceeds the defined value, journal rotates and starts to overwrite on old data. You can check the size of the USN Journal by using the fsutil tool. Image below shows how to query details of the USN Journal.
Analyzing USN Journal Artifacts with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to extract USN Journal artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select USN Journal artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the USN Journal artifacts in ArtiFast.
USN Journal Artifact
The artifact contains information related to USN Journal. The details you can view include:
- Name - Name of the file or directory associated with this record.
- Update Sequence Number - Update sequence number of this record.
- Reason Hex - Reason for the change in this file or directory journal in hexadecimal.
- Reason String - Reason for the change in this file or directory journal.
- MFT Reference Number - MFT reference number of the file or directory for which this record applies.
- Parent MFT Reference Number Parent - MFT reference number of the file or directory for which this record applies.
- File Attributes Hex - The attributes for the file or directory associated with this record in hexadecimal.
- File Attributes - The attributes for the file or directory associated with this record.
- Source Information Hex - More information about the source of this change in hexadecimal.
- Source Information - More information about the source of this change.
- Security ID - The unique security identifier assigned to the file or directory associated with this record.
- Timestamp Date/Time - Event Date/Time.
For more information or suggestions please contact: [email protected]
