TL;DR

In digital forensics and incident response, uncovering hidden artefacts often makes the difference between a stalled investigation and a break-through. One such powerful yet under-appreciated artefact is the USN Journal (Update Sequence Number Journal), an NTFS feature that quietly logs every change on a volume, and can be a forensic goldmine, especially when tackling anti-forensic techniques like timestomping.

ntfs

The USN Journal should be part of every DFIR investigator’s toolkit. It offers accurate, tamper-resistant logs, enables detection of anti-forensic techniques, enriches timeline analysis, and even supports real-time monitoring. Whether you’re reconstructing a deleted file timeline or uncovering timestomping, leveraging the USN Journal can give you clarity where other artifacts fall short.

What is the USN Journal?

The USN Journal is a change-logging mechanism built into NTFS volumes, first introduced with NTFS v3.0 (Windows 2000). Each NTFS volume with journaling enabled maintains a log file located in \$Extend\$UsnJrnl. This journal uses two alternate data streams:

Every record in the USN Journal includes:

  • A 64-bit USN identifier
  • The filename
  • The parent MFT (Master File Table) reference
  • A bit-flag reason code (e.g. file created, deleted, renamed, metadata changed)
  • The timestamp of the change.

This means that every file event leaves a trace—even if the file itself is later deleted or timestomped—making it invaluable for timeline reconstruction and anti-forensic detection.

Why is useful in DFIR

1. Timeline reconstruction, even if files disappear

Because the USN Journal logs each event sequentially and remains even if files are deleted, DFIR investigators can reconstruct event sequences that other artifacts (like file contents or event logs) may no longer reflect (Velociraptor – The Windows USN Journal).

2. Spotting timestomping techniques

Attackers often use timestomping—altering a file’s MACB timestamps to cover tracks. However, the USN Journal records the actual metadata change event. For example, if a file’s timestamp is reverted to 1996, but the USN Journal shows a “BasicInfoChange” at the actual time of manipulation, that mismatch is a red flag (Medium – Determining Time-Stomping Activities with USN Journal).

3. Extending prefetch insight

Prefetch files store only the last eight execution timestamps of an application. But each prefetch file update leaves a record in the USN Journal (.pf gets updated). Correlating those can provide a much more extensive execution history (Haboob DFIR – Advanced USN Journal Forensics).

4. Reconstructing deleted file paths (“Journal Rewind”)

Even when parent folders or MFT entries are overwritten, the USN Journal can enable path reconstruction by reading events in reverse and tracking parent-child relationships across time (CyberCX – NTFS USNJrnl Rewind).

Use Cases & Tools

A) Detecting timestomping

A great walkthrough is provided in Determining Time-Stomping Activities with USN Journal:

  1. A dummy file, MyStory.docx, is created with normal timestamps.
  2. A tool like nTimestomp changes the MACB timestamps to an arbitrary past date.
  3. Using MFTECmd, the \$J stream is parsed along with the MFT to resolve file paths and analyze events.
  4. The USN Journal reveals a “BasicInfoChange” at the actual time of timestomping, exposing the manipulation despite the altered timestamps visible in Explorer.

B) Tracking a fictional intrusion (e.g. Stuxnet Scenario)

In the post Timeline Analysis using $USNJrnl (Living off the land Wipers – Stuxnet Case Study), the author constructs a toy scenario:

  • A hacker (dubbed “Jinmori”) uses SDelete, a wiper that renames a file multiple times (AAA.AAA, BBB.BBB, etc.), then deletes it.
  • Analysts extract \$USNJrnl:$J and parse it with MFTECmd, merging with MFT entries and using Timeline Explorer.
  • The USN entries show all file rename names, allowing investigators to piece together the entire timeline and link it to file wiping behavior.

C) Advanced forensic techniques and tools

The Haboob DFIR Team in Advanced USN Journal Forensics highlights several key techniques and limitations:

  • Tools like MFTECmd and UsnJrnl2Csv help parse and convert \$J into actionable data.
  • The USN Journal typically retains approximately 20 days of changes on active volumes (check via fsutil usn queryjournal C:).
  • Use cases include:
    • Retrieving evidence of deleted files.
    • Detecting timestomping via “BasicInfoChange” flags.
    • Enhancing prefetch artifact history by correlating .pf updates.

D) Automated live monitoring (Velociraptor)

The Velociraptor framework brings realtime power to USN Journal analysis:

  • Its parse_usn() plugin parses \$J directly to extract entries including path and change reasons.
  • Its watch_usn() plugin enables real-time monitoring, e.g., for detecting new file executions or tracking hash changes as soon as they appear.

This opens possibilities for proactive detection and automation during incidents.

Key Takeaways

Feature Value in DFIR
USN Journal \$J stream Records file system changes—even after deletion
Reason codes (e.g. BasicInfoChange) Reveal timestamp manipulation
MFT correlation Allows full-path resolution
Prefetch enhancement Extends provenance beyond 8 runs
Journal rewind Reconstructs file paths of deleted or overwritten entries
Velociraptor Enables live monitoring and detection

In essence, the USN Journal is a powerful, persistent forensic log residing at a level of the file system that most attackers overlook. It tracks changes, not just states, so it can reveal manipulation, even when presented data has been sanitized.