Introduction
In the ever-evolving landscape of digital investigative analysis and incident response, investigators rely on a multitude of artifacts to piece together what occurred on a Windows system. Some artifacts answer narrow questions: whether a program executed, whether a file was downloaded, whether a user opened a document, or whether data was moved to removable media. The strongest analysis rarely rests on one artifact. It comes from correlating independent records until they form a coherent and testable account of activity.
The Update Sequence Number Journal, commonly called the USN Journal, USNJ, or Change Journal, is exceptionally valuable in that process. It is a rolling NTFS record of changes to files, directories, and streams. It does not preserve the contents of those objects, and it does not identify the human who caused a change. What it can preserve is a highly granular sequence of file-system events: a temporary file created, data appended, a browser download renamed, an archive extracted, a document deleted, or a counter-forensic utility repeatedly renaming a target before removal.
The USN Journal adds the capability to identify file activity that may not be apparent from the current file system alone. It can reveal deleted filenames, evidence of counter-forensic activity, and the tell-tale sequence of operations associated with downloads, extraction, application execution, and the Recycle Bin. Used carefully, it helps the analyst move beyond a static inventory of files and reconstruct how the system changed over time.
What the USN Journal Is
The USN Journal has been a component of NTFS since Windows 2000 and is enabled by default on modern Windows system volumes. Microsoft designed it so applications such as backup software, indexing services, replication systems, and security products could determine what changed without repeatedly scanning every file on the volume.
On an NTFS volume, the journal is stored in the $UsnJrnl metadata file under the $Extend directory. Its $J named data stream contains the change records, while the $Max stream contains journal configuration information. Forensic collections and tools sometimes expose the $J stream as a separate extracted file, which is why an examiner may encounter a path such as C:\$Extend\$J in a mounted triage image.
Each record is assigned an increasing Update Sequence Number. The journal is rolling rather than permanent: as new activity accumulates, older records are eventually removed according to the journal's configured size and allocation behavior. Consequently, the available time span varies widely according to system activity, journal configuration, and whether the journal was deleted or reset.
What a USN Record Contains
A parsed USN record normally contains enough metadata to identify the affected object, place the event in time, and describe the category of change. The exact fields depend on the record version and the parser, but the following are central to forensic analysis.
| Field | Forensic significance |
|---|---|
| Update timestamp | The system-recorded time associated with the journal entry. It must be interpreted in the parser's displayed time zone and correlated with other time sources. |
| Update Sequence Number | A monotonically increasing journal position that is especially useful for preserving event order when multiple records share the same displayed second. |
| Entry number / file reference | The Master File Table record number assigned to the file or directory. |
| Sequence number | A value that increments when an MFT record is reused, distinguishing different objects that occupied the same record number at different times. |
| Parent entry / sequence | The MFT reference for the parent directory at the time of the event; these values can support path reconstruction. |
| Filename and extension | The object name recorded when the change occurred. This may preserve a name after the current file has been deleted. |
| Update reason | One or more bit flags describing the category of change, such as creation, deletion, rename, data extension, overwrite, or closure. |
| File attributes | Attributes such as directory, archive, hidden, system, reparse point, sparse file, or not-content-indexed. |
MFT Entry Numbers and Sequence Numbers
The combination of an MFT entry number and sequence number is critical. NTFS may reuse a deleted file's MFT record for a newly created object. When reuse occurs, the sequence number increments. An analyst who correlates a historical USN record only to the current MFT entry number, without checking the sequence number, can associate the event with the wrong file or the wrong parent path.
This explains why a parser may populate a path for a live object but leave the parent path blank for an older deleted record. The current MFT no longer contains the historical directory relationship. Reverse-processing tools can sometimes reconstruct that relationship by walking backward through the journal and preserving prior directory mappings.
Reading the Update Reason Flags
The Update Reason field is the journal's vocabulary. A single record may contain one reason or a combination of reasons separated by a delimiter. The flag describes the type of file-system change; it does not explain the user's intent, identify the initiating process, or prove that a human personally performed the action.
| Reason flag | What it can indicate |
|---|---|
| FILE_CREATE | A file or directory was created as an NTFS object. This does not necessarily mean all content had been written at that moment. |
| FILE_DELETE | The object was deleted or its record was marked for deletion. The filename may remain in the journal even when the file content is unavailable. |
| DATA_EXTEND | The unnamed data stream grew, commonly as data was appended during a download, copy, extraction, or save operation. |
| DATA_OVERWRITE | Existing bytes in the unnamed data stream were overwritten. |
| NAMED_DATA_EXTEND / NAMED_DATA_OVERWRITE | A named stream, such as an alternate data stream, grew or was overwritten. |
| RENAME_OLD_NAME | The journal recorded the object's former name during a rename or move. |
| RENAME_NEW_NAME | The journal recorded the object's new name during a rename or move. |
| BASIC_INFO_CHANGE | Basic metadata or file attributes changed. Additional artifacts are needed to determine precisely what changed. |
| OBJECT_ID_CHANGE / STREAM_CHANGE | The object identifier or stream configuration changed. |
| CLOSE | The file handle associated with the preceding change was closed. Combined records often mark the completion of a write stage. |
Reconstructing a Browser Download
The granularity of the journal becomes apparent when an analyst follows one object through successive records. In the training dataset used for this article, the Chrome browser downloaded Sysinternals SDelete. The journal preserved the sequence from a temporary browser file to the completed ZIP archive.
- Temporary object created. A temporary file was created while the browser received data.
- Partial-download name assigned. The temporary object was renamed to a Chrome
.crdownloadfilename. - Final filename assigned. The partial-download object was renamed to SDelete.zip.
- Data stream extended. Repeated data-extension and stream-change records showed the file growing as additional bytes were written.
- Handle closed. A combined change-and-close record marked completion of a write stage.
The USN Journal established the order and timing of the file-system operations. Correlation with the Master File Table and the Zone.Identifier alternate data stream added provenance: the file was treated as Internet-sourced, with the referring and host URLs preserved in the alternate data stream. No single artifact told the entire story; the journal supplied the sequence, while the MFT and alternate data stream supplied current metadata and download context.
Identifying Archive Extraction
Archive extraction creates a recognizable cluster of file-system events. A directory is created, followed by creation and data-write records for the extracted contents. In the SDelete example, the journal showed creation of the SDelete directory and the extraction of Eula.txt, sdelete.exe, and sdelete64.exe. The event sequence allowed the analyst to determine when the archive was extracted even if the original ZIP or extracted files were later deleted.
This technique is not limited to ZIP files. The same analytical approach can identify files extracted from compound or compressed containers such as 7z archives, application installers, self-extracting executables, and other packages, provided the relevant events remain within the journal's retention window.
Revealing Counter-Forensic Secure Deletion
A secure-deletion utility may remove or overwrite the content so effectively that traditional recovery is impossible. The absence of recoverable content does not mean the activity left no evidence. The USN Journal records metadata changes, and those records may survive the destruction of the target data.
In the controlled SDelete dataset, the version used repeatedly renamed target files using letter-filled names before deletion. Filtering the journal for the corresponding rename pattern exposed the sequence and allowed the analyst to scroll backward to the original filename. Four targets were identified despite the utility's attempt to obliterate them:
- Earthforce SA-26 Thunderbolt Star Fury.docx
- Earth_SA-26_Thunderbolt.jpg
- Eula.txt
- sdelete.exe
The evidentiary conclusion must be stated precisely. The journal showed a sequence consistent with the tested version of SDelete and preserved the prior names. It did not recover the overwritten file contents, and the filename alone does not establish what the content contained. Tool behavior can also change between versions; the pattern should therefore be validated against the specific executable, version, and surrounding artifacts whenever possible.
Reconstructing Recycle Bin Activity
When a user deletes a file through Windows Explorer, NTFS normally moves and renames objects within the user's $Recycle.Bin directory. The Recycle Bin commonly uses paired $R and $I files: the $R object stores the recycled content, while the $I object stores metadata such as the original path and deletion time. If the Recycle Bin is later emptied, those current artifacts may no longer be available, but the journal may still preserve the rename and move events.
By locating RENAME_OLD_NAME and RENAME_NEW_NAME records for the $R objects and examining adjacent entries, the analyst can often recover the original filename, the time it was placed in the Recycle Bin, and, in favorable cases, the original directory. In the training dataset, this method identified previously recycled installers, documents, a BitLocker recovery-key text file, and the SDelete executable.
The method also exposes an important limitation. When the deleted object's MFT record was subsequently reused, a present-time MFT correlation could no longer resolve the historical parent path. The entry number remained the same, but the sequence number had incremented and the current MFT described a different object. Historical path reconstruction required a reverse journal analysis rather than a simple lookup against the current MFT.
Application Execution and Supporting Artifacts
The USN Journal is not an application-execution log, but it can provide powerful corroboration. Windows Prefetch files, application databases, logs, caches, and output files frequently change when a program executes. A journal record showing creation or modification of an application-specific artifact can establish that the artifact changed at a particular point in the journal sequence, even when the current artifact retains only a limited set of internal timestamps.
For example, a creation or modification event involving a Prefetch file may corroborate execution of the associated executable. Journal entries associated with extracted program files, newly created output, temporary files, or deleted staging data can further define what the program did. The analyst should correlate these records with Prefetch metadata, Amcache, Shimcache, event logs, SRUM, browser artifacts, process-creation telemetry, and the executable itself before attributing execution to a particular user or purpose.
A Practical Analysis Workflow
A disciplined workflow reduces the risk that a large journal becomes an unmanageable spreadsheet. The following approach is effective for both casework and incident-response triage.
- Preserve the source artifacts. Acquire the $J stream and the corresponding $MFT from the same volume and forensic point in time. Preserve hashes and document the acquisition method.
- Parse the journal with MFT correlation. Use a parser that retains the raw reference numbers, sequence numbers, reason flags, attributes, and source ordering. Supplying the $MFT allows the tool to resolve many parent paths.
MFTECmd.exe -f "F:\C\$Extend\$J" -m "F:\C\$MFT" --csv "G:\Exercises\USNJ" - Establish the retention window. Identify the oldest and newest available journal timestamps and document any apparent gaps or resets before interpreting the absence of an event.
- Filter around investigative anchors. Begin with known filenames, extensions, directories, executable names, update reasons, or time ranges. Then remove filters and examine the surrounding sequence.
- Follow the complete lifecycle. Trace temporary names, old and new rename records, data-extension events, closure, deletion, and related child objects rather than treating one row as the event.
- Correlate independent artifacts. Compare the journal with the MFT, $I30 directory entries, Zone.Identifier streams, Prefetch, event logs, Recycle Bin metadata, browser databases, link files, jump lists, and application-specific records.
- Reconstruct unresolved paths when justified. If MFT reuse prevents current-path resolution, use entry and sequence numbers and a reverse-processing method to reconstruct historical parent relationships.
py usnjrnl_rewind.py -m "G:\Exercises\USNJ\[DATE]_MFTECmd_$MFT_Output.csv" -u "G:\Exercises\USNJ\[DATE]_MFTECmd_$J_Output.csv" "G:\Exercises\USNJ" - Validate material findings. Confirm critical events manually or with a second independent tool, preserve the filtered and unfiltered views, and distinguish observed records from analytical inference in the report.
Analytical Limitations
The USN Journal is powerful precisely because it is granular, but its limitations are equally important. A defensible analysis should account for each of the following.
- Rolling retention: Older records are discarded. No matching entry does not prove that an event never occurred.
- Metadata, not content: The journal normally preserves names and change metadata, not the bytes that were written, overwritten, or deleted.
- Not a read-access audit: A file can be read without a journal entry if the read causes no tracked change.
- No direct human attribution: The journal records volume activity. It does not identify the person, process, or intent responsible without corroboration.
- Clock dependence: Timestamps reflect the system clock and must be evaluated with time-zone settings, clock-change events, and other temporal evidence.
- Path-resolution gaps: Deleted objects, directory changes, and MFT-record reuse can prevent a current MFT from resolving a historical path.
- Journal reset or deletion: An administrator, utility, operating-system action, or anti-forensic actor can delete or recreate the journal. Journal identifiers and gaps may be significant.
- Parser interpretation: Different tools may label combined reason flags or resolve paths differently. Preserve raw identifiers and validate important rows.
Reporting the Findings
The most credible report separates the system record from the analyst's inference. Instead of writing, "The user downloaded and securely deleted the document," write what the evidence establishes and then explain the correlation:
This formulation is more than cautious wording. It tells the reader which artifact recorded each fact, identifies what was independently corroborated, and clearly marks the point where interpretation begins.
Conclusion
The USN Journal is one of the best examples of why digital investigative analysis must go beyond searching for current files. A file may be gone, its data overwritten, its Recycle Bin emptied, or its MFT record reused, yet the volume may still preserve a detailed sequence of changes that reveals how the activity unfolded.
Its value is greatest when used as part of a correlated analysis. The journal can establish order, timing, filenames, parent relationships, reason flags, and the lifecycle of objects. The MFT can add current metadata and alternate data streams. Prefetch and other execution artifacts can provide program context. Browser and Recycle Bin artifacts can add provenance and user-interface context. Together, these records can transform disconnected rows into a coherent and defensible account.
The central lesson is not that the USN Journal proves everything. It is that the journal often preserves the change history needed to ask better questions, locate additional evidence, test competing explanations, and explain what happened with precision. For the analyst willing to follow the sequence instead of stopping at the filename, the USN Journal can be a forensic powerhouse.
References and Further Reading
- Microsoft Learn: Change Journals, Microsoft overview of NTFS change journals.
- Microsoft Learn: USN_RECORD_V2 structure, record fields and reason-mask structure.
- Microsoft Learn: Creating, Modifying, and Deleting a Change Journal, journal administration and lifecycle.
- Eric Zimmerman: MFTECmd, open-source parser for the NTFS Master File Table and USN Journal.
- Eric Zimmerman: Timeline Explorer, filtering and timeline-analysis utility commonly used with parsed journal output.
Source-material note: The detailed examples in this article were drawn from the author's USN Journal instructional exercises, including the Rocba SDelete and Recycle Bin datasets. Times and filenames are training-scenario values and should not be generalized as universal behavior across all Windows or tool versions.
Author's Note
The views, opinions, and analysis expressed in this article are solely those of the author and do not reflect, represent, or constitute the official position, policy, or endorsement of the author's employer or of any agency or organization with which the author is affiliated. The controlled test described herein was conducted independently for research and educational purposes. Nothing in this article constitutes legal advice or an official statement on behalf of any entity.
This article is intended to encourage validation, critical thinking, and defensible digital investigative analysis. Throughout, observations described as facts reflect artifacts recorded on that system, while statements of forensic implication and professional opinion are identified as such.