Retrieves operational information from the NTFS USN journal, such as the time each event occurred, the file path and name, and whether a file was created or deleted. You can perform timeline analysis by joining the retrieved records with the MFT file.
- Path to the USNJRNL journal file (positional). If the `zippath` option is provided, enter the path of the journal file inside the ZIP archive.
- `zippath`: Path to the ZIP file that contains the journal.
After running the `ntfs-usnjrnl` command, the output fields are as follows:

| Field | Type | Description |
|---|---|---|
| _time | Date | Time at which the event occurred |
| parent_file_no | Integer | Parent file number |
| parent_file_ref | Integer | Parent file reference |
| reason | List | Event behavior. Refer to Reason Flags. |
| usn | Integer | Update sequence number |
The `reason` field holds the flags listed below. For more information, see the document USN_RECORD_V4 structure (winioctl.h): https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v4

| Flag | Description |
|---|---|
| 0x00008000 | One or more file/directory attributes or time stamps have been changed. |
| 0x80000000 | The file or directory is closed. |
| 0x00020000 | The compression status has been changed (compressed or decompressed). |
| 0x00000002 | Data has been extended to the default $Data attribute. |
| 0x00000001 | Data has been overwritten on the default $Data attribute. |
| 0x00000004 | Data has been truncated on the default $Data attribute. |
| 0x00000400 | The extended attributes of the file or directory have changed. |
| 0x00040000 | The encryption status has been changed (encrypted or decrypted). |
| 0x00000100 | A file or directory has been created for the first time. |
| 0x00000200 | A file or directory has been deleted. |
| 0x00010000 | A hard link has been created or deleted. |
| 0x00004000 | The index status has been changed. |
| 0x00800000 | The integrity setting has been changed. |
| 0x00000020 | Data has been extended to a named $Data attribute. |
| 0x00000010 | Data has been overwritten on a named $Data attribute. |
| 0x00000040 | Data has been truncated on a named $Data attribute. |
| 0x00080000 | The object ID has been changed. |
| 0x00002000 | The new name when the file or directory is renamed. |
| 0x00001000 | The old name when the file or directory is renamed. |
| 0x00100000 | The reparse point has been changed. |
| 0x00000800 | The access permissions have been changed. |
| 0x00200000 | A named $Data attribute has been added, removed, or renamed. |
| 0x00400000 | The given stream is modified through a committed TxF transaction. |
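The output fields and reason flags above correspond directly to the on-disk journal record. As an added example (not code from the Logpresso documentation or from the `ntfs-usnjrnl` implementation), the following Python parses the USN_RECORD_V2 layout that the journal's $J stream stores, splits each 64-bit file reference into the 48-bit MFT entry number and 16-bit sequence number (the page's `parent_file_no` / `parent_file_ref` pair), converts the FILETIME stamp to `_time`, and expands the reason bitmask into the USN_REASON_* names from winioctl.h. The sample journal bytes, the file name and the numbers in them are constructed for the example; the V4 record layout the page links to (which adds extent information) is not handled and is rejected by version check.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason bit values and their USN_REASON_* names from winioctl.h.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed 60-byte head of USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")


def decode_reason(mask):
    """Expand a reason bitmask into flag names, lowest bit first; keep unknown bits visible."""
    names = [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]
    unknown = mask & ~sum(USN_REASONS)        # keys are distinct bits, so sum == OR
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def split_file_ref(ref):
    """An NTFS file reference is a 48-bit MFT entry number plus a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_v2_record(buf, offset):
    """Parse one USN_RECORD_V2 at `offset`; returns (record dict, record length)."""
    (length, major, minor, file_ref, parent_ref, usn, ts, reason, _source,
     _sid, _attrs, name_len, name_off) = V2_HEADER.unpack_from(buf, offset)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}.{minor}")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    file_no, _ = split_file_ref(file_ref)
    parent_no, _ = split_file_ref(parent_ref)
    return {"_time": filetime_to_datetime(ts), "usn": usn,
            "file_no": file_no, "file_ref": file_ref,
            "parent_file_no": parent_no, "parent_file_ref": parent_ref,
            "file_name": name, "reason": decode_reason(reason)}, length


def parse_journal(buf):
    """Walk a buffer of consecutive V2 records, stepping over zeroed (sparse) regions."""
    records, offset = [], 0
    while offset + V2_HEADER.size <= len(buf):
        length = struct.unpack_from("<I", buf, offset)[0]
        if length == 0:                       # padding: advance to the next 8-byte slot
            offset += 8
            continue
        if length < V2_HEADER.size or offset + length > len(buf):
            raise ValueError(f"corrupt record length {length} at offset {offset}")
        record, _ = parse_v2_record(buf, offset)
        records.append(record)
        offset += length
    return records


def build_v2_record(file_ref, parent_ref, usn, filetime, reason, name):
    """Construct a sample USN_RECORD_V2 image (test data, not taken from a real volume)."""
    name_bytes = name.encode("utf-16-le")
    length = V2_HEADER.size + len(name_bytes)
    length += (-length) % 8                   # records are 8-byte aligned
    head = V2_HEADER.pack(length, 2, 0, file_ref, parent_ref, usn, filetime,
                          reason, 0, 0, 0x20, len(name_bytes), V2_HEADER.size)
    return head + name_bytes + bytes(length - len(head) - len(name_bytes))


# Constructed sample journal: 8 bytes of padding, then a create and a delete of one file
# in MFT entry 1234 (sequence 5) whose parent is entry 5 (sequence 2).
FT_2021 = 132539328000000000                  # FILETIME for 2021-01-01 00:00:00 UTC
SAMPLE_JOURNAL = bytes(8) + build_v2_record(
    (5 << 48) | 1234, (2 << 48) | 5, 4096, FT_2021, 0x80000102, "update.exe"
) + build_v2_record(
    (5 << 48) | 1234, (2 << 48) | 5, 4184, FT_2021 + 600 * 10_000_000, 0x80000200, "update.exe"
)

if __name__ == "__main__":
    for r in parse_journal(SAMPLE_JOURNAL):
        print(r["_time"].isoformat(), r["file_no"], r["file_name"], " | ".join(r["reason"]))
```

The parser keeps the full `file_ref` alongside `file_no` because MFT entry numbers are reused after deletion; the sequence number in the high 16 bits is what tells a journal event apart from a later file that landed in the same entry.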
Retrieve by providing the file path.

Retrieve when the `zippath` option is provided:

```
ntfs-usnjrnl zippath=/opt/logpresso/testdata/NTFS.zip NTFS/test_UsnJrnl
```

List the deletion history of executable files:

```
ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl | search file_name == "*.exe" and string(reason) == "*DELETE*"
```

Analyze the timeline by joining with the MFT file:

```
ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl | streamjoin type=left file_no [ ntfs-mft /opt/logpresso/testdata/ntfs/test_MFT | rename no as file_no | fields file_no, file_path, in_use, is_dir ] | eval reason = strjoin(" | ", reason) | fields _time, file_path, reason, in_use, is_dir
```
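The last two queries, the `*.exe` / `*DELETE*` search and the left join against the MFT, expressed in Python as an added example (not code from Logpresso or from this page). The journal and MFT rows are constructed inline in the shape of the command outputs described above (`reason` already decoded to a list, MFT `no` already renamed to `file_no`); `search_deleted_executables` and `build_timeline` are names chosen for this example.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def at(hh, mm):
    """Constructed event time on 2021-01-01 UTC."""
    return datetime(2021, 1, 1, hh, mm, tzinfo=timezone.utc)


# Constructed rows shaped like ntfs-usnjrnl output.
USN_ROWS = [
    {"_time": at(9, 0), "file_no": 1234, "file_name": "update.exe", "reason": ["FILE_CREATE", "CLOSE"]},
    {"_time": at(9, 5), "file_no": 1234, "file_name": "update.exe", "reason": ["FILE_DELETE", "CLOSE"]},
    {"_time": at(9, 2), "file_no": 77, "file_name": "notes.txt", "reason": ["DATA_EXTEND", "CLOSE"]},
]

# Constructed rows shaped like ntfs-mft output after `rename no as file_no`.
# Entry 1234 is no longer in use because the file was deleted; entry 77 is absent.
MFT_ROWS = [
    {"file_no": 1234, "file_path": "\\Users\\alice\\Downloads\\update.exe", "in_use": False, "is_dir": False},
    {"file_no": 5, "file_path": "\\Users\\alice\\Downloads", "in_use": True, "is_dir": True},
]


def search_deleted_executables(rows, name_glob="*.exe", reason_glob="*DELETE*"):
    """Equivalent of: search file_name == "*.exe" and string(reason) == "*DELETE*"
    (case-sensitive globs here; string(reason) is modelled as the " | "-joined list)."""
    return [r for r in rows
            if fnmatchcase(r["file_name"], name_glob)
            and fnmatchcase(" | ".join(r["reason"]), reason_glob)]


def build_timeline(usn_rows, mft_rows):
    """Left-join journal rows to MFT rows on file_no, flatten reason, and sort by time.
    Journal rows without an MFT match are kept with None in the MFT-derived fields."""
    by_no = {m["file_no"]: m for m in mft_rows}
    timeline = []
    for u in usn_rows:
        m = by_no.get(u["file_no"])
        timeline.append({
            "_time": u["_time"],
            "file_path": m["file_path"] if m else None,
            "reason": " | ".join(u["reason"]),
            "in_use": m["in_use"] if m else None,
            "is_dir": m["is_dir"] if m else None,
        })
    return sorted(timeline, key=lambda r: r["_time"])


if __name__ == "__main__":
    for row in build_timeline(USN_ROWS, MFT_ROWS):
        print(row["_time"].isoformat(), row["file_path"], row["reason"], row["in_use"])
```

Joining on the file number alone, as the query does, is enough to recover the path of a deleted file while its MFT entry is still unreused, but the entry number can later be handed to an unrelated file; when the MFT output also exposes the sequence number, compare it with the sequence part of the journal's file reference before trusting a path for old events.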