ntfs-usnjrnl

Retrieves NTFS USN journal records: the time each event occurred, the file name and path, and the event itself (for example file creation or deletion). You can perform timeline analysis by joining the retrieved records with the MFT file.

Syntax

    ntfs-usnjrnl [zippath=ZIPFILE_PATH] FILE_PATH

Required Parameters

    FILE_PATH
        Path to the USN journal file. If the zippath option is given, this is the path of the journal file inside the ZIP archive.

Optional Parameters

    zippath=ZIPFILE_PATH
        Path to the ZIP file that contains the journal file.

Description

Output Fields

The ntfs-usnjrnl command produces records with the following fields:

    Field            Type      Description
    _time            Date      Time at which the event occurred
    file_name        String    File name
    file_no          Integer   File number
    file_ref         Integer   File reference
    parent_file_no   Integer   Parent file number
    parent_file_ref  Integer   Parent file reference
    reason           List      Event behavior. Refer to Reason Flags.
    usn              Integer   Update sequence number

Reason Flags

For more information, see the document USN_RECORD_V4 structure (winioctl.h): https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v4

    Reason flag            Hex         Description
    BASIC_INFO_CHANGE      0x00008000  One or more file/directory attributes or time stamps have changed.
    CLOSE                  0x80000000  The file or directory is closed.
    COMPRESSION_CHANGE     0x00020000  The compression status has changed (compressed or decompressed).
    DATA_EXTEND            0x00000002  Data has been extended in the default $Data attribute.
    DATA_OVERWRITE         0x00000001  Data has been overwritten in the default $Data attribute.
    DATA_TRUNCATION        0x00000004  Data has been truncated in the default $Data attribute.
    EA_CHANGE              0x00000400  The extended attributes of the file or directory have changed.
    ENCRYPTION_CHANGE      0x00040000  The encryption status has changed (encrypted or decrypted).
    FILE_CREATE            0x00000100  A file or directory has been created for the first time.
    FILE_DELETE            0x00000200  A file or directory has been deleted.
    HARD_LINK_CHANGE       0x00010000  A hard link has been created or deleted.
    INDEXABLE_CHANGE       0x00004000  The index status has changed.
    INTEGRITY_CHANGE       0x00800000  The integrity setting has changed.
    NAMED_DATA_EXTEND      0x00000020  Data has been extended in a named $Data attribute.
    NAMED_DATA_OVERWRITE   0x00000010  Data has been overwritten in a named $Data attribute.
    NAMED_DATA_TRUNCATION  0x00000040  Data has been truncated in a named $Data attribute.
    OBJECT_ID_CHANGE       0x00080000  The object ID has changed.
    RENAME_NEW_NAME        0x00002000  The record carries the new name of a renamed file or directory.
    RENAME_OLD_NAME        0x00001000  The record carries the old name of a renamed file or directory.
    REPARSE_POINT_CHANGE   0x00100000  The reparse point has changed.
    SECURITY_CHANGE        0x00000800  The access permissions have changed.
    STREAM_CHANGE          0x00200000  A named $Data attribute has been added, removed, or renamed.
    TRANSACTED_CHANGE      0x00400000  The given stream was modified through a committed TxF transaction.

Usage

  1. Retrieve by providing the file path.

    ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl
    
  2. Retrieve when the zippath option is provided.

    ntfs-usnjrnl zippath=/opt/logpresso/testdata/NTFS.zip NTFS/test_UsnJrnl
    
  3. Load the deletion history of executable files.

    ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl
    | search file_name == "*.exe" and string(reason) == "*DELETE*"
    
  4. Analyze the timeline by joining with the MFT file.

    ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl
    | streamjoin type=left file_no [
        ntfs-mft /opt/logpresso/testdata/ntfs/test_MFT
        | rename no as file_no
        | fields file_no, file_path, in_use, is_dir
    ]
    | eval reason = strjoin(" | ", reason)
    | fields _time, file_path, reason, in_use, is_dir
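The reason bit mask from the Reason Flags table and the filter in usage example 3, as an added Python example that is not part of Logpresso or this page: it parses a constructed USN_RECORD_V2 record (the 60-byte fixed header followed by a UTF-16LE name, not the V4 layout linked above), splits the 64-bit file reference into its 48-bit MFT entry number and 16-bit sequence number, decodes the reason mask into flag names, and applies the deleted-executable filter. Field names mirror the command's output where one exists; file_seq, the sample record and the function names are this example's own assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason bit values as listed in the Reason Flags table above.
REASON_FLAGS = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND",
    0x40: "NAMED_DATA_TRUNCATION", 0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
    0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE", 0x1000: "RENAME_OLD_NAME",
    0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE", 0x8000: "BASIC_INFO_CHANGE",
    0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE",
    0x100000: "REPARSE_POINT_CHANGE", 0x200000: "STREAM_CHANGE",
    0x400000: "TRANSACTED_CHANGE", 0x800000: "INTEGRITY_CHANGE", 0x80000000: "CLOSE",
}
# USN_RECORD_V2 fixed header is 60 bytes little-endian; the UTF-16LE name follows.
_V2 = struct.Struct("<IHHQQqqIIIIHH")

def decode_reason(reason: int) -> list:
    """Expand the 32-bit reason mask into its flag names, lowest bit first."""
    return [name for bit, name in sorted(REASON_FLAGS.items()) if reason & bit]

def parse_usn_record_v2(buf: bytes) -> dict:
    """Parse one V2 record into fields shaped like the command's output."""
    (_, major, _, file_ref, parent_ref, usn, filetime, reason,
     _, _, _, name_len, name_off) = _V2.unpack_from(buf)
    if major != 2: raise ValueError("only USN_RECORD_V2 is handled here")
    return {
        # FILETIME counts 100-ns ticks since 1601-01-01 UTC.
        "_time": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10),
        "usn": usn,
        "file_name": buf[name_off:name_off + name_len].decode("utf-16-le"),
        "file_no": file_ref & 0xFFFFFFFFFFFF,      # low 48 bits: MFT entry number
        "file_seq": file_ref >> 48,                 # high 16 bits: sequence number
        "parent_file_no": parent_ref & 0xFFFFFFFFFFFF,
        "reason": decode_reason(reason),
    }

def build_record_v2(file_ref, parent_ref, usn, filetime, reason, name) -> bytes:
    """Constructed sample record for offline testing (not real journal data)."""
    name_b = name.encode("utf-16-le")
    length = (60 + len(name_b) + 7) & ~7            # records are 8-byte aligned
    hdr = _V2.pack(length, 2, 0, file_ref, parent_ref, usn, filetime, reason,
                   0, 0, 0x20, len(name_b), 60)
    return (hdr + name_b).ljust(length, b"\0")

def deleted_executables(records) -> list:
    """Usage example 3 in code: *.exe names whose record carries FILE_DELETE."""
    return [r["file_name"] for r in records
            if r["file_name"].lower().endswith(".exe") and "FILE_DELETE" in r["reason"]]
```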