Retrieves file-system activity from the NTFS change journal (USN journal): the time of each event, the file name and reference, and the kind of change (creation, deletion, rename, data write, and so on). Because the journal records only the file name and MFT reference, not the full path, you can build a timeline with paths by joining the retrieved data with the MFT file on the file number.


ntfs-usnjrnl [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH

Required Parameter

FILE_PATH
    Path to the USNJRNL journal file ($UsnJrnl:$J). Using a wildcard (*) in the file name, you can retrieve all files whose name matches a specific string pattern (e.g. D:\data\NTFS\*). If the zippath option is given, FILE_PATH is the path of the journal file inside the ZIP file.

Optional Parameter

zipcharset=CHARSET
    Character set used to decode ZIP entry names and comments that are not UTF-8 encoded (default: utf-8). Use the preferred MIME name or an alias registered in the IANA character set registry: http://www.iana.org/assignments/character-sets/character-sets.xhtml

zippath=ZIPFILE_PATH
    Path to the ZIP file that contains the journal file.


Output Fields

The output fields are as follows:

Name               Type      Description
_time              Date      Time at which the event occurred
file_name          String    File name (the journal stores the name only, not the full path)
file_no            Integer   File number (MFT entry index)
file_ref           Integer   File reference
parent_file_no     Integer   Parent file number (MFT entry index of the parent directory)
parent_file_ref    Integer   Parent file reference
reason             List      Event behavior. Refer to Reason Flags.
usn                Integer   Update sequence number
Reason Flags

For more information, see the Microsoft document on the USN_RECORD_V2 structure (winioctl.h): https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v2

Reason flag              Hex           Description
DATA_OVERWRITE           0x00000001    Data has been overwritten on the default $DATA attribute.
DATA_EXTEND              0x00000002    Data has been added to the default $DATA attribute.
DATA_TRUNCATION          0x00000004    Data has been truncated on the default $DATA attribute.
NAMED_DATA_OVERWRITE     0x00000010    Data has been overwritten on a named $DATA attribute (alternate data stream).
NAMED_DATA_EXTEND        0x00000020    Data has been added to a named $DATA attribute.
NAMED_DATA_TRUNCATION    0x00000040    Data has been truncated on a named $DATA attribute.
FILE_CREATE              0x00000100    The file or directory has been created for the first time.
FILE_DELETE              0x00000200    The file or directory has been deleted.
EA_CHANGE                0x00000400    The extended attributes of the file or directory have changed.
SECURITY_CHANGE          0x00000800    The access permissions (security descriptor) have been changed.
RENAME_OLD_NAME          0x00001000    The record carries the old name of a renamed file or directory.
RENAME_NEW_NAME          0x00002000    The record carries the new name of a renamed file or directory.
INDEXABLE_CHANGE         0x00004000    The content-indexing status has been changed.
BASIC_INFO_CHANGE        0x00008000    One or more file/directory attributes or time stamps have been changed.
HARD_LINK_CHANGE         0x00010000    A hard link has been created or removed.
COMPRESSION_CHANGE       0x00020000    The compression status has been changed (compressed or decompressed).
ENCRYPTION_CHANGE        0x00040000    The encryption status has been changed (encrypted or decrypted).
OBJECT_ID_CHANGE         0x00080000    The object ID has been changed.
REPARSE_POINT_CHANGE     0x00100000    The reparse point has been changed.
STREAM_CHANGE            0x00200000    A named $DATA attribute has been added, removed, or renamed.
TRANSACTED_CHANGE        0x00400000    The given stream was modified through a committed TxF transaction.
INTEGRITY_CHANGE         0x00800000    The integrity setting has been changed.
CLOSE                    0x80000000    The file or directory has been closed.

Several flags are usually set at once in a single record (for example FILE_DELETE together with CLOSE), which is why reason is a list. A rename produces two records for the same file, one with RENAME_OLD_NAME and one with RENAME_NEW_NAME.


  1. Retrieve information by providing the file path.

    ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl
  2. Retrieve information when the zippath option is provided.

    ntfs-usnjrnl zippath=D:\data\NTFS.zip NTFS\test_UsnJrnl
  3. Load the deletion history of executable files.

    ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl
    | search file_name == "*.exe" and string(reason) == "*DELETE*"
  4. Analyze the timeline by joining with the NTFS MFT file.

    ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl
    | streamjoin type=left file_no [ ntfs-mft D:\data\NTFS\test_MFT | rename no as file_no | fields file_no, file_path, in_use, is_dir ]
    | eval reason = strjoin(" | ", reason)
    | fields _time, file_path, reason, in_use, is_dir
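What the command does with each record, carried through to the filter of example 3 and the join of example 4, as an added Python example (this is not Logpresso's code and not part of the original page). It parses raw USN_RECORD_V2 entries by the layout in the Microsoft document cited under Reason Flags, decodes the reason bits with the table above, and then performs the same "deleted .exe" filter and the same left join on file_no against MFT data. Assumptions: file_no is taken to be the low 48 bits of the 64-bit file reference (the MFT entry index) and file_ref the full value, which is how NTFS builds references but not something the page states; the journal bytes and the MFT rows are constructed here, not captured from a volume; and the seq_match column is an extra check that the page's query does not perform.

```python
"""Parse USN_RECORD_V2 journal entries and decode reason flags (added example, not Logpresso's code).
Record layout per Microsoft's USN_RECORD_V2 documentation; output keys mirror the ntfs-usnjrnl fields.
Assumption: file_no = low 48 bits of the file reference (MFT entry index), file_ref = full 64-bit value.
All input below is constructed, not captured from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

# Reason flag bits from USN_RECORD_V2 (winioctl.h), in the order of the table on this page.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE", 0x00400000: "TRANSACTED_CHANGE",
    0x00800000: "INTEGRITY_CHANGE", 0x80000000: "CLOSE",
}
KNOWN_MASK = 0
for _bit in REASON_FLAGS:
    KNOWN_MASK |= _bit

# Fixed 60-byte header, little-endian: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_MASK = (1 << 48) - 1   # low 48 bits of a file reference = MFT entry index (assumed = file_no)

def decode_reason(reason):
    """Flag names set in a Reason DWORD; unknown bits are kept as hex so nothing is silently dropped."""
    names = [name for bit, name in REASON_FLAGS.items() if reason & bit]
    unknown = reason & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append(f"0x{unknown:08X}")
    return names

def filetime_to_datetime(ft):          # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(when):
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_usn_records(buf):
    """Yield one dict per record, shaped like the ntfs-usnjrnl output fields."""
    off = 0
    while off + HDR.size <= len(buf):
        (rec_len, major, minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = HDR.unpack_from(buf, off)
        if rec_len == 0:               # zero fill between journal pages: step to the next 8-byte slot
            off += 8
            continue
        if major != 2 or rec_len < HDR.size or off + rec_len > len(buf):
            raise ValueError(f"bad USN record at offset {off}: version {major}.{minor}, length {rec_len}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"_time": filetime_to_datetime(ts), "file_name": name,
               "file_no": file_ref & ENTRY_MASK, "file_ref": file_ref,
               "parent_file_no": parent_ref & ENTRY_MASK, "parent_file_ref": parent_ref,
               "reason": decode_reason(reason), "usn": usn}
        off += rec_len

def build_record(usn, file_ref, parent_ref, ft, reason, name):
    """Serialize one V2 record; records are padded to an 8-byte boundary as on disk."""
    name_b = name.encode("utf-16-le")
    rec_len = (HDR.size + len(name_b) + 7) & ~7
    hdr = HDR.pack(rec_len, 2, 0, file_ref, parent_ref, usn, ft, reason, 0, 0, 0x20, len(name_b), HDR.size)
    return hdr + name_b + b"\0" * (rec_len - HDR.size - len(name_b))

def build_journal(events):
    """Constructed $J buffer; as on a real volume, each record's USN is its byte offset in the journal."""
    buf = bytearray()
    for file_ref, parent_ref, when, reason, name in events:
        buf += build_record(len(buf), file_ref, parent_ref, to_filetime(when), reason, name)
    return bytes(buf)

T0 = datetime(2024, 5, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [   # constructed (file_ref, parent_ref, time, reason, name); high 16 bits = sequence number
    ((3 << 48) | 42, (5 << 48) | 5, T0, 0x80000100, "dropper.exe"),                         # FILE_CREATE|CLOSE
    ((3 << 48) | 42, (5 << 48) | 5, T0 + timedelta(seconds=2), 0x80000002, "dropper.exe"),  # DATA_EXTEND|CLOSE
    ((3 << 48) | 42, (5 << 48) | 5, T0 + timedelta(minutes=7), 0x80000200, "dropper.exe"),  # FILE_DELETE|CLOSE
    ((8 << 48) | 44, (5 << 48) | 5, T0 + timedelta(minutes=9), 0x80000200, "old.tmp"),      # slot 44 later reused
    ((1 << 48) | 77, (5 << 48) | 5, T0 + timedelta(minutes=10), 0x80000200, "gone.dat"),    # no MFT row at all
]
SAMPLE_MFT = {   # constructed stand-in for the ntfs-mft side of the join; seq = MFT record sequence number
    42: {"file_path": r"C:\Users\bob\Downloads\dropper.exe", "in_use": False, "is_dir": False, "seq": 3},
    44: {"file_path": r"C:\Users\bob\report.docx", "in_use": True, "is_dir": False, "seq": 9},
}

def parse_sample():
    return list(parse_usn_records(build_journal(SAMPLE_EVENTS)))

def deleted_executables(records):
    """Example 3 of the page: deleted files whose name ends in .exe."""
    return [r for r in records if r["file_name"].lower().endswith(".exe") and "FILE_DELETE" in r["reason"]]

def timeline(records, mft):
    """Example 4 of the page as a left join on file_no, plus seq_match: the journal's sequence number
    (high 16 bits of file_ref) compared with the MFT entry's. False means the MFT slot was reused
    after the event, so the joined path belongs to a later file and must not be trusted."""
    rows = []
    for r in sorted(records, key=lambda r: r["usn"]):
        m = mft.get(r["file_no"]) or {}
        rows.append({"_time": r["_time"], "file_path": m.get("file_path"),
                     "reason": " | ".join(r["reason"]), "in_use": m.get("in_use"), "is_dir": m.get("is_dir"),
                     "seq_match": (m["seq"] == r["file_ref"] >> 48) if m else None})
    return rows

if __name__ == "__main__":
    recs = parse_sample()
    print("deleted executables:", [(r["_time"].isoformat(), r["file_name"], r["usn"]) for r in deleted_executables(recs)])
    for row in timeline(recs, SAMPLE_MFT):
        print(row)
```

The seq_match column is the caveat to keep in mind when reading the output of example 4: MFT entry numbers are recycled, so a journal record whose file_no matches a live MFT entry may describe a file that occupied that slot earlier. The streamjoin in example 4 matches on file_no alone; comparing the sequence number in file_ref against the MFT record's sequence number tells the two cases apart.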