Retrieves operational information from the USN journal, such as the time at which an event occurred, the file path and name, and file creation or deletion. You can analyze the timeline by joining the retrieved data with the MFT file.
- Path to the USNJRNL journal file. Using a wildcard (*) in the file name, you can retrieve all files whose names contain a specific string pattern (e.g. D:\data\NTFS\*). If you provide the zippath option, enter the path of the USNJRNL journal file inside the ZIP file.
- Character set used to decode ZIP entry names and comments that are not UTF-8 encoded (default: utf-8). Use the preferred MIME name or an alias registered in the following document: http://www.iana.org/assignments/character-sets/character-sets.xhtml
- Path to the ZIP file.
The output fields are as follows:

| Field | Type | Description |
|---|---|---|
| _time | Date | Time at which the event occurred |
| parent_file_no | Integer | Parent file number |
| parent_file_ref | Integer | Parent file reference |
| reason | List | Event behavior. Refer to Reason Flags. |
| usn | Integer | Update sequence number |
For more information, see the document USN_RECORD_V3 structure (winioctl.h): https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v2
The reason flags are as follows:
- Data has been overwritten on the default $DATA attribute.
- Data has been added to the default $DATA attribute.
- Data has been truncated on the default $DATA attribute.
- Data has been overwritten on the named default $DATA attribute.
- Data has been added to the named default $DATA attribute.
- Data has been truncated on the named default $DATA attribute.
- The file or directory has been created for the first time.
- The file or directory is deleted.
- The extended attributes of the file or directory have changed.
- The access permission has been changed.
- The old name when the file or directory is renamed.
- The new name when the file or directory is renamed.
- The index status has been changed.
- One or more file/directory attributes or time stamps have been changed.
- A hard link has been created or removed.
- The compression status has been changed (compressed or decompressed).
- The encryption status has been changed (encrypted or decrypted).
- The object ID has been changed.
- The reparse point has been changed.
- An attribute of the named $DATA has been added, removed, or renamed.
- The given stream is modified through a committed TxF transaction.
- The integrity setting has been changed.
- The file or directory is closed.
Retrieve information by providing the file path.
Retrieve information when the zippath option is provided.
ntfs-usnjrnl zippath=D:\data\NTFS.zip NTFS\test_UsnJrnl
Load the deletion history of executable files.
ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl | search file_name == "*.exe" and string(reason) == "*DELETE*"
Analyze the timeline by joining with the NTFS MFT file.
ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl | streamjoin type=left file_no [ ntfs-mft D:\data\NTFS\test_MFT | rename no as file_no | fields file_no, file_path, in_use, is_dir ] | eval reason = strjoin(" | ", reason) | fields _time, file_path, reason, in_use, is_dir
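To show what the command decodes before the search and join steps above, here is an added Python parser for raw USN_RECORD_V2 entries (the record layout linked above); it is example code, not the product's own implementation. It assumes version 2 records, that the low 48 bits of each file reference are the MFT entry number used as the file_no join key (mapping them to the page's parent_file_no/parent_file_ref names is an assumption), and it applies the same "*.exe" / "*DELETE*" filter as the deletion-history query; the sample records are constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone
# USN_REASON_* bit values (winioctl.h), in the order of the reason flag list above.
REASON_FLAGS = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x400000: "TRANSACTED_CHANGE", 0x800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
# USN_RECORD_V2 fixed part, 60 bytes little-endian: RecordLength, Major, Minor, FileRef,
# ParentFileRef, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, NameLen, NameOff
HDR, HDR_LEN = "<IHHQQqqIIIIHH", 60

def filetime_to_dt(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_records(buf):
    """Parse consecutive V2 records from a $UsnJrnl:$J slice, skipping zeroed gaps."""
    off, out = 0, []
    while off + HDR_LEN <= len(buf):
        rec_len, major, _, fref, pref, usn, ts, reason, _, _, _, nlen, noff = \
            struct.unpack_from(HDR, buf, off)
        if rec_len == 0:          # sparse/zero-filled gap: records are 8-byte aligned
            off += 8
            continue
        if major != 2 or rec_len < HDR_LEN or off + rec_len > len(buf):
            raise ValueError(f"malformed USN record at offset {off}")
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le")
        out.append({"_time": filetime_to_dt(ts), "usn": usn, "file_name": name,
                    "file_no": fref & 0xFFFFFFFFFFFF,  # low 48 bits = MFT entry number (join key)
                    "parent_file_no": pref & 0xFFFFFFFFFFFF, "parent_file_ref": pref,
                    "reason": [n for bit, n in REASON_FLAGS.items() if reason & bit]})
        off += rec_len
    return out

def build_record(file_no, parent_no, usn, ft, reason, name):
    # Constructed sample record (sequence number 1 in the high 16 bits) for offline testing.
    nb = name.encode("utf-16-le")
    rec_len = (HDR_LEN + len(nb) + 7) & ~7
    hdr = struct.pack(HDR, rec_len, 2, 0, (1 << 48) | file_no, (1 << 48) | parent_no,
                      usn, ft, reason, 0, 0, 0x20, len(nb), HDR_LEN)
    return hdr + nb + b"\0" * (rec_len - HDR_LEN - len(nb))

def deleted_executables(records):
    # Same filter as the query above: file_name == "*.exe" and string(reason) == "*DELETE*"
    return [r for r in records if r["file_name"].lower().endswith(".exe")
            and any("DELETE" in f for f in r["reason"])]
```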