ntfs-usnjrnl

Retrieves operational information from the NTFS USN change journal, such as the time of the event, the file path and name, and file creation or deletion. You can analyze the timeline by joining the retrieved data with the MFT file.

Syntax

ntfs-usnjrnl [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
FILE_PATH
Path to the USNJRNL journal file. Using a wildcard (*) in the file name, you can retrieve all files whose names contain a specific string pattern (e.g. D:\data\NTFS\*). If the zippath option is provided, specify the path of the USNJRNL journal file inside the ZIP file.
Optional Parameter
zipcharset=CHARSET
Character set used to decode ZIP entry names and comments that are not UTF-8 encoded (default: utf-8). Use the preferred MIME name or an alias registered in the following document: http://www.iana.org/assignments/character-sets/character-sets.xhtml
zippath=ZIPFILE_PATH
Path to the ZIP file

Description

Output Fields

The output fields are as follows:

Field           | Type    | Description
_time           | Date    | Time at which the event occurred
file_name       | String  | File name
file_no         | Integer | File number
file_ref        | Integer | File reference
parent_file_no  | Integer | Parent file number
parent_file_ref | Integer | Parent file reference
reason          | List    | Event behavior. Refer to Reason Flags.
usn             | Integer | Update sequence number
Reason Flags

For more information, see the USN_RECORD_V3 structure (winioctl.h) documentation: https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v2

Reason flag           | Hex        | Description
DATA_OVERWRITE        | 0x00000001 | Data has been overwritten on the default $DATA attribute.
DATA_EXTEND           | 0x00000002 | Data has been added to the default $DATA attribute.
DATA_TRUNCATION       | 0x00000004 | Data has been truncated on the default $DATA attribute.
NAMED_DATA_OVERWRITE  | 0x00000010 | Data has been overwritten on a named $DATA attribute.
NAMED_DATA_EXTEND     | 0x00000020 | Data has been added to a named $DATA attribute.
NAMED_DATA_TRUNCATION | 0x00000040 | Data has been truncated on a named $DATA attribute.
FILE_CREATE           | 0x00000100 | The file or directory has been created for the first time.
FILE_DELETE           | 0x00000200 | The file or directory has been deleted.
EA_CHANGE             | 0x00000400 | The extended attributes of the file or directory have changed.
SECURITY_CHANGE       | 0x00000800 | The access permissions have been changed.
RENAME_OLD_NAME       | 0x00001000 | The old name when the file or directory is renamed.
RENAME_NEW_NAME       | 0x00002000 | The new name when the file or directory is renamed.
INDEXABLE_CHANGE      | 0x00004000 | The index status has been changed.
BASIC_INFO_CHANGE     | 0x00008000 | One or more file/directory attributes or time stamps have been changed.
HARD_LINK_CHANGE      | 0x00010000 | A hard link has been created or removed.
COMPRESSION_CHANGE    | 0x00020000 | The compression status has been changed (compressed or decompressed).
ENCRYPTION_CHANGE     | 0x00040000 | The encryption status has been changed (encrypted or decrypted).
OBJECT_ID_CHANGE      | 0x00080000 | The object ID has been changed.
REPARSE_POINT_CHANGE  | 0x00100000 | The reparse point has been changed.
STREAM_CHANGE         | 0x00200000 | A named $DATA attribute has been added, removed, or renamed.
TRANSACTED_CHANGE     | 0x00400000 | The given stream was modified through a committed TxF transaction.
INTEGRITY_CHANGE      | 0x00800000 | The integrity setting has been changed.
CLOSE                 | 0x80000000 | The file or directory has been closed.

Usage

  1. Retrieve information by providing the file path.

    ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl

  2. Retrieve information when the zippath option is provided.

    ntfs-usnjrnl zippath=D:\data\NTFS.zip NTFS\test_UsnJrnl

  3. Load the deletion history of executable files.

    ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl
    | search file_name == "*.exe" and string(reason) == "*DELETE*"

  4. Analyze the timeline by joining with the NTFS MFT file.

    ntfs-usnjrnl D:\data\NTFS\test_UsnJrnl
    | streamjoin type=left file_no [ ntfs-mft D:\data\NTFS\test_MFT | rename no as file_no | fields file_no, file_path, in_use, is_dir ]
    | eval reason = strjoin(" | ", reason)
    | fields _time, file_path, reason, in_use, is_dir
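The following is an added example, not part of the ntfs-usnjrnl documentation or the command's own implementation: it shows how the raw USN reason bitmask expands into the flag names from the Reason Flags table above (the list that the reason field carries), and applies the same deleted-executable filter as usage example 3 to constructed sample records. The record dictionaries and their values are constructed for illustration only.

```python
# Reason flag values exactly as listed in the Reason Flags table (USN_RECORD reason member).
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE",
    0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}


def decode_reason(mask: int) -> list[str]:
    """Expand a USN reason bitmask into its flag names, lowest bit first.

    Bits not in the table are reported as UNKNOWN_0x... rather than dropped,
    so a journal from a newer Windows build never silently loses information.
    """
    names = [name for bit, name in sorted(REASON_FLAGS.items()) if mask & bit]
    unknown = mask & ~sum(REASON_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


# Constructed sample records (not real journal data), keyed like the output fields above.
SAMPLE_RECORDS = [
    {"usn": 1, "file_name": "setup.exe", "reason": 0x80000200},  # FILE_DELETE | CLOSE
    {"usn": 2, "file_name": "notes.txt", "reason": 0x80000200},  # FILE_DELETE | CLOSE
    {"usn": 3, "file_name": "tool.exe", "reason": 0x80000102},   # DATA_EXTEND | FILE_CREATE | CLOSE
]


def deleted_executables(records: list[dict]) -> list[str]:
    """Same filter as usage example 3: file_name == "*.exe" and string(reason) == "*DELETE*"."""
    return [r["file_name"] for r in records
            if r["file_name"].lower().endswith(".exe")
            and any("DELETE" in flag for flag in decode_reason(r["reason"]))]
```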