Retrieves change-journal records from an NTFS USN journal ($UsnJrnl) file: the time of each event, the file name, the MFT entry numbers of the file and of its parent directory, and the operation recorded (creation, deletion, rename, data write, attribute change, and so on). A journal record carries only the file name, not the full path; join the output with the ntfs-mft command on the MFT entry number to recover paths and build a file-system timeline.


Syntax

ntfs-usnjrnl [zippath=ZIPFILE_PATH] FILE_PATH

Required Parameters

FILE_PATH
  Path to the USN journal file (the $J data stream of $Extend\$UsnJrnl, as exported from the volume by a forensic tool). If the zippath option is given, this is the path of the entry inside the ZIP file.

Optional Parameters

zippath=ZIPFILE_PATH
  Path to a ZIP file that contains the journal file.


Output Fields

The ntfs-usnjrnl command outputs the following fields:

Field            Type      Description
_time            DateTime  Date and time at which the event occurred (the record time stamp)
file_name        String    Name of the file or directory (name only, without path)
file_no          Integer   MFT entry number of the file or directory; join key for the no field of ntfs-mft
file_ref         Integer   File reference number (MFT entry number combined with its sequence number)
parent_file_no   Integer   MFT entry number of the parent directory
parent_file_ref  Integer   File reference number of the parent directory
reason           List      Operations recorded for the file, as a list of flag names. Refer to Reason Flags.
usn              Integer   Update sequence number, which is the byte offset of the record in the journal
Reason Flags

For more information, see the document USN_RECORD_V4 structure (winioctl.h): https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v4

NTFS accumulates reason flags while a file is open: a new record is written each time a reason is added, and the flags already set are carried forward until the final record, which adds CLOSE. The reason list of one record therefore usually holds several flags (for example FILE_DELETE together with CLOSE), so match on the flag name rather than on the whole list. The journal is also bounded by its maximum size and discards its oldest records, so events older than the first surviving USN cannot be recovered from it.

Reason flag             Hex         Description
BASIC_INFO_CHANGE       0x00008000  One or more file or directory attributes (read-only, hidden, system, archive, sparse) or time stamps have changed.
CLOSE                   0x80000000  The file or directory has been closed; this is the last record written for that handle.
COMPRESSION_CHANGE      0x00020000  The compression state has changed (compressed or decompressed).
DATA_EXTEND             0x00000002  Data has been appended to the unnamed (default) $DATA attribute.
DATA_OVERWRITE          0x00000001  Data has been overwritten in the unnamed (default) $DATA attribute.
DATA_TRUNCATION         0x00000004  The unnamed (default) $DATA attribute has been truncated.
EA_CHANGE               0x00000400  The extended attributes of the file or directory have changed.
ENCRYPTION_CHANGE       0x00040000  The encryption state has changed (encrypted or decrypted).
FILE_CREATE             0x00000100  The file or directory has been created for the first time.
FILE_DELETE             0x00000200  The file or directory has been deleted.
HARD_LINK_CHANGE        0x00010000  A hard link to the file or directory has been added or removed.
INDEXABLE_CHANGE        0x00004000  The FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute has changed.
INTEGRITY_CHANGE        0x00800000  The FILE_ATTRIBUTE_INTEGRITY_STREAM attribute of the stream has changed.
NAMED_DATA_EXTEND       0x00000020  Data has been appended to a named $DATA attribute (alternate data stream).
NAMED_DATA_OVERWRITE    0x00000010  Data has been overwritten in a named $DATA attribute (alternate data stream).
NAMED_DATA_TRUNCATION   0x00000040  A named $DATA attribute (alternate data stream) has been truncated.
OBJECT_ID_CHANGE        0x00080000  The object ID of the file or directory has changed.
RENAME_NEW_NAME         0x00002000  The file or directory has been renamed; file_name holds the new name.
RENAME_OLD_NAME         0x00001000  The file or directory has been renamed; file_name holds the previous name.
REPARSE_POINT_CHANGE    0x00100000  A reparse point has been added, removed, or changed.
SECURITY_CHANGE         0x00000800  The access rights (security descriptor) of the file or directory have changed.
STREAM_CHANGE           0x00200000  A named $DATA attribute has been added, removed, or renamed.
TRANSACTED_CHANGE       0x00400000  The stream has been modified through a committed TxF transaction.
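Reading the journal outside Logpresso: the following Python example is added here and is not Logpresso code. It parses USN_RECORD_V2 entries (the record version NTFS writes to $UsnJrnl:$J) from a byte buffer, emits the same fields as ntfs-usnjrnl, decodes the Reason bits into the flag names listed above, and shows how file_no is derived from file_ref. The journal bytes are constructed inside the block; the function names and the sample file names are the example's own.

```python
"""Parse USN_RECORD_V2 entries from a $UsnJrnl:$J buffer and decode reason flags.
Added example, not Logpresso code. Output keys mirror the ntfs-usnjrnl fields.
The sample journal at the bottom is constructed, not read from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

# USN reason bits (winioctl.h USN_REASON_*), keyed by bit value.
REASON_FLAGS = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x400000: "TRANSACTED_CHANGE", 0x800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed part: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_reason(reason):
    """Flag names set in a Reason value, lowest bit first (so CLOSE comes last)."""
    return [name for bit, name in sorted(REASON_FLAGS.items()) if reason & bit]


def split_file_ref(ref):
    """NTFS file reference = 48-bit MFT entry number + 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_journal(buf):
    """Yield one dict per record, with the same keys as the ntfs-usnjrnl output."""
    off = 0
    while off + _HDR.size <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:            # $J is sparse; unallocated space reads back as zeros
            off += 8
            continue
        (_, major, _, file_ref, parent_ref, usn, ts, reason,
         _, _, _, name_len, name_off) = _HDR.unpack_from(buf, off)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major} at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {
            "_time": filetime_to_datetime(ts), "file_name": name,
            "file_no": split_file_ref(file_ref)[0], "file_ref": file_ref,
            "parent_file_no": split_file_ref(parent_ref)[0], "parent_file_ref": parent_ref,
            "reason": decode_reason(reason), "usn": usn,
        }
        off += length              # RecordLength already includes the 8-byte alignment padding


def deleted_executables(records):
    """Same filter as usage example 3: *.exe records whose reason list holds a DELETE flag."""
    return [r for r in records if r["file_name"].lower().endswith(".exe")
            and any("DELETE" in f for f in r["reason"])]


def make_file_ref(entry, seq):
    return (seq << 48) | entry


def build_record(name, file_ref, parent_ref, usn, when, reason):
    """Serialise a USN_RECORD_V2; used only to construct the sample journal."""
    name_bytes = name.encode("utf-16-le")
    length = (_HDR.size + len(name_bytes) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, file_ref, parent_ref, usn, datetime_to_filetime(when),
                    reason, 0, 0, 0x20, len(name_bytes), _HDR.size)
    return (hdr + name_bytes).ljust(length, b"\0")


# Constructed sample: a sparse zero run, a created text file, then a deleted executable.
T0 = datetime(2021, 3, 4, 5, 6, 7, tzinfo=timezone.utc)
SAMPLE_JOURNAL = (
    b"\0" * 16
    + build_record("notes.txt", make_file_ref(1200, 3), make_file_ref(5, 5), 16,
                   T0, 0x100 | 0x2 | 0x80000000)                   # FILE_CREATE|DATA_EXTEND|CLOSE
    + build_record("evil.exe", make_file_ref(1234, 5), make_file_ref(5, 5), 96,
                   T0 + timedelta(seconds=90), 0x200 | 0x80000000)  # FILE_DELETE|CLOSE
)

if __name__ == "__main__":
    for rec in parse_journal(SAMPLE_JOURNAL):
        print(rec["_time"], rec["file_no"], rec["file_name"], " | ".join(rec["reason"]))
```

The parser stops on a version other than 2 rather than guessing field offsets, because V3 records (ReFS) use 128-bit file references and a different layout. In a real $J export the leading zero run can be gigabytes long; the 8-byte skip is correct but slow, and a production tool would seek to the first allocated range instead.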


Usage

  1. Retrieve records by providing the journal file path.

    ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl

  2. Retrieve records from a journal stored inside a ZIP file by providing the zippath option.

    ntfs-usnjrnl zippath=/opt/logpresso/testdata/NTFS.zip NTFS/test_UsnJrnl

  3. Retrieve the deletion history of executable files. The reason field is a list, so it is converted to a string and matched with a wildcard; this also catches records in which FILE_DELETE is combined with other flags such as CLOSE.

    ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl
    | search file_name == "*.exe" and string(reason) == "*DELETE*"

  4. Build a timeline by joining with the MFT. Journal records carry only the file name, so the full path (file_path), the in-use flag and the directory flag are taken from ntfs-mft, joined on the MFT entry number. Note that NTFS reuses MFT entry numbers after deletion, so for a deleted file the joined path may describe a later file that took over the same entry.

    ntfs-usnjrnl /opt/logpresso/testdata/ntfs/test_UsnJrnl
    | streamjoin type=left file_no [
        ntfs-mft /opt/logpresso/testdata/ntfs/test_MFT
        | rename no as file_no
        | fields file_no, file_path, in_use, is_dir
      ]
    | eval reason = strjoin(" | ", reason)
    | fields _time, file_path, reason, in_use, is_dir