
Artifact Analysis: USN Journal ($UsnJrnl)

1. Technical Mechanics: Tracking the Change


The USN Journal is not a permanent, infinite log. It is designed for efficiency and speed.

It is stored as a hidden NTFS metafile, $Extend\$UsnJrnl, and consists of two alternate data streams:

  • $Max: Metadata defining the maximum size of the journal and the allocation delta (how much is released when that size is exceeded).
  • $J: The log records themselves. The stream is sparse and functions as a circular buffer: once it grows past the $Max size, the oldest region is released and reads back as zeros, so older history is lost.

Whenever a file is created, modified, deleted, or renamed, a new record is appended to the $J stream. Each record carries a 64-bit Update Sequence Number (USN), which is simply the record's byte offset within $J, so USNs increase monotonically and also tell you where a record sits in the stream.

2. Reason Codes: The “What” of the Action


The most valuable forensic data within a USN entry is the Reason Code. Each entry is tagged with one or more flags describing the exact nature of the file system change.

Key Reason Codes for DFIR analysts include:

  • USN_REASON_FILE_CREATE: A new file or directory was created.
  • USN_REASON_FILE_DELETE: A file or directory was deleted. (Crucial for detecting payload wiping).
  • USN_REASON_RENAME_OLD_NAME: A file was renamed (indicates the original name).
  • USN_REASON_RENAME_NEW_NAME: A file was renamed (indicates the new name).
  • USN_REASON_DATA_OVERWRITE: Data within the file was overwritten.
  • USN_REASON_DATA_EXTEND: Data was appended to the file.
  • USN_REASON_CLOSE: A file that was open for modification has been closed. This generates the final, consolidated record for a file interaction.
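The record layout from section 1 and the reason bitmask from section 2 can be decoded with a short parser. The following is an added example, not code from the page or from any tool it names: it parses USN_RECORD_V2 headers (the format NTFS writes on most volumes), expands the Reason flags using the values from the Windows SDK, treats the USN as the record's byte offset, skips the zero-filled sparse region at the start of an exported $J, and runs against a constructed four-record journal that mirrors the drop-and-delete sequence discussed later on the page. All file references, timestamps and names in the sample are made up, and the example assumes $J has already been exported to a file.

```python
"""Parse USN_RECORD_V2 structures from an exported NTFS $UsnJrnl:$J stream (added example)."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reason flag values as defined in the Windows SDK (winioctl.h).
USN_REASON = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
KNOWN_MASK = sum(USN_REASON)  # keys are distinct bits, so their sum equals their OR

# USN_RECORD_V2 fixed header: 60 bytes, little-endian, followed by the UTF-16LE file name.
# Fields: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
HEADER_FMT = "<IHHQQqqIIIIHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns units


@dataclass
class UsnRecord:
    usn: int            # byte offset of the record within $J
    timestamp: datetime
    mft_entry: int      # low 48 bits of FileReferenceNumber: the $MFT record number
    mft_sequence: int   # high 16 bits: incremented each time that MFT record is reused
    parent_entry: int   # MFT record number of the parent directory
    reasons: list
    name: str


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_reason(flags):
    """Expand the Reason bitmask into flag names; unknown bits are reported rather than dropped."""
    names = [name for bit, name in sorted(USN_REASON.items()) if flags & bit]
    if flags & ~KNOWN_MASK:
        names.append(f"UNKNOWN_0x{flags & ~KNOWN_MASK:08X}")
    return names


def build_record(usn, file_ref, parent_ref, when, reason, name):
    """Serialise one V2 record; used here only to construct sample data."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER_LEN + len(name_bytes) + 7) & ~7  # records are padded to 8-byte alignment
    header = struct.pack(HEADER_FMT, length, 2, 0, file_ref, parent_ref, usn,
                         datetime_to_filetime(when), reason, 0, 0, 0x20, len(name_bytes), HEADER_LEN)
    return header + name_bytes + bytes(length - HEADER_LEN - len(name_bytes))


def parse_usn_journal(data):
    records, off = [], 0
    while off + HEADER_LEN <= len(data):
        if data[off:off + 4] == b"\x00\x00\x00\x00":
            off += 8  # zero run: the released (sparse) region before the first live record, or padding
            continue
        fields = struct.unpack_from(HEADER_FMT, data, off)
        length, major = fields[0], fields[1]
        if length < HEADER_LEN or off + length > len(data):
            break     # truncated or corrupt tail; stop rather than misalign every later record
        if major == 2:  # V3/V4 records use 128-bit file references and are skipped by length here
            _, _, _, fref, pref, usn, ft, reason, _, _, _, nlen, noff = fields
            name = data[off + noff:off + noff + nlen].decode("utf-16-le")
            records.append(UsnRecord(usn, filetime_to_datetime(ft), fref & 0xFFFFFFFFFFFF,
                                     fref >> 48, pref & 0xFFFFFFFFFFFF, decode_reason(reason), name))
        off += length
    return records


def build_sample_journal():
    """Constructed $J image: 4 KiB of zeros (sparse prefix) followed by a drop-and-delete sequence."""
    base = datetime(2024, 1, 15, 14, 32, 5, tzinfo=timezone.utc)  # constructed timestamp
    parent = 0x0001000000000ABC                                     # constructed directory reference
    events = [  # (file reference, seconds after base, reason flags, name) -- all constructed
        (0x0005000000001234, 0, 0x100, "malware.exe"),                  # FILE_CREATE
        (0x0005000000001234, 0, 0x100 | 0x80000000, "malware.exe"),     # FILE_CREATE|CLOSE
        (0x0005000000001235, 1, 0x100 | 0x80000000, "lib.dll"),
        (0x0005000000001234, 235, 0x200 | 0x80000000, "malware.exe"),   # FILE_DELETE|CLOSE, 14:36:00
    ]
    data = bytearray(4096)
    for fref, secs, reason, name in events:
        data += build_record(len(data), fref, parent, base + timedelta(seconds=secs), reason, name)
    return bytes(data)


if __name__ == "__main__":
    for r in parse_usn_journal(build_sample_journal()):
        print(f"{r.timestamp:%H:%M:%S} | USN {r.usn} | MFT {r.mft_entry}-{r.mft_sequence} | "
              f"{'|'.join(r.reasons)} | {r.name}")
```

Keeping the MFT entry and sequence numbers on each record is what lets you tie a journal entry back to $MFT (or notice that the entry has since been reused by a different file), and reporting unknown reason bits instead of silently dropping them avoids hiding activity the flag table does not cover.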

The USN Journal is a phenomenal tool for chronological reconstruction. When standard execution artifacts prove a payload ran, the USN Journal reveals what that payload did to the disk.

By parsing and chronologically sorting the $J stream, analysts can watch the adversary’s playbook unfold step-by-step. Consider this classic ransomware/exfiltration scenario found in the logs:

14:32:05 | FILE_CREATE | C:\PerfLogs\malware.exe
14:32:06 | FILE_CREATE | C:\PerfLogs\lib.dll
14:35:10 | DATA_EXTEND | C:\Users\Admin\Documents\secrets.zip
14:35:12 | RENAME_NEW_NAME | C:\PerfLogs\data.bin (formerly secrets.zip)
14:36:00 | FILE_DELETE | C:\PerfLogs\malware.exe

Analysis: The attacker dropped their payload and a dependency, staged sensitive data into an archive, disguised the archive as a benign .bin file in PerfLogs, and finally deleted their primary payload to frustrate basic forensic review.

Proving that a file was deliberately deleted is otherwise hard: once the file’s Master File Table (MFT) record has been reused or overwritten, little trace of it remains. The USN_REASON_FILE_DELETE entry in the USN Journal survives (until the buffer rolls over), and because it carries the file name, the MFT entry and sequence numbers and the parent directory reference, it gives direct evidence of exactly when the file was deleted, which is what you need to show that an attacker attempted to destroy evidence.

The USN Journal is most useful when correlated with execution artifacts:

  • With Amcache: If you find a suspicious file hash in Amcache, querying the USN Journal for that filename will reveal the exact second it hit the disk and when it was deleted (provided the journal has not rolled over in between).
  • With Prefetch: If Prefetch indicates execution at 14:32:05, the USN Journal will reveal exactly which files were created or modified in the seconds that follow, which is how you attribute disk changes to that process.
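The reconstruction, deletion-proof and correlation steps above are mechanical once the records are parsed. The following is an added example, not code from the page or from MFTECmd: it loads a constructed CSV in a simplified layout (the column names are an assumption, not MFTECmd's exact output), sorts by USN rather than timestamp, pulls out the activity that follows a Prefetch execution time, pairs RENAME_OLD_NAME with RENAME_NEW_NAME records to recover the secrets.zip to data.bin rename, and flags files that were created and deleted within a short window. The rows replay the page's scenario plus one line of unrelated background activity; every name, entry number and timestamp is made up.

```python
"""Correlate parsed $J entries with an execution time and surface drop/rename/delete patterns (added example)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in a simplified CSV layout (column names are an assumption, not MFTECmd's
# exact output). It replays the page's scenario plus one line of unrelated background activity.
SAMPLE_CSV = """\
Name,EntryNumber,SequenceNumber,UpdateSequenceNumber,UpdateTimestamp,UpdateReasons
malware.exe,4660,5,4096,2024-01-15 14:32:05.000000,FILE_CREATE
malware.exe,4660,5,4184,2024-01-15 14:32:05.050000,DATA_EXTEND|FILE_CREATE|CLOSE
lib.dll,4661,5,4272,2024-01-15 14:32:06.000000,DATA_EXTEND|FILE_CREATE|CLOSE
setupapi.dev.log,1500,2,4352,2024-01-15 14:33:00.000000,DATA_EXTEND|CLOSE
secrets.zip,7000,3,4432,2024-01-15 14:35:10.000000,DATA_EXTEND
secrets.zip,7000,3,4520,2024-01-15 14:35:12.000000,RENAME_OLD_NAME
data.bin,7000,3,4608,2024-01-15 14:35:12.000000,RENAME_NEW_NAME|CLOSE
malware.exe,4660,5,4688,2024-01-15 14:36:00.000000,FILE_DELETE|CLOSE
"""
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def load_entries(csv_text):
    """Read rows into dicts; (EntryNumber, SequenceNumber) identifies one specific MFT record."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        entries.append({
            "name": row["Name"],
            "key": (int(row["EntryNumber"]), int(row["SequenceNumber"])),
            "usn": int(row["UpdateSequenceNumber"]),
            "ts": datetime.strptime(row["UpdateTimestamp"], TS_FMT),
            "reasons": set(row["UpdateReasons"].split("|")),
        })
    # Sort by USN, not timestamp: USN order is write order even if the system clock was changed.
    return sorted(entries, key=lambda e: e["usn"])


def activity_after(entries, exec_time, window=timedelta(seconds=5)):
    """Entries written between an execution time (e.g. a Prefetch last-run time) and exec_time + window."""
    return [e for e in entries if exec_time <= e["ts"] <= exec_time + window]


def rename_chains(entries):
    """Pair RENAME_OLD_NAME with the following RENAME_NEW_NAME for the same MFT record: old -> new."""
    pending, chains = {}, {}
    for e in entries:
        if "RENAME_OLD_NAME" in e["reasons"]:
            pending[e["key"]] = e["name"]
        elif "RENAME_NEW_NAME" in e["reasons"] and e["key"] in pending:
            chains[pending.pop(e["key"])] = e["name"]
    return chains


def short_lived_files(entries, max_lifetime=timedelta(minutes=10)):
    """Files created and then deleted (same MFT record) within max_lifetime: a staging/cleanup signal.
    Returns (name, created_at, deleted_at) tuples."""
    created, findings = {}, []
    for e in entries:
        if "FILE_CREATE" in e["reasons"]:
            created.setdefault(e["key"], e["ts"])
        if "FILE_DELETE" in e["reasons"] and e["key"] in created:
            if e["ts"] - created[e["key"]] <= max_lifetime:
                findings.append((e["name"], created[e["key"]], e["ts"]))
    return findings


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    prefetch_run = datetime(2024, 1, 15, 14, 32, 5)  # constructed: the time Prefetch reported for malware.exe
    for e in activity_after(entries, prefetch_run):
        print(f"{e['ts']:%H:%M:%S.%f} | {'|'.join(sorted(e['reasons']))} | {e['name']}")
    print("renames:", rename_chains(entries))
    print("short-lived:", short_lived_files(entries))
```

Matching on the (entry, sequence) pair rather than on the file name is deliberate: the same name can be reused by unrelated files, and a renamed file keeps its MFT record, so the key is what ties the RENAME_OLD_NAME and RENAME_NEW_NAME records together and what links a FILE_DELETE back to the FILE_CREATE that started it.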

The $J stream cannot be copied through the normal file API, so extracting it requires raw disk access (for example with KAPE or FTK Imager) or pulling it from a Volume Shadow Copy (VSS). On a live system, fsutil usn readjournal can dump the records directly, at the cost of touching the evidence volume.

parse_usn_journal.cmd
:: MFTECmd parses both the $MFT and the $J stream of the USN Journal.
:: Extract the $J file using a tool like KAPE or FTK Imager, then parse it.
:: Note: $J is sparse, so the exported file can appear to be many GB even though only
:: its tail holds live records; MFTECmd handles the zero-filled region.
MFTECmd.exe -f "C:\Forensics\Export\$J" --csv "C:\Forensics\Results" --csvf parsed_usn.csv