
$UsnJrnl and $MFT: pairing journal with file table


$MFT is a snapshot. It describes what every file looks like right now — its metadata, its data location, its allocation status. What it does not record is the sequence of changes that produced this state. For that, NTFS keeps a second artifact: the Update Sequence Number Journal, $UsnJrnl.

What $UsnJrnl records

Every time a file is created, modified, renamed, or deleted, NTFS appends a fixed-size record to $UsnJrnl describing the event. Fields include:

  • The USN (a monotonically increasing 64-bit number)
  • The MFT record number of the changed file
  • The parent directory's record number
  • A reason mask: FILE_CREATE, DATA_OVERWRITE, RENAME_OLD_NAME, CLOSE, FILE_DELETE, and many others
  • A timestamp

The result is a chronological log of every meaningful filesystem event since the journal was created or last rotated. On a typical system, that covers days to weeks.

Where it lives

$UsnJrnl is a regular NTFS file with its data in the named data stream $J. It sits in the special $Extend directory alongside other system metadata files like $LogFile and $Quota.

You can grab it with the same tools that grab $MFT:

  • KAPE's MFT target includes $UsnJrnl
  • FTK Imager can export it from [NTFS volume]/$Extend/$UsnJrnl:$J
  • Forensic disk image tools read it directly from the raw clusters

How it complements $MFT

Pair the two and patterns emerge that neither alone would show:

  • A file you cannot find on disk but appears in $UsnJrnl — created and deleted between snapshots, but the journal kept the record
  • The exact order of renames during a ransomware attack: OPEN, DATA_OVERWRITE, RENAME_OLD_NAME, RENAME_NEW_NAME, CLOSE
  • Whether a "modified" file was actually rewritten or just touched: $UsnJrnl reasons distinguish data overwrite from metadata change

For timeline reconstruction, the workflow is usually: walk $MFT for the present state, then walk $UsnJrnl for the history of changes that produced it.
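The record layout described under "What $UsnJrnl records" and the pairing workflow above, as an added example (written for this post, not code from the original or from any of the tools it names). It parses USN_RECORD_V2 structures from a $J byte buffer using the documented 60-byte header, splits the file reference into MFT record number and sequence number, decodes the reason mask, and then answers the three questions above against a constructed MFT snapshot: which journaled records are no longer allocated, what rename chain a record went through, and whether a record's data was rewritten or only its metadata touched. The journal bytes and the `SAMPLE_MFT` index are constructed test data; `build_v2_record` exists only to fabricate them.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the documented USN_REASON_* bit values for USN_RECORD_V2.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
CONTENT_REASONS = {"DATA_OVERWRITE", "DATA_EXTEND", "DATA_TRUNCATION"}

# Fixed 60-byte header of USN_RECORD_V2 (little-endian): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
_V2 = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_utc(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_reasons(mask):
    names = [n for bit, n in sorted(USN_REASONS.items()) if mask & bit]
    unknown = mask & ~sum(USN_REASONS)
    return names + ([f"0x{unknown:08x}"] if unknown else [])


def parse_usn_v2(buf):
    """Walk a $J buffer and return one dict per USN_RECORD_V2, in journal order."""
    off, out = 0, []
    while off + 4 <= len(buf):
        (rec_len,) = struct.unpack_from("<I", buf, off)
        if rec_len == 0:              # zero padding between records: skip 8 bytes
            off += 8
            continue
        if rec_len < _V2.size or off + rec_len > len(buf):
            break                     # truncated tail: stop rather than mis-parse
        (_, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, _attr, name_len, name_off) = _V2.unpack_from(buf, off)
        if major == 2:
            name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
            out.append({
                "usn": usn,
                "mft_record": frn & 0xFFFFFFFFFFFF,     # low 48 bits: MFT entry number
                "mft_seq": frn >> 48,                   # high 16 bits: reuse sequence
                "parent_record": parent & 0xFFFFFFFFFFFF,
                "timestamp": filetime_to_utc(ts),
                "reasons": decode_reasons(reason),
                "name": name,
            })
        off += rec_len
    return out


def orphan_records(records, mft_index):
    """Journaled records whose MFT entry is not allocated in the snapshot."""
    return {r["mft_record"]: r["name"] for r in records if r["mft_record"] not in mft_index}


def rename_chains(records):
    """Ordered list of names each record carried across RENAME_* events."""
    chains = {}
    for r in sorted(records, key=lambda r: r["usn"]):
        if {"RENAME_OLD_NAME", "RENAME_NEW_NAME"} & set(r["reasons"]):
            chain = chains.setdefault(r["mft_record"], [])
            if not chain or chain[-1] != r["name"]:
                chain.append(r["name"])
    return chains


def change_kind(records, record_no):
    """'rewritten' if any data reason was logged, 'touched' if only metadata."""
    reasons = {x for r in records if r["mft_record"] == record_no for x in r["reasons"]}
    if reasons & CONTENT_REASONS:
        return "rewritten"
    return "touched" if reasons else "no journal activity"


def build_v2_record(usn, rec, parent, ft, reason, name, seq=1):
    """Fabricate one USN_RECORD_V2 (constructed test data only)."""
    raw = name.encode("utf-16-le")
    length = (_V2.size + len(raw) + 7) & ~7              # records are 8-byte aligned
    hdr = _V2.pack(length, 2, 0, (seq << 48) | rec, (seq << 48) | parent,
                   usn, ft, reason, 0, 0, 0x20, len(raw), _V2.size)
    return hdr + raw + b"\0" * (length - _V2.size - len(raw))


# Constructed snapshot of allocated MFT entries: record number -> current name.
SAMPLE_MFT = {5: ".", 40: "report.docx.locked", 41: "notes.txt"}


def sample_journal():
    """Constructed $J bytes: one file rewritten then renamed, one touched, one deleted."""
    t = 133_000_000_000_000_000                           # FILETIME in mid-2022
    return b"".join([
        build_v2_record(100, 40, 5, t, 0x1, "report.docx"),
        build_v2_record(200, 40, 5, t, 0x1 | 0x80000000, "report.docx"),
        build_v2_record(300, 40, 5, t, 0x1000, "report.docx"),
        build_v2_record(400, 40, 5, t, 0x2000, "report.docx.locked"),
        build_v2_record(500, 40, 5, t, 0x2000 | 0x80000000, "report.docx.locked"),
        build_v2_record(600, 41, 5, t, 0x8000 | 0x80000000, "notes.txt"),
        build_v2_record(700, 42, 5, t, 0x100, "upload.tmp"),
        b"\0" * 8,                                        # padding gap inside $J
        build_v2_record(800, 42, 5, t, 0x200 | 0x80000000, "upload.tmp"),
    ])
```

On a real image, replace `sample_journal()` with the bytes of `$Extend/$UsnJrnl:$J` and `SAMPLE_MFT` with the record-number-to-name map from your $MFT parse; the parser stops at the first truncated record instead of guessing, and V3/V4 records (128-bit file references, seen with ReFS or newer Windows) are skipped because only the V2 layout is implemented here.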

Limits

$UsnJrnl rotates. By default the journal is 32 MB, holding a few days of activity on a busy system. Older events fall off the end. If you arrive at an investigation more than a week after the event, expect gaps — and lean harder on $MFT slack and $LogFile.
