NTFS Journal Viewer – Tool to Investigate NTFS Changes

NTFS Journal Viewer (JV) is a portable tool that extracts and parses the NTFS change journal ($UsnJrnl) file. The change journal is a file that records when changes are made to files and directories and therefore can provide a wealth of information for the forensic investigator.

The extraction tool (ExtractUsnJrnl.exe) used in NTFS Journal Viewer was created by Joakim Schicht (https://github.com/jschicht). JV is able to parse hundreds of thousands of records within seconds and provides filtering and search functionality. The results can be exported to CSV file.

NTFS Journal Viewer

The contents of the $UsnJrnl file can help forensic investigators identify what activity has occurred to files of relevance to the investigation. The $UsnJrnl:$J contains useful information as detailed below:

  • File/directory name
  • File/directory attributes
  • USN Reason
  • Time of activity
  • USN reference number
  • MFT reference number
  • MFT parent reference number
  • Security ID
  • Source info

You can read more and download this tool over here: http://www.orionforensics.com/w_en_page/

Share