$UsnJrnl Viewer

View the entries stored in the USN Journal

OSForensics™ includes a $UsnJrnl viewer that parses and displays the log records stored in the NTFS $UsnJrnl volume change journal. This information is useful for identifying suspect files (e.g. malware) that no longer exist in the file system or the $MFT. The USN journal is updated whenever files or directories on the volume change, including:

  • File Metadata changes
  • File Creations
  • File Deletions
  • File Overwrites
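To make the journal mechanics concrete, here is an added example (not OSForensics code) that parses USN_RECORD_V2 records from a $UsnJrnl:$J buffer, decodes the Reason flags that correspond to the change types listed above, and shows why the journal still names a deleted file after its $MFT entry is gone. The record layout and flag values follow the documented USN_RECORD_V2 structure; the sample journal bytes, file names and timestamps are constructed for the demo and do not come from any real volume.

```python
"""Minimal parser for NTFS $UsnJrnl:$J records (USN_RECORD_V2 layout).

Added example. The record layout follows the documented USN_RECORD_V2
structure; the sample journal bytes below are constructed for the demo,
they are not taken from any real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header: 60 bytes, little-endian, no padding
_HEADER = struct.Struct("<IHHQQqqIIIIHH")

# Subset of USN_REASON_* flags (values from the Windows SDK headers)
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_reason(reason):
    """Expand a Reason bitmask into the flag names it contains."""
    return [name for bit, name in USN_REASONS.items() if reason & bit]


def parse_usn_records(buf):
    """Walk a $J buffer and yield one dict per USN_RECORD_V2."""
    off = 0
    while off + _HEADER.size <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:
            # $J is sparse and page-padded; skip zero filler 8 bytes at a time
            off += 8
            continue
        if rec_len < _HEADER.size or off + rec_len > len(buf):
            break  # truncated or corrupt record: stop rather than misparse
        (_, major, _minor, file_ref, parent_ref, usn, ts, reason, _source,
         _sec_id, attrs, name_len, name_off) = _HEADER.unpack_from(buf, off)
        if major != 2:
            off += rec_len
            continue  # only the V2 layout is handled here
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            # FileReferenceNumber packs the $MFT entry (48 bits) and sequence (16 bits)
            "mft_entry": file_ref & 0xFFFFFFFFFFFF,
            "mft_seq": file_ref >> 48,
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
            "reason": decode_reason(reason),
            "attributes": attrs,
            "name": name,
        }
        off += rec_len


def search_records(buf, phrase):
    """Case-insensitive file-name search, like the viewer's text filter."""
    phrase = phrase.lower()
    return [r for r in parse_usn_records(buf) if phrase in r["name"].lower()]


def deleted_files(buf):
    """Names with FILE_DELETE: evidence that survives after the $MFT entry is reused."""
    return [r["name"] for r in parse_usn_records(buf) if "FILE_DELETE" in r["reason"]]


# --- constructed sample journal (not real data) ------------------------------
def _build_record(usn, ts, file_ref, parent_ref, reason, attrs, name):
    """Assemble one USN_RECORD_V2, padded to an 8-byte boundary as NTFS does."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (_HEADER.size + len(name_bytes) + 7) & ~7
    head = _HEADER.pack(rec_len, 2, 0, file_ref, parent_ref, usn, ts,
                        reason, 0, 0, attrs, len(name_bytes), _HEADER.size)
    return head + name_bytes + b"\x00" * (rec_len - _HEADER.size - len(name_bytes))


_TS = 132000000000000000  # constructed FILETIME, 2019-04-17T18:40:00Z
SAMPLE_JOURNAL = (
    _build_record(0x1000, _TS, (5 << 48) | 1234, (1 << 48) | 5, 0x100, 0x20, "invoice.pdf")
    + _build_record(0x1050, _TS + 10_000_000, (3 << 48) | 4321, (1 << 48) | 5,
                    0x100 | 0x2 | 0x80000000, 0x20, "dropper.exe")
    + b"\x00" * 16  # zero filler, as found between pages in real $J data
    + _build_record(0x10A0, _TS + 20_000_000, (3 << 48) | 4321, (1 << 48) | 5,
                    0x200 | 0x80000000, 0x20, "dropper.exe")
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_JOURNAL):
        print(r["timestamp"].isoformat(), r["name"], "+".join(r["reason"]), sep="  ")
    print("deleted:", deleted_files(SAMPLE_JOURNAL))
```

The third record is the one that matters for the use case above: by the time an examiner looks at the volume, the $MFT entry 4321 may have been reused for an unrelated file, but the journal still records that "dropper.exe" was created, written and deleted, with timestamps. Real $J data is a sparse stream with large zero-filled gaps, which is why the parser skips zero filler instead of treating it as the end of the journal.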

The $UsnJrnl viewer allows the user to search for records that match a specified text phrase.
