OSForensics™ includes an $UsnJrnl viewer that parses and displays the log records stored in the NTFS $UsnJrnl volume change journal. This information is useful for identifying suspect files (eg. malware) that no longer exist in the file system or $MFT. The USN journal is updated whenever changes to files and directories are made to a volume including:
- File Metadata changes
- File Creations
- File Deletions
- File Overwrites
The $UsnJrnl viewer allows the user to search for records that match a specified text phrases.