Parsing the MFT and USN Journal

What Are They & Why They Matter

  1. MFT (Master File Table)

    • It’s the core metadata table on an NTFS volume — each file or directory gets a record.

    • MFT records include attributes like $STANDARD_INFORMATION (timestamps), $FILE_NAME, and $DATA.

    • From the MFT you can recover file metadata, deleted or unlinked records, and alternate data streams, and reconstruct a file timeline.

  2. USN Journal ($UsnJrnl)

    • The Update Sequence Number (USN) Journal logs all file system metadata changes: creates, deletes, renames, writes, etc.

    • Its path is typically \$Extend\$UsnJrnl:$J on NTFS.

    • Forensics value: even if a file is later deleted or modified, the USN Journal can show a history of those actions.


Tools & Techniques for Parsing

  • MFTECmd (Eric Zimmerman)

    • One of the most commonly used tools to parse MFT and the USN Journal.

    • Example command to parse both:

    MFTECmd.exe -f <path to $Extend\$J> -m <path to $MFT> --csv <output-folder> --csvf usnjrnl.csv

    • Options: dedupe, VSS support, output as JSON or CSV.

  • PoorBillionaire USN-Journal-Parser (Python)

    • A script that reads the USN Journal and outputs records in different formats (CSV, TLN, JSON).

    • Parses fields like timestamp, file reference number, parent reference, reason flags (create, delete, write, rename).

  • Velociraptor

    • Provides an artifact Windows.Forensics.Usn to parse the USN Journal on endpoints.

    • Allows filtering by filename, MFT ID, parent ID or time bounds.

    • Also has a “carving” artifact if all you have is the raw $J file: Windows.Carving.USNFiles.

  • NTFSInfo (DFIR-ORC)

    • Tool that can walk the file system by parsing both MFT and USN.

    • Outputs CSV, includes FRN (File Reference Number) to correlate records between MFT and USN.

  • JP (TZWorks)

    • Parser for the USN Journal, including carved or partially corrupted $J.


Forensic Investigation Workflow

  1. Collection

    • Acquire a forensic image of the volume (or VSS snapshot).

    • Extract $MFT and the USN Journal ($Extend\$UsnJrnl:$J) from the image. Tools like FTK Imager or raw copy can help.

    • Compute hashes for integrity.

  2. Parsing

    • Run MFTECmd on the MFT to dump metadata (file names, timestamps, ADS, etc.).

    • Run MFTECmd (or Velociraptor / other parsers) on $J (USN journal) to extract change records.

  3. Analysis

    • Correlate MFT records with USN entries using the MFT record number / file reference number.

    • Look at reason flags in USN records (create, delete, rename, data overwrite, etc.) to understand filesystem operations.

    • Build a timeline: when files were created, modified, renamed, or deleted.

  4. Anomaly Detection

    • Identify ghost or zombie entries: MFT records that were deleted but still show up in the USN journal.

    • Detect suspicious behavior: bulk file creation or deletion, renames, overwrites — may indicate malware or anti-forensic activity.

    • Use timestamp mismatches: compare USN timestamps vs MFT timestamps to spot tampering.

  5. Reporting

    • Document key events: file reference number, filename, operation type, timestamp, parent directory.

    • Provide a timeline of suspicious file system activity.

    • Recommend follow-up steps: e.g., carve deleted files, check alternate data streams, cross-correlate with other logs (event logs, registry).
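The parsing and correlation steps above, as an added example that is not code from this page or from any of the tools it lists: it walks raw USN_RECORD_V2 records from a $J buffer, splits each file reference number into MFT entry and sequence number, decodes reason flags, and flags "ghost" records whose (entry, sequence) no longer matches the live MFT. The $J bytes and the LIVE_MFT mapping are constructed here; a real run would feed it the extracted $J and the entry/sequence pairs from an MFT parse.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* values from the Windows SDK (subset sufficient for this example).
REASON_FLAGS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
                0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
HDR = "<IHHQQqqIIIIHH"   # USN_RECORD_V2 fixed header: 60 bytes, UTF-16LE file name follows
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def split_frn(frn):
    """File reference number -> (MFT entry number, sequence number)."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48

def parse_usn_v2(buf):
    """Parse every USN_RECORD_V2 in a raw $J buffer, skipping zeroed (sparse) space."""
    off, out = 0, []
    while off + 60 <= len(buf):
        length, major, _, frn, parent, usn, ts, reason, _, _, _, nlen, noff = struct.unpack_from(HDR, buf, off)
        if length == 0:           # padding; records are 8-byte aligned
            off += 8
            continue
        if major != 2 or length < 60 or off + length > len(buf):
            break                 # unsupported version or truncated tail: stop cleanly
        entry, seq = split_frn(frn)
        out.append({"usn": usn, "entry": entry, "seq": seq, "parent": split_frn(parent)[0],
                    "time": EPOCH + timedelta(microseconds=ts // 10),   # FILETIME -> UTC
                    "name": buf[off + noff:off + noff + nlen].decode("utf-16-le", "replace"),
                    "reason": [n for bit, n in REASON_FLAGS.items() if reason & bit]})
        off += length
    return out

def find_ghosts(records, live_mft):
    """USN records whose (entry, seq) no longer matches the parsed $MFT: deleted, or entry reused."""
    return [r for r in records if live_mft.get(r["entry"]) != r["seq"]]

def build_record(frn, parent, usn, ts, reason, name):
    """Constructed sample input: pack one record the way NTFS lays it out."""
    nb = name.encode("utf-16-le")
    length = (60 + len(nb) + 7) & ~7
    hdr = struct.pack(HDR, length, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20, len(nb), 60)
    return hdr + nb + b"\0" * (length - 60 - len(nb))

TS = ((datetime(2024, 1, 15, 12, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1)) * 10
SAMPLE_J = b"".join([   # constructed $J fragment; the USN value is the record's byte offset in $J
    build_record((3 << 48) | 1000, 5, 0, TS, 0x100, "dropper.exe"),                      # create
    build_record((3 << 48) | 1000, 5, 88, TS + 6_000_000_000, 0x80000200, "dropper.exe"),  # delete+close
    b"\0" * 16,                                                                          # sparse gap
    build_record((1 << 48) | 2000, 5, 192, TS, 0x2000, "report.docx")])                  # rename
LIVE_MFT = {5: 5, 2000: 1, 1000: 4}   # entry -> sequence as parsed from $MFT (constructed)
```

Entry 1000 appears in $J with sequence 3 but the live MFT holds sequence 4, so both dropper.exe records are reported as ghosts: the file was deleted and its MFT slot reused, which is exactly the case a timeline built from $MFT alone would miss.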
