usnjrnl

$ target-query <path/to/target> -f usnjrnl

Details

Module	dissect.target.plugins.filesystem.ntfs.usnjrnl.UsnjrnlPlugin
Output	records

Module documentation

NFTS UsnJrnl plugin.

Function documentation

Return the UsnJrnl entries of all NTFS filesystems.

The Update Sequence Number Journal (UsnJrnl) is a feature of an NTFS file system and contains information about filesystem activities. Each volume has its own UsnJrnl.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the UsnJrnl properties added to it through a “fake” NtfsFilesystem), the paths returned in the UsnJrnl records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.

References:

• https://en.wikipedia.org/wiki/USN_Journal

• https://velociraptor.velocidex.com/the-windows-usn-journal-f0c55c9010e