{"id":796,"date":"2023-11-17T07:19:08","date_gmt":"2023-11-17T07:19:08","guid":{"rendered":"https:\/\/e5hforensics.com\/?page_id=796"},"modified":"2023-11-19T18:22:15","modified_gmt":"2023-11-19T18:22:15","slug":"ntfs-journal-viewer","status":"publish","type":"page","link":"https:\/\/e5hforensics.com\/index.php\/downloads\/software\/ntfs-journal-viewer\/","title":{"rendered":"NTFS Journal Viewer"},"content":{"rendered":"\n<h2 class=\"wp-block-heading has-zeever-secondary-color has-text-color\">NTFS Journal Viewer<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"995\" height=\"516\" src=\"https:\/\/e5hforensics.com\/wp-content\/uploads\/2023\/11\/NTFS-Journal-Viewer.png\" alt=\"NTFS Journal Viewer\" class=\"wp-image-791\" srcset=\"\/wp-content\/uploads\/2023\/11\/NTFS-Journal-Viewer.png 995w, \/wp-content\/uploads\/2023\/11\/NTFS-Journal-Viewer-300x156.png 300w, \/wp-content\/uploads\/2023\/11\/NTFS-Journal-Viewer-768x398.png 768w\" sizes=\"(max-width: 995px) 100vw, 995px\" \/><\/figure>\n\n\n\n\n\n<p>NTFS Journal Viewer is a portable tool that extracts and parses the NTFS change journal ($UsnJrnl) file. The change journal is a file that records when changes are made to files and directories and therefore can provide a wealth of information for the forensic investigator.<\/p>\n\n\n\n<p>The extraction tool (ExtractUsnJrnl.exe) used in NTFS Journal Viewer was created by Joakim Schicht (<a href=\"https:\/\/github.com\/jschicht\">https:\/\/github.com\/jschicht<\/a>). JV is able to parse hundreds of thousands of records within seconds and provides filtering and search functionality. The results can be exported to a CSV file.<\/p>\n\n\n\n<p><strong>$UsnJrnl<\/strong><br>The NTFS change journal ($UsnJrnl) is an operating system file that records when changes are made to files and directories. The change journal is located at $Extend\\$UsnJrnl. 
The journal contains two alternate data streams as detailed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$UsnJrnl:$J \u2013 Contains the actual journal entries<\/li>\n\n\n\n<li>$UsnJrnl:$MAX \u2013 Contains metadata about the $UsnJrnl<\/li>\n<\/ul>\n\n\n\n<p>The contents of the $UsnJrnl file can help forensic investigators identify what activity has occurred to files of relevance to the investigation.<\/p>\n\n\n\n<p>The $UsnJrnl:$J contains useful information as detailed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>File\/directory name<\/li>\n\n\n\n<li>File\/directory attributes<\/li>\n\n\n\n<li>USN reason<\/li>\n\n\n\n<li>Time of activity<\/li>\n\n\n\n<li>USN reference number<\/li>\n\n\n\n<li>MFT reference number<\/li>\n\n\n\n<li>MFT parent reference number<\/li>\n\n\n\n<li>Security ID<\/li>\n\n\n\n<li>Source info<\/li>\n<\/ul>\n\n\n\n<p><strong>License<\/strong><\/p>\n\n\n\n<p>This program is released as freeware. You are allowed to freely distribute this program via any method, as long as you don\u2019t charge anything for this. If you distribute this program, you must include all files in the distribution package, without any modification!<\/p>\n\n\n\n<p>Icons by&nbsp;<a href=\"http:\/\/www.everaldo.com\/\">Everaldo Coelho<\/a>&nbsp;from the Crystal project are used; these are released under the&nbsp;<a href=\"http:\/\/www.gnu.org\/licenses\/lgpl.html\">LGPL license<\/a>.<\/p>\n\n\n\n<p><strong>Disclaimer<\/strong><\/p>\n\n\n\n<p>The software is provided \u201cAS IS\u201d without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. 
The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.<\/p>\n\n\n\n\n<a class=\"guten-button guten-button-sm\" href=\"https:\/\/e5hforensics.com\/wp-content\/uploads\/2023\/11\/NTFS-Journal-Viewer.zip\"><span>Download<\/span><\/a>","protected":false},"excerpt":{"rendered":"<p>NTFS Journal Viewer NTFS Journal Viewer is a portable tool that extracts and parses the NTFS change journal ($UsnJrnl) file. The change journal is a file that records when changes are made to files and directories and therefore can provide a wealth of information for the forensic investigator. The extraction tool (ExtractUsnJrnl.exe) used in NTFS Journal Viewer was created by Joakim Schicht (https:\/\/github.com\/jschicht). JV is able to parse hundreds of thousands of records within seconds and provides filtering and search functionality. The results can be exported to CSV file. $UsnJrnlThe NTFS change journal ($UsnJrnl) is an operating system file 
that<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":208,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-796","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/comments?post=796"}],"version-history":[{"count":9,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/796\/revisions"}],"predecessor-version":[{"id":823,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/796\/revisions\/823"}],"up":[{"embeddable":true,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/208"}],"wp:attachment":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/media?parent=796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}