# Limitations

* **Journal Size/Wrapping:** The USN Journal has a maximum size limit (configurable via `fsutil`, but rarely changed by users). Once this limit is reached, the oldest entries are overwritten by new ones (it "wraps around"). The time span covered by the Journal depends heavily on disk activity levels and the configured size. On very active systems, it might only cover hours or days; on less active systems, it could potentially span weeks or months.
* **Journal Clearing:** The Journal *can* be deliberately deleted using `fsutil usn deletejournal /D C:` (requires admin privileges). This action is **highly suspicious** and itself detectable via:
  * **Event Logs:** Generates Event ID 3079 in the Application log.
  * **Journal Metadata:** Tools parsing the Journal (like JournalTrace showing "Oldest Entry" or analyzing `$J`/`$MAX` modification times via FTK Imager/MFTECmd) will show a very recent creation/modification time, indicating it was recently wiped and recreated.
* **FAT32/exFAT:** These file systems **do not have a USN Journal**. Journal analysis techniques are completely inapplicable to volumes formatted with FAT32 or exFAT.
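The wrapping and clearing limitations above both show up as a short, recent time window in the surviving records. The following is an added example, not code from this guide or from any tool it names: it walks a raw `$J` export, reads each `USN_RECORD_V2` timestamp, and reports the window covered. The function names, the V2-only assumption, the one-hour "recent" threshold and the sample bytes are all this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte header of USN_RECORD_V2 (little-endian); the file name follows it.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def iter_usn_v2(buf):
    """Yield (usn, timestamp, name) for every USN_RECORD_V2 found in raw $J bytes."""
    pos = 0
    while pos + _HDR.size <= len(buf):
        f = _HDR.unpack_from(buf, pos)
        length, major, usn, ftime, nlen, noff = f[0], f[1], f[5], f[6], f[11], f[12]
        bad = (major != 2 or length < _HDR.size or length % 8
               or pos + length > len(buf) or noff < _HDR.size or noff + nlen > length)
        if length == 0 or bad:
            pos += 8  # sparse zero run or non-V2 bytes: resync on 8-byte alignment
            continue
        name = buf[pos + noff:pos + noff + nlen].decode("utf-16-le", "replace")
        yield usn, _EPOCH + timedelta(microseconds=ftime // 10), name
        pos += length

def journal_coverage(buf, collected_at, recent=timedelta(hours=1)):
    """Summarise the time window the surviving records cover, or None if empty."""
    times = [ts for _, ts, _ in iter_usn_v2(buf)]
    if not times:
        return None
    oldest, newest = min(times), max(times)
    return {"records": len(times), "oldest": oldest, "newest": newest,
            "span": newest - oldest,
            # A very young oldest record means heavy wrapping or a deleted and
            # recreated journal; corroborate with Event ID 3079.
            "oldest_is_recent": collected_at - oldest < recent}

def make_record(usn, when, name):
    """Build one constructed USN_RECORD_V2 for the sample below."""
    raw = name.encode("utf-16-le")
    length = (_HDR.size + len(raw) + 7) & ~7
    ftime = ((when - _EPOCH) // timedelta(microseconds=1)) * 10
    hdr = _HDR.pack(length, 2, 0, 0, 0, usn, ftime, 0x100, 0, 0, 0x20, len(raw), _HDR.size)
    return (hdr + raw).ljust(length, b"\0")

# Constructed sample: 64 bytes of sparse padding, then three records.
T0 = datetime(2024, 5, 1, 11, 40, tzinfo=timezone.utc)
SAMPLE = b"\0" * 64 + b"".join(
    make_record(4096 + i * 80, T0 + timedelta(minutes=m), n)
    for i, (m, n) in enumerate([(0, "a.txt"), (10, "b.jar"), (15, "c.log")]))

if __name__ == "__main__":
    print(journal_coverage(SAMPLE, collected_at=T0 + timedelta(minutes=20)))
```

A recent oldest record does not by itself distinguish a busy volume that wrapped from a deliberate deletion, which is why the result is a flag to corroborate rather than a verdict.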

