# The USN Journal (`$UsnJrnl`)

The *Update Sequence Number (USN) Journal* is an integral feature of the NTFS file system. It is a chronological log that records changes made to files and directories on the volume it resides on.

* **Location & Structure:** The Journal data itself is stored within a specific Alternate Data Stream named `$J`, which is part of the hidden system metafile `$Extend\$UsnJrnl` located at the root of the NTFS volume (e.g., `C:\$Extend\$UsnJrnl`). Another stream, `$Max`, stores metadata about the journal itself.
* **Purpose:** Its primary system function is to allow applications (like indexing services, backup software, or replication engines) to efficiently track changes without needing to scan the entire volume. Forensically, it provides a detailed history of file operations.
* **Logged Information:** Each entry (USN Record) in the `$J` stream typically logs:
  * A precise **Timestamp** of the event.
  * The **Filename** affected.
  * The **File Reference Number (FRN)** and the Parent FRN (linking the file to its directory and MFT record).
  * One or more **Reason Codes**, indicating the type(s) of change(s) that occurred (e.g., `FILE_CREATE`, `FILE_DELETE`, `RENAME_OLD_NAME`, `RENAME_NEW_NAME`, `DATA_OVERWRITE`, `BASIC_INFO_CHANGE`, `STREAM_CHANGE`, `CLOSE`). Understanding these codes is key to interpretation.
  * File attributes at the time of the event.
  * Source information (distinguishing user data changes from OS data management).
* **Persistence:** Crucially, the Journal often retains records for files **even after they have been deleted** from the file system (until the Journal wraps around or is cleared). This makes it invaluable for proving the prior existence and deletion of files.
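
As an added example (not part of the original page), the following Python parses raw `USN_RECORD_V2` entries from a `$J` buffer and decodes the fields listed above, including the persistent delete record and the zero-filled gaps a sparse `$J` stream contains. The record bytes are constructed inside the script rather than captured from a real volume, and the reason/source flag subset and helper names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone
# USN_RECORD_V2 header: 60 bytes, little-endian; the UTF-16LE name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
# Subset of the Windows SDK USN_REASON_* / USN_SOURCE_* flags, named as on the page.
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
           0x8000: "BASIC_INFO_CHANGE", 0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE"}
SOURCES = {0x1: "DATA_MANAGEMENT", 0x2: "AUXILIARY_DATA", 0x4: "REPLICATION_MANAGEMENT"}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch

def decode_flags(value, table):
    return [name for bit, name in table.items() if value & bit]

def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf; zero-filled (sparse) gaps in $J are skipped."""
    off = 0
    while off + _HDR.size <= len(buf):
        if struct.unpack_from("<I", buf, off)[0] == 0:
            off += 8                                   # padding: step to the next 8-byte boundary
            continue
        rlen, major, _, frn, pfrn, usn, ts, reason, src, _, attrs, nlen, noff = _HDR.unpack_from(buf, off)
        if major != 2 or rlen < _HDR.size or off + rlen > len(buf):
            break                                      # unsupported version or truncated tail
        yield {"usn": usn, "timestamp": _EPOCH + timedelta(microseconds=ts // 10),  # FILETIME -> UTC
               "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,   # low 48 / high 16 bits
               "parent_entry": pfrn & 0xFFFFFFFFFFFF,
               "name": buf[off + noff:off + noff + nlen].decode("utf-16-le"),
               "reasons": decode_flags(reason, REASONS),
               "source": decode_flags(src, SOURCES), "attributes": attrs}
        off += rlen

def make_record(usn, ts, frn, pfrn, reason, name, src=0, attrs=0x20):
    """Build a constructed USN_RECORD_V2 (test data only, not captured from a real volume)."""
    enc = name.encode("utf-16-le")
    rlen = (_HDR.size + len(enc) + 7) & ~7                 # records are 8-byte aligned
    hdr = _HDR.pack(rlen, 2, 0, frn, pfrn, usn, ts, reason, src, 0, attrs, len(enc), _HDR.size)
    return (hdr + enc).ljust(rlen, b"\0")

# Constructed $J fragment: notes.txt is created, written and closed, then deleted an hour later.
T0 = 132_000_000_000_000_000                               # FILETIME in April 2019
FRN = (5 << 48) | 12345                                    # MFT entry 12345, sequence 5
SAMPLE_J = (make_record(0x100, T0, FRN, 5, 0x100, "notes.txt")
            + make_record(0x150, T0 + 20_000_000, FRN, 5, 0x100 | 0x2 | 0x80000000, "notes.txt")
            + b"\0" * 64                                   # sparse/zero gap the parser must skip
            + make_record(0x1A0, T0 + 36_000_000_000, FRN, 5, 0x200 | 0x80000000, "notes.txt"))

def file_history(buf, name):   # timeline for one name; the delete record persists after the file is gone
    return [(r["usn"], r["timestamp"].isoformat(), r["reasons"])
            for r in parse_usn_v2(buf) if r["name"] == name]
```

Running `file_history(SAMPLE_J, "notes.txt")` returns the create, write/close and delete entries in USN order, which is the sequence an examiner reconstructs from a real `$J` after the file itself has been removed.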
