# The Journal ($UsnJrnl) - The Change Log

As a core part of its journaling capability, NTFS utilizes the `$UsnJrnl` metafile. This file is typically located in a hidden system directory, often `C:\$Extend` (as noted previously, usually inaccessible via standard Explorer). The `$UsnJrnl` functions as a detailed **logbook of changes** made to files and directories across the volume. It tracks a wide array of activities, providing a chronological record of filesystem events, including:

* File and directory creation (`FILE_CREATE`).
* File and directory deletion (`FILE_DELETE`).
* File and directory renaming (`RENAME_OLD_NAME`, `RENAME_NEW_NAME`).
* Changes to file data content (e.g., overwriting data `DATA_OVERWRITE`, extending file size `DATA_EXTEND`, shrinking file size `DATA_TRUNCATION`).
* Modifications to file attributes or security settings (`BASIC_INFO_CHANGE`).
* Changes involving Alternate Data Streams (`STREAM_CHANGE`).

Interestingly, the main `$UsnJrnl` file itself might appear empty or small if viewed directly. The crucial log data resides within two *Alternate Data Streams (ADS)* associated with this metafile:

* **`$Max`:** Contains metadata *about* the journal, such as its unique ID, maximum size limit, and allocation granularity.
* **`$J`:** This stream contains the actual sequence of **USN Records** – the individual log entries detailing filesystem changes.

*USN Records (Update Sequence Number Records):* These are the fundamental entries within the `$J` stream. Each record documents a specific change event and typically includes:

* An Update Sequence Number (a monotonically increasing number identifying the record).
* The File Reference Number (FRN) of the file or directory affected.
* The FRN of the parent directory.
* A USN Reason Code (a flag indicating the type(s) of change, like `FILE_CREATE`, `FILE_DELETE`, `DATA_OVERWRITE`, `BASIC_INFO_CHANGE`, etc.).
* Source Information (indicating if the change was user data, OS data management, etc.).
* Security ID (SID) of the user/process making the change (availability may vary).
* File Attributes at the time of the change.
* The filename.
* A precise timestamp for the event.
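
The field list above maps directly onto the fixed 60-byte header of a `USN_RECORD_V2` as stored in the `$J` stream, and the reason codes are single bit flags that are OR-ed together (a record for a file write commonly carries `DATA_EXTEND` together with `CLOSE`). The following parser is an added example, not code from the original page or from any of the tools it mentions; it follows the documented `USN_RECORD_V2` layout and flag values, builds a few constructed sample records in memory (the filenames, MFT entry numbers and timestamps are made up), and walks them the way a forensic tool walks `$J`, including stepping over the zero-filled sparse region at the start of the stream.

```python
"""Parse USN_RECORD_V2 entries as they appear in the $UsnJrnl:$J stream.

Added illustrative example. The record layout and flag values follow the
Windows USN_RECORD_V2 definition; the sample records are constructed here,
not captured from a real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte header of a USN_RECORD_V2, little-endian, in order:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")

# USN_REASON_* flags (each a single bit; a record ORs together every change
# seen since the file was last closed).
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
# USN_SOURCE_* flags (zero means an ordinary user-driven change).
SOURCES = {
    0x1: "DATA_MANAGEMENT", 0x2: "AUXILIARY_DATA",
    0x4: "REPLICATION_MANAGEMENT", 0x8: "CLIENT_REPLICATION_MANAGEMENT",
}

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - _EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def split_frn(frn):
    """File Reference Number: low 48 bits = MFT entry, high 16 bits = sequence."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48


def decode_flags(value, table):
    """Expand a flag word into names; unknown bits are kept visible, not dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(f"UNKNOWN_0x{value & ~known:08X}")
    return names


def parse_record(buf, offset):
    """Parse one USN_RECORD_V2 at `offset`; return (record dict, record length)."""
    (length, major, _minor, frn, parent_frn, usn, ts, reason, source,
     sec_id, attrs, name_len, name_off) = _HDR.unpack_from(buf, offset)
    if major != 2 or length < _HDR.size or length % 8:
        raise ValueError(f"unexpected USN record header at offset {offset}")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    entry, seq = split_frn(frn)
    p_entry, p_seq = split_frn(parent_frn)
    return {
        "usn": usn, "timestamp": filetime_to_datetime(ts),
        "mft_entry": entry, "mft_seq": seq,
        "parent_entry": p_entry, "parent_seq": p_seq,
        "reason": decode_flags(reason, REASONS),
        "source": decode_flags(source, SOURCES),
        "security_id": sec_id, "attributes": attrs, "filename": name,
    }, length


def iter_records(buf):
    """Walk a $J buffer. $J is sparse: its leading region reads as zeros, so a
    zero RecordLength means 'no record here' and we step forward 8 bytes."""
    offset = 0
    while offset + _HDR.size <= len(buf):
        if struct.unpack_from("<I", buf, offset)[0] == 0:
            offset += 8
            continue
        rec, length = parse_record(buf, offset)
        yield rec
        offset += length


def build_record(usn, frn, parent_frn, when, reason, name, attrs=0x20):
    """Construct a USN_RECORD_V2 (only used to make sample data below)."""
    name_bytes = name.encode("utf-16-le")
    length = (_HDR.size + len(name_bytes) + 7) & ~7      # 8-byte aligned
    rec = bytearray(length)
    _HDR.pack_into(rec, 0, length, 2, 0, frn, parent_frn, usn,
                   datetime_to_filetime(when), reason, 0, 0, attrs,
                   len(name_bytes), _HDR.size)
    rec[_HDR.size:_HDR.size + len(name_bytes)] = name_bytes
    return bytes(rec)


T0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed
FILE_FRN = (3 << 48) | 0x12345                              # constructed entry/seq
ROOT_FRN = (5 << 48) | 5                                    # MFT entry 5 = root dir


def build_sample_stream():
    """Constructed $J fragment: a short zero prefix standing in for the sparse
    region, then create -> write -> delete of one file. As in a real $J, each
    record's USN equals its byte offset in the stream."""
    prefix = bytes(16)
    events = [(T0, 0x00000100 | 0x80000000),                      # FILE_CREATE|CLOSE
              (T0 + timedelta(seconds=5), 0x1 | 0x2 | 0x80000000),  # OVERWRITE|EXTEND|CLOSE
              (T0 + timedelta(minutes=1), 0x00000200 | 0x80000000)]  # FILE_DELETE|CLOSE
    out, offset = [], len(prefix)
    for when, reason in events:
        rec = build_record(offset, FILE_FRN, ROOT_FRN, when, reason, "report.docx")
        out.append(rec)
        offset += len(rec)
    return prefix + b"".join(out)


def parse_sample():
    return list(iter_records(build_sample_stream()))


if __name__ == "__main__":
    for r in parse_sample():
        print(f"{r['timestamp']:%Y-%m-%d %H:%M:%S} USN={r['usn']} "
              f"MFT={r['mft_entry']}/{r['mft_seq']} parent={r['parent_entry']} "
              f"{r['filename']} {','.join(r['reason'])}")
```

Two details matter when running this against a real `$J` extracted from an image: the stream is sparse and can begin with gigabytes of zeros, so stepping over zero regions (or seeking to the first allocated run) is essential, and the filename in each record is only the final path component, so the parent FRN has to be joined against MFT entries (for example from an `MFTECmd` export) to rebuild full paths, which also works for files whose MFT entry has since been reused.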

Because the `$J` stream is binary, utilities such as Windows' built-in `fsutil usn readjournal c:` or specialized forensic tools (for example MFTECmd, JournalTrace, Echo Journal Viewer) are needed to parse it and interpret the USN records. The result is a powerful timeline of file system activity, including entries for files that have since been deleted.
