0x00 Preface

---

The previous article, 'Penetration Techniques - Time Attributes of NTFS Files in Windows', covered how NTFS file time attributes can be modified, the details involved, and forensic recommendations.

This article continues with another place where NTFS records file changes, the USN Journal, again analysing how it can be abused and what forensic recommendations follow.

0x01 Introduction

---

This article will cover the following topics:

  • Basic Concepts
  • Methods for Reading the USN Journal
  • Exploitation Approaches
  • Forensic Recommendations

0x02 Basic Concepts of USN Journal

---

Official Documentation:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb742450(v=technet.10)

The USN Journal (Update Sequence Number Journal), also called the Change Journal, records changes to files and directories on an NTFS volume so that applications such as indexers and backup tools can find what changed without rescanning the whole volume.

Each NTFS volume has its own USN Journal, kept in the NTFS metafile $Extend\$UsnJrnl (the records live in its $J data stream and the journal parameters in its $Max data stream), so different NTFS volumes have separate journals.

The USN Journal records operations on files and directories including creation, deletion, data modification, renaming, and encryption/decryption; the Reason field is a bit mask of USN_REASON_* flags, so one record can carry several reasons. Each record follows this format:

typedef struct {
    DWORD RecordLength;                  // total size of the record, padded to a multiple of 8 bytes
    WORD MajorVersion;                   // 2 for this layout
    WORD MinorVersion;
    DWORDLONG FileReferenceNumber;       // MFT record index (low 48 bits) and sequence number (high 16 bits)
    DWORDLONG ParentFileReferenceNumber; // same encoding, for the parent directory
    USN Usn;                             // 64-bit USN; equals the record's byte offset within $J
    LARGE_INTEGER TimeStamp;             // FILETIME (100 ns ticks since 1601-01-01, UTC)
    DWORD Reason;                        // bit mask of USN_REASON_* flags
    DWORD SourceInfo;
    DWORD SecurityId;
    DWORD FileAttributes;
    WORD FileNameLength;                 // length of FileName in bytes
    WORD FileNameOffset;                 // offset of FileName from the start of the record (60 for V2)
    WCHAR FileName[1];                   // UTF-16 name, not NUL-terminated
} USN_RECORD_V2, *PUSN_RECORD_V2;

Official documentation:

https://docs.microsoft.com/en-us/windows/desktop/api/winioctl/ns-winioctl-usn_record_v2

The journal parameters are stored in the $Max stream of $Extend\$UsnJrnl: the maximum size, the allocation delta, the journal ID and the lowest valid USN, the same values that fsutil usn queryjournal prints. The records themselves are in the sparse $J stream. When $J grows past the maximum size, NTFS deallocates the oldest part of the stream, so the earliest records disappear while USNs (which are offsets into $J) keep increasing and First Usn moves forward.
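To make the layout above concrete, here is a small Python parser, added for this article and not part of the original post or of any tool it links. It walks a raw dump of the $J stream (the kind of file ExtractUsnJrnl writes), decodes each USN_RECORD_V2 including the Reason bit mask, the FILETIME and the MFT index/sequence split of the file reference numbers, skips zero-filled sparse stretches, and also reads the $Max stream. The $Max layout (four 8-byte values: MaximumSize, AllocationDelta, UsnJournalID, LowestValidUsn) is an assumption taken from public NTFS write-ups, not from this page, and the sample journal the code parses is constructed in the code: the MFT numbers, file names and timestamps are made up.

```python
"""Parser for NTFS change-journal ($Extend\\$UsnJrnl) data: the $Max metadata
stream and the USN_RECORD_V2 records of the $J stream, e.g. as dumped by
ExtractUsnJrnl. Added example for this article; all sample bytes are
constructed below, not taken from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 up to and including FileNameOffset (60 bytes, little-endian):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
# $Max layout assumed here: MaximumSize, AllocationDelta, UsnJournalID, LowestValidUsn.
MAX_STREAM = struct.Struct("<QQQQ")
REASON_FLAGS = {  # USN_REASON_* values from winioctl.h
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_reason(reason):
    """Expand the Reason bit mask; bits not in the table are kept as a hex value."""
    names = [name for bit, name in REASON_FLAGS.items() if reason & bit]
    unknown = reason & ~sum(REASON_FLAGS) & 0xFFFFFFFF
    return names + ([f"0x{unknown:08x}"] if unknown else [])

def split_file_reference(ref):
    """FileReferenceNumber = sequence number (high 16 bits) | MFT record index (low 48 bits)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_max_stream(buf):
    keys = ("maximum_size", "allocation_delta", "journal_id", "lowest_valid_usn")
    return dict(zip(keys, MAX_STREAM.unpack_from(buf)))

def parse_usn_records(buf):
    """Yield one dict per USN_RECORD_V2 in a $J dump, skipping zero-filled (sparse) stretches."""
    off = 0
    while off + HEADER.size <= len(buf):
        if buf[off:off + 8] == bytes(8):  # deallocated region; records are 8-byte aligned
            off += 8
            continue
        (length, major, _minor, fref, pref, usn, ts, reason, source, secid,
         attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
        if major != 2 or length < HEADER.size or length % 8 or off + length > len(buf):
            raise ValueError(f"malformed USN record at offset {off:#x}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        mft_index, mft_seq = split_file_reference(fref)
        parent_index, parent_seq = split_file_reference(pref)
        yield {"offset": off, "usn": usn, "timestamp": filetime_to_datetime(ts),
               "reasons": decode_reason(reason), "name": name, "mft_index": mft_index,
               "mft_seq": mft_seq, "parent_index": parent_index, "parent_seq": parent_seq,
               "attributes": attrs, "source_info": source, "security_id": secid}
        off += length

def build_record(usn, file_ref, parent_ref, when, reason, name, attrs=0x20):
    """Serialise a USN_RECORD_V2 (used only to fabricate the sample below)."""
    encoded = name.encode("utf-16-le")
    length = (HEADER.size + len(encoded) + 7) & ~7  # records are padded to 8 bytes
    head = HEADER.pack(length, 2, 0, file_ref, parent_ref, usn, datetime_to_filetime(when),
                       reason, 0, 0, attrs, len(encoded), HEADER.size)
    return head + encoded + bytes(length - len(head) - len(encoded))

def build_sample_journal():
    """Constructed $J fragment: a file is created, renamed, then deleted (Usn == offset in $J)."""
    t0 = datetime(2019, 1, 1, 12, 0, tzinfo=timezone.utc)
    file_ref = (3 << 48) | 0x2A3F  # made-up MFT record 0x2A3F, sequence number 3
    parent_ref = (5 << 48) | 5     # the volume root directory
    ops = [("evil.exe", 0x00000100 | 0x80000000), ("evil.exe", 0x00001000 | 0x80000000),
           ("svchost.exe", 0x00002000 | 0x80000000), ("svchost.exe", 0x00000200 | 0x80000000)]
    buf = bytes(16)  # a zero-filled stretch, as found at the sparse start of $J
    for i, (name, reason) in enumerate(ops):
        buf += build_record(len(buf), file_ref, parent_ref, t0 + timedelta(seconds=i), reason, name)
    return buf

if __name__ == "__main__":
    for rec in parse_usn_records(build_sample_journal()):
        print(f"{rec['timestamp']:%Y-%m-%d %H:%M:%S}  usn={rec['usn']:<6} "
              f"mft={rec['mft_index']}/{rec['mft_seq']}  {rec['name']:<12} {'|'.join(rec['reasons'])}")
```

Point parse_usn_records at the bytes of a real ExtractUsnJrnl dump to get the same fields UsnJrnl2Csv exports; the check that a record's Usn equals its offset is also what exposes a journal that has been cut and rejoined by hand.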

0x03 Methods for Reading the USN Journal

---

1. Using the fsutil usn command

Official documentation:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc788042(v%3dws.10)

(1) View USN Journal information for drive C:

fsutil usn queryjournal c:

The output includes:

  • Usn Journal ID
  • First Usn
  • Next Usn
  • Lowest Valid Usn
  • Max Usn
  • Maximum Size
  • Allocation Delta

(2) List the current USN of every file on drive C

fsutil usn enumdata 1 0 1 c:

The arguments are the starting file reference number, the low USN, the high USN and the volume. Note that enumdata (FSCTL_ENUM_USN_DATA) walks the MFT and reports each existing file's most recent USN; it does not read the journal records themselves.

The output includes:

  • File Ref#
  • ParentFile Ref#
  • Usn
  • SecurityId
  • Reason
  • Name

The output is not detailed enough: there are no timestamps, Reason is a raw hex value, and because the MFT rather than the journal is enumerated, deleted files and the sequence of operations are not shown. On Windows 8 / Server 2012 and later, fsutil usn readjournal c: csv dumps the actual journal records.

2. Using open-source tools

(1) Export the USN Journal (the tool reads the raw volume, so administrator rights are required)

Download link:

https://github.com/jschicht/ExtractUsnJrnl

Parameters are as follows:

ExtractUsnJrnl /DevicePath:c: /OutputPath:c:\test /OutputName:UsnJrnl_vol1.bin

(2) Convert the exported USN Journal to CSV

Download link:

https://github.com/jschicht/UsnJrnl2Csv

Parameters are as follows:

UsnJrnl2Csv /UsnJrnlFile:c:\test\UsnJrnl_vol1.bin /OutputPath:c:\test

The CSV columns are:

  • Offset
  • FileName
  • USN
  • Timestamp
  • Reason
  • MFTReference
  • MFTReferenceSeqNo
  • MFTParentReference
  • MFTParentReferenceSeqNo
  • FileAttributes
  • MajorVersion
  • MinorVersion
  • SourceInfo
  • SecurityId

The output is complete: every field of every record, with the timestamp decoded

3. C++ Implementation

I've written a simple sample program; download link:

An open-source project

The code enumerates the USN Journal of drive C and outputs only the file names

0x04 Exploitation Approaches

---

1. Delete the entire USN Journal

(1) Using fsutil

fsutil usn deletejournal /d c:

The /d switch disables the active journal and deletes it; administrator rights are required. Deletion is not silent: if the journal is recreated afterwards it gets a new Usn Journal ID, which fsutil usn queryjournal shows.

Note:

I did not succeed in deleting it in the test environment

(2) Using the API

The equivalent call is DeviceIoControl with FSCTL_DELETE_USN_JOURNAL, passing a DELETE_USN_JOURNAL_DATA structure (the journal ID plus USN_DELETE_FLAG_DELETE); the structure is documented here:

https://docs.microsoft.com/en-us/windows/desktop/api/winioctl/ns-winioctl-delete_usn_journal_data

Note:

I did not succeed in deleting it in the test environment

2. Remove a single USN record

I have not yet found an available API interface

The only remaining route is to modify the NTFS structures on disk directly, but since NT 6.x (Vista and later) 64-bit Windows enforces kernel-mode driver signing and refuses to load unsigned drivers

Here you can try the paid version of WinHex, which can edit NTFS structures on disk, to modify the content of $Extend\$UsnJrnl:$J

You can also try to bypass driver signature enforcement

For the on-disk layout of $UsnJrnl, see:

http://forensicinsight.org/wp-content/uploads/2013/07/F-INSIGHT-Advanced-UsnJrnl-Forensics-English.pdf

The idea is to parse $J according to the record format, remove the target record, and write the stream back. One caveat: a record's Usn field is its byte offset within $J, so cutting a record out shifts every later record and leaves their Usn fields disagreeing with their positions, a discrepancy that a parser can check for; the edit also happens underneath the file system driver that has the volume mounted, which knows nothing about it

3. Brute-force overwriting

First check the journal's Maximum Size (fsutil usn queryjournal) to know how much data the journal retains

Then generate records by creating, deleting, modifying and renaming files. Once the journal grows past its maximum size the oldest records are dropped, and after enough churn every record that existed before is gone. No driver or raw disk write is needed, only ordinary file operations. The cost is a journal whose entire surviving history is a burst of create/delete activity on throwaway files, which is itself conspicuous

0x05 Forensic Recommendations

---

1. Read the USN Journal, list all records and look for suspicious ones: file names tied to execution, records whose Usn does not match their offset or whose timestamps are out of order, and bursts of create/delete churn

This method is not completely reliable: an attacker who can write to the raw volume (for example by bypassing driver signature enforcement) can alter the journal, and one who can generate enough file activity can simply wrap it
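The flooding technique in 0x04 (create/delete churn until the journal wraps) and the record review recommended here both leave a pattern that can be scored mechanically. The following Python, added for this article and not part of the original post or of the tools it links, runs two heuristics over already-parsed records (the fields a UsnJrnl2Csv export or a parser of your own provides): how much history the surviving journal covers, and a sliding-window search for bursts of create/delete records, each annotated with how many directories were involved and what share of the created names were deleted again inside the burst. The window and threshold are illustrative and the events are constructed in the code; the names and numbers are made up.

```python
"""Heuristic checks over parsed USN records for the journal-flooding technique
(create/delete churn until the journal wraps). Added example for this article;
the events below are constructed, not taken from a real volume."""
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000
CHURN = USN_REASON_FILE_CREATE | USN_REASON_FILE_DELETE

class UsnEvent(NamedTuple):
    """The subset of USN_RECORD_V2 fields the checks need (as a CSV export provides)."""
    usn: int
    timestamp: datetime
    reason: int
    parent_ref: int
    name: str

def journal_span(events):
    """History covered by the surviving records. Minutes of history on a machine that
    has been running for months means the journal was wrapped (or deleted) recently."""
    times = [e.timestamp for e in events]
    return max(times) - min(times)

def find_churn_bursts(events, window=timedelta(seconds=10), min_events=500):
    """Sliding-window scan for windows holding at least min_events create/delete
    records. Each burst is annotated with its record count, the number of distinct
    parent directories and the share of created names deleted again inside the burst
    (1.0 means pure padding traffic). Thresholds are illustrative; tune them per host."""
    churn = sorted((e for e in events if e.reason & CHURN), key=lambda e: e.timestamp)
    bursts, left = [], 0
    for right, ev in enumerate(churn):
        while ev.timestamp - churn[left].timestamp > window:
            left += 1
        if right - left + 1 >= min_events:
            start = churn[left].timestamp
            if bursts and start <= bursts[-1]["end"]:
                bursts[-1]["end"] = ev.timestamp  # still inside the burst already open
            else:
                bursts.append({"start": start, "end": ev.timestamp})
    for b in bursts:
        inside = [e for e in churn if b["start"] <= e.timestamp <= b["end"]]
        created = {e.name for e in inside if e.reason & USN_REASON_FILE_CREATE}
        deleted = {e.name for e in inside if e.reason & USN_REASON_FILE_DELETE}
        b["events"] = len(inside)
        b["parents"] = len({e.parent_ref for e in inside})
        b["create_delete_ratio"] = len(created & deleted) / len(created) if created else 0.0
    return bursts

def build_sample_events():
    """Constructed journal: three days of ordinary activity, then 1500 temp files
    created and deleted in one directory within six seconds (2 ms per record)."""
    base = datetime(2019, 1, 1, tzinfo=timezone.utc)
    events = []
    for i in range(30):  # ordinary activity: one create or delete every two hours
        reason = USN_REASON_FILE_CREATE if i % 2 == 0 else USN_REASON_FILE_DELETE
        events.append(UsnEvent(len(events) * 88, base + timedelta(hours=2 * i),
                               reason | USN_REASON_CLOSE, 5, f"report_{i // 2}.docx"))
    flood_start = base + timedelta(days=3)
    for i in range(1500):
        for reason in (USN_REASON_FILE_CREATE, USN_REASON_FILE_DELETE):
            k = len(events) - 30  # index within the flood
            events.append(UsnEvent(len(events) * 88, flood_start + timedelta(milliseconds=2 * k),
                                   reason | USN_REASON_CLOSE, 1234, f"pad_{i:04d}.tmp"))
    return events

if __name__ == "__main__":
    events = build_sample_events()
    print(f"journal covers {journal_span(events)} of history")
    for b in find_churn_bursts(events):
        print(f"{b['start']:%Y-%m-%d %H:%M:%S} to {b['end']:%H:%M:%S}: {b['events']} create/delete "
              f"records in {b['parents']} directory(ies), "
              f"{b['create_delete_ratio']:.0%} of created names deleted again")
```

A real flood that fully wrapped the journal looks even starker: journal_span shrinks to the length of the flood itself, and the burst is the first thing in the journal. Busy build or backup hosts produce legitimate churn too, so treat a hit as something to corroborate against the $MFT and other sources rather than as proof.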

2. Corroborate with other sources

For example, carve $MFT records from memory with the tools below, and compare what the journal shows with the $MFT timestamps and the $LogFile transaction log, which record the same operations independently

https://github.com/jschicht/HexDump

https://github.com/jschicht/MftCarver

Joakim Schicht's GitHub has many forensic tools worth referencing:

https://github.com/jschicht/

0x06 Summary

---

This article introduced ways the NTFS USN Journal can be abused and gave forensic recommendations.