Blog
Articles on NTFS forensics, USN journal analysis, and incident response.
Detecting data exfiltration and USB copying with the USN journal
2026-05-15
Mass file copies, USB drops, and staging directories all leave a recognisable shape in $UsnJrnl:$J. The patterns to filter for, with worked examples.

Detecting ransomware activity in the USN journal
2026-05-15
Even when the binary is gone, ransomware leaves a very distinctive fingerprint in $UsnJrnl:$J. A walkthrough of the patterns to look for, with the matching reason-code combinations.

Spotting timestomping and anti-forensics in the USN journal
2026-05-15
Attackers who edit MFT timestamps can't hide from the change journal. How $STANDARD_INFORMATION vs $FILE_NAME mismatches and unexpected BasicInfoChange records expose anti-forensic activity.

How to extract $UsnJrnl:$J from a disk image (or a live system)
2026-05-15
A practical guide to pulling the NTFS USN Journal out of a forensic image, a mounted volume, or a live Windows host — with FTK Imager, X-Ways, The Sleuth Kit, fsutil, and PowerShell.

Reconstructing a user activity timeline from the USN journal
2026-05-15
From three minutes of $UsnJrnl records you can usually reconstruct what a user was doing — Office, browser, downloads, code. How to read the journal as a behaviour log.

Recovering evidence of deleted files with the USN journal
2026-05-15
When a file has been deleted, gone from the recycle bin, and the MFT entry has been recycled — the USN journal often still has its name, parent and timeline. A guide to extracting that evidence.

USN journal vs $MFT vs $LogFile: which NTFS artefact for which question?
2026-05-15
A side-by-side reference for the three NTFS metadata artefacts every Windows forensic investigation eventually touches — what each one records, what it doesn't, and when to reach for which.

Parsing the USN Journal in the Browser with Rust + WebAssembly
2026-05-14
How we ship a full NTFS USN Journal parser to your browser as 105 KB of WebAssembly — and why "parse it client-side" is the only acceptable answer for forensic artefacts.

Windows FILETIME explained — converting NTFS timestamps to something readable
2026-05-13
FILETIME is the Windows timestamp format you'll meet in $MFT, $UsnJrnl, the registry, $Recycle.Bin and almost every Windows artefact. A short, complete reference: what it is, how to convert it, and the gotchas.

USN Reason Codes — Reading Between the Bits
2026-05-12
A field-by-field walkthrough of the USN_RECORD reason bitmask and what each combination tells you about a file's lifecycle on disk.

Understanding the NTFS USN Journal ($UsnJrnl:$J)
2026-05-10
A practical introduction to the NTFS Update Sequence Number Journal — what it is, how it's structured on disk, and why it's so valuable in Windows forensics.