
How to extract $UsnJrnl:$J from a disk image (or a live system)

A practical guide to pulling the NTFS USN Journal out of a forensic image, a mounted volume, or a live Windows host — with FTK Imager, X-Ways, The Sleuth Kit, fsutil, and PowerShell.


The hardest part of working with the USN Journal is often not parsing it — it's getting your hands on the file in the first place. $UsnJrnl:$J is an alternate data stream, not a regular file, so it doesn't show up in Explorer and won't survive a naive copy. This post walks through the realistic ways to extract it from each of the three places you'll meet it: a forensic disk image, a mounted volume, and a live machine.

What you're looking for

The journal lives at the path:

\$Extend\$UsnJrnl:$J

$Extend is a hidden NTFS metadata directory, and $J is one of two named data streams on the $UsnJrnl metadata file; the other, $Max, holds only the journal's size parameters (maximum size and allocation delta). Microsoft documents the layout in its NTFS internals reference and in the USN_RECORD_V2 structure, which is the record format you will find inside $J on NTFS.

A real-world $J export is anything from a few tens of MB to several GB. The live window is bounded by the journal's Maximum Size (32 MB by default, tunable with fsutil usn createjournal), but the stream is sparse: records are appended at ever-increasing offsets and old ones are released as zeroes rather than reused, so the exported file's logical size is the total ever written, most of it zeroes.

From a forensic disk image (E01, dd, AFF4)

This is the most common case in DFIR.

FTK Imager (free, GUI)

  1. Open the image (File → Add Evidence Item).
  2. Drill into [root]/$Extend/$UsnJrnl.
  3. Right-click the $J data stream → Export Files.

FTK Imager treats alternate data streams as first-class entries — they appear as sibling rows next to the file. Make sure you pick the $J row specifically (not $Max).

X-Ways Forensics (commercial)

X-Ways exposes the same path. In the directory tree, expand Root directory → $Extend → $UsnJrnl, select the $J stream and Recover/Copy.

The Sleuth Kit (free, CLI, cross-platform)

This is what most Mac/Linux analysts reach for. The relevant tool is icat from TSK:

# For a whole-disk image, get the NTFS partition's start sector first (mmls image.dd)
# and pass it to every TSK command with -o (drop -o for a partition image; add -i ewf for E01).
# Find the MFT entry for $UsnJrnl; fls prints each named stream with its full triple.
fls -o 2048 -r -p image.dd | grep '\$UsnJrnl'
# Suppose it reports "r/r 81-128-2: $Extend/$UsnJrnl:$J" (2048 and 81 are example values):
icat -o 2048 image.dd 81-128-2 > UsnJrnl-J.bin
# Sanity check: istat lists every attribute of entry 81 with its type-id and logical size.
istat -o 2048 image.dd 81

The <inode>-<type>-<id> triple is how TSK addresses alternate streams: 128 is the $DATA attribute type and the id distinguishes the named streams that share one MFT entry. The id you need is the one whose stream name is $J; fls -r -p prints it beside the name, and istat shows the same list with sizes so you can confirm you are exporting $J rather than $Max.

Velociraptor / KAPE

For broad triage collection, both know to pull the journal. KAPE ships a dedicated $J target and folds it into its standard triage compound targets; Velociraptor's Windows.KapeFiles.Targets artifact reuses those target definitions, and its Windows.Forensics.Usn artifact parses the journal in place with the parse_usn() VQL plugin instead of copying the stream.

From a mounted volume

If you have the image mounted read-only (mount -t ntfs-3g on Linux, Arsenal Image Mounter on Windows), $UsnJrnl looks like an ordinary hidden file, but the $J stream is only reachable if the mounting layer exposes named streams by path.

On Linux, ntfs-3g's default streams_interface=xattr exposes named streams as user.<name> extended attributes, and Linux caps a single extended attribute at 64 KiB, so that route cannot return a journal. Mount with the Windows-style interface instead and the stream becomes a path you can read directly:

sudo mount -t ntfs-3g -o ro,show_sys_files,streams_interface=windows image.dd /mnt/image
# for a whole-disk image, add loop,offset=<partition start in bytes> to the options
sudo cat '/mnt/image/$Extend/$UsnJrnl:$J' > UsnJrnl-J.bin

show_sys_files makes $Extend and the other metadata entries visible to ls; check ls -la /mnt/image/\$Extend/ if the path is not found. On Windows, a volume mounted by Arsenal Image Mounter behaves like any other NTFS volume, so the live-host tools below work against its drive letter.

From a live Windows host

You need administrative privileges and an NTFS-aware reader: NTFS refuses to open its own metadata files ($MFT and everything under $Extend) through the normal file API, so these tools open the raw volume (\\.\C:), walk the MFT themselves and read $J's clusters directly.

Raw volume readers: RawCopy and PowerForensics

Joakim Schicht's RawCopy (RawCopy.exe, or RawCopy64.exe on 64-bit Windows) bypasses the file API and copies a file or a named stream by path:

RawCopy.exe /FileNamePath:"C:\$Extend\$UsnJrnl:$J" /OutputPath:"D:\Out"

If you can't drop a binary, PowerForensics does the same thing in PowerShell. Ask for the $J stream by name: the unnamed data stream of $UsnJrnl is empty, which is exactly what a bare GetContent() hands you:

Import-Module PowerForensics
# Parse the MFT entry for $UsnJrnl straight from the raw volume (needs an elevated shell)
$rec = Get-ForensicFileRecord -Path 'C:\$Extend\$UsnJrnl'
# GetContent takes the stream name; write the bytes in one call rather than piping them
# through Set-Content -Encoding Byte, which is one object per byte and Windows PowerShell only
[IO.File]::WriteAllBytes('C:\Out\UsnJrnl-J.bin', $rec.GetContent('$J'))

Built-in fsutil

fsutil usn is the supported control surface for the journal (create, query, read, delete), but it is not an extraction tool: it hands you decoded records, not the raw $J stream. It is the cheapest way to confirm the journal is enabled and to see its live window before you extract:

fsutil usn queryjournal C:

An active journal prints its Usn Journal ID together with First Usn, Next Usn, Maximum Size and Allocation Delta. Next Usn minus First Usn is roughly how many bytes of live records you will get, and First Usn is the offset at which the sparse zeroes in your export end. If the command instead reports that the change journal is not active, there is nothing to extract; see the fsutil usn reference for createjournal and the rest of the lifecycle. On Windows 10 and later, fsutil usn readjournal C: csv dumps the live records as text, a usable fallback when you need the events but not the stream itself.

After extraction

Once you have the $J file, drop it on this site or feed it to your tool of choice. The bytes you carved are the exact input that parsers like usnrs, PoorBillionaire/USN-Journal-Parser, or Eric Zimmerman's MFTECmd expect.

If you also grab the $MFT (at the volume root, MFT entry 0: RawCopy.exe /FileNamePath:C:0 on a live host, icat image.dd 0 with TSK), you'll be able to resolve full paths instead of just filenames, because a USN record only carries the file's name and its parent's file reference number; see the full-path resolution mechanism in usnrs and our own parser's $MFT input.

Common pitfalls

  • Copying with Explorer or copy/xcopy: Explorer doesn't even list $Extend, and the file API refuses to open metadata files, so a plain copy fails or, at best, gives you $UsnJrnl's empty unnamed stream instead of $J. Always use a raw reader or forensic tool.
  • Journal disabled: the system volume has the journal on by default, but a data volume only gets one once something (the search indexer, DFSR, a backup agent) asks for it, and admins sometimes delete it. fsutil usn queryjournal is the cheapest check.
  • $J has sparse leading zeroes: the journal is a sparse stream, and the export can begin with hundreds of MB or more of zeroes before the first live record, because released space is zeroed rather than reused. usnrs, our parser and most others skip past them automatically. If you write your own parser, Skip::find_first_record in usnrs is the shortest reference implementation; each record's Usn field equals its own byte offset in $J, which is the cheapest validity check once you land on a candidate.
  • Stream wrapping: once the journal exceeds Maximum Size plus Allocation Delta, NTFS trims the oldest Allocation Delta's worth of records, so older entries are gone. The first valid record's USN (fsutil's First Usn) tells you how far back the volume's history reaches, and its timestamp gives you the date.
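The following is an added example, not code from the original post or from any of the parsers named above: a minimal Python reader for an extracted $J that does what the last two pitfalls describe. It skips the sparse prefix in chunks, validates each header against the USN_RECORD_V2 layout from the "What you're looking for" section (including the fact that every record's Usn field equals its own byte offset, which is why the export must start at stream offset 0, as every extraction method above delivers it), splits the file reference numbers into the MFT entry and sequence number you would join against $MFT, and reports the live window like fsutil's First Usn / Next Usn. The journal it parses is constructed in build_sample() with a hypothetical file name and hypothetical MFT references; only V2 records are handled.

```python
"""Minimal USN_RECORD_V2 reader for an extracted $UsnJrnl:$J blob.
Skips the sparse zero prefix, validates each header, decodes the fields and
reports the USN window. The journal it runs on is constructed in build_sample()."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# USN_RECORD_V2 fixed part, little-endian, 60 bytes: RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset;
# the UTF-16LE file name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
HDR_SIZE = _HDR.size  # 60

# A few documented USN_REASON_* flags, enough to label the sample events.
REASON = {"DATA_OVERWRITE": 0x1, "DATA_EXTEND": 0x2, "FILE_CREATE": 0x100,
          "FILE_DELETE": 0x200, "RENAME_OLD_NAME": 0x1000,
          "RENAME_NEW_NAME": 0x2000, "CLOSE": 0x80000000}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt: datetime) -> int:
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def first_nonzero(buf: bytes, chunk: int = 1 << 20) -> Optional[int]:
    """Offset of the first non-zero byte. Chunked lstrip keeps the gigabytes of
    sparse zeroes a real export starts with from costing a per-byte Python loop."""
    for off in range(0, len(buf), chunk):
        seg = buf[off:off + chunk]
        rest = seg.lstrip(b"\x00")
        if rest:
            return off + len(seg) - len(rest)
    return None

def header_at(buf: bytes, off: int):
    """Unpacked header if a plausible V2 record starts at off, else None.
    Strongest check: a record's Usn field is its own byte offset within $J."""
    if off + HDR_SIZE > len(buf):
        return None
    h = _HDR.unpack_from(buf, off)
    length, major, usn, fnlen, fnoff = h[0], h[1], h[5], h[11], h[12]
    if major != 2 or length % 8 or not HDR_SIZE <= length <= 1024:
        return None
    if fnoff != HDR_SIZE or fnoff + fnlen > length or usn != off:
        return None
    return h

def find_first_record(buf: bytes) -> Optional[int]:
    """Skip the sparse prefix, then step 8 bytes at a time (records are 8-byte
    aligned from stream offset 0) until a header validates."""
    start = first_nonzero(buf)
    if start is None:
        return None
    off = start - start % 8
    while off + HDR_SIZE <= len(buf):
        if header_at(buf, off):
            return off
        off += 8
    return None

def iter_records(buf: bytes):
    off = find_first_record(buf)
    while off is not None and off + HDR_SIZE <= len(buf):
        h = header_at(buf, off)
        if h is None:            # page padding or a torn record: resynchronise
            off += 8
            continue
        length, _, _, frn, pfrn, usn, ts, reason, _, _, _, fnlen, fnoff = h
        yield {"usn": usn, "length": length, "timestamp": filetime_to_dt(ts),
               "name": buf[off + fnoff:off + fnoff + fnlen].decode("utf-16-le"),
               "mft_entry": frn & 0xFFFFFFFFFFFF,      # low 48 bits: $MFT record
               "seq": frn >> 48,                        # high 16 bits: sequence no.
               "parent_entry": pfrn & 0xFFFFFFFFFFFF,   # join key for $MFT paths
               "reasons": [k for k, v in REASON.items() if reason & v]}
        off += length

def summarize(buf: bytes) -> dict:
    """The export's live window, the counterpart of fsutil's First Usn / Next Usn."""
    recs = list(iter_records(buf))
    if not recs:
        return {"count": 0}
    return {"count": len(recs), "first_usn": recs[0]["usn"],
            "next_usn": recs[-1]["usn"] + recs[-1]["length"],
            "oldest": recs[0]["timestamp"], "newest": recs[-1]["timestamp"]}

def build_record_v2(usn, name, reason, frn, pfrn, filetime) -> bytes:
    """Encode one V2 record; used only to construct the sample journal below."""
    enc = name.encode("utf-16-le")
    length = (HDR_SIZE + len(enc) + 7) & ~7           # RecordLength is 8-aligned
    rec = bytearray(length)
    _HDR.pack_into(rec, 0, length, 2, 0, frn, pfrn, usn, filetime, reason,
                   0, 0, 0x20, len(enc), HDR_SIZE)
    rec[HDR_SIZE:HDR_SIZE + len(enc)] = enc
    return bytes(rec)

SPARSE_PREFIX = 8192   # constructed: pretend the first 8 KiB were already trimmed

def build_sample() -> bytes:
    """Constructed journal: zero prefix, then create / write+close / delete of one file."""
    t0 = dt_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
    frn, parent = (5 << 48) | 1234, (2 << 48) | 5    # hypothetical MFT references
    events = [REASON["FILE_CREATE"],
              REASON["FILE_CREATE"] | REASON["DATA_EXTEND"] | REASON["CLOSE"],
              REASON["FILE_DELETE"] | REASON["CLOSE"]]
    buf = bytearray(SPARSE_PREFIX)
    for i, reason in enumerate(events):   # one second apart; Usn == offset
        buf += build_record_v2(len(buf), "evil.ps1", reason, frn, parent,
                               t0 + i * 10_000_000)
    return bytes(buf) + bytes(64)         # unused tail after Next Usn

if __name__ == "__main__":
    j = build_sample()
    print("first record at", find_first_record(j), summarize(j))
    for r in iter_records(j):
        print(f'{r["usn"]:>8} {r["timestamp"]:%Y-%m-%d %H:%M:%S} {r["name"]} '
              f'mft={r["mft_entry"]} {"|".join(r["reasons"])}')
```

On a real UsnJrnl-J.bin, hand iter_records an mmap of the file rather than reading a multi-GB export into memory, and compare summarize()'s first_usn with the First Usn that fsutil usn queryjournal reported on the source host: a mismatch means the export was cut or does not start at stream offset 0, in which case the Usn-equals-offset check will reject every record.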