If you spend any time in Windows forensics, the USN reason bitmask is going to become muscle memory. It is a 32-bit field that NTFS sets on every journal record to summarise what just changed about a file. The bits don't tell you everything — they're additive, not exclusive — but read together they give you a remarkably precise picture of file lifecycle.
The bits
| Flag | Hex | What it means in practice |
|---|---|---|
DataOverwrite | 0x00000001 | A region of the main data stream was overwritten |
DataExtend | 0x00000002 | The main data stream grew |
DataTruncation | 0x00000004 | The main data stream shrank |
NamedDataOverwrite / Extend / Truncation | 0x10 / 0x20 / 0x40 | Same, but on an alternate data stream |
FileCreate | 0x00000100 | A new file or directory was created |
FileDelete | 0x00000200 | The file was deleted from the namespace |
EaChange | 0x00000400 | Extended attributes changed |
SecurityChange | 0x00000800 | ACLs/owner changed |
RenameOldName | 0x00001000 | The "before" half of a rename |
RenameNewName | 0x00002000 | The "after" half of a rename |
IndexableChange | 0x00004000 | Indexed flag toggled |
BasicInfoChange | 0x00008000 | Timestamps, attributes, or compression changed |
HardLinkChange | 0x00010000 | A hard link was added or removed |
CompressionChange | 0x00020000 | NTFS compression was toggled |
EncryptionChange | 0x00040000 | EFS state changed |
ObjectIdChange | 0x00080000 | Object ID set or cleared |
ReparsePointChange | 0x00100000 | Reparse point added/changed/removed |
StreamChange | 0x00200000 | An alternate data stream was added/renamed/deleted |
Close | 0x80000000 | The handle that produced the change has been closed |
Close is special: NTFS coalesces successive operations under the same handle, and only emits a final record with Close set once the handle is gone. If you see a record without Close, you're looking at the system flushing intermediate state — useful, but the "Close" record is the authoritative summary.
Patterns you'll see in the wild
A handful of patterns occur so often that you should recognise them instantly:
- New file written by an app.
FileCreate | DataExtend→DataExtend | Close→BasicInfoChange | Close. The last one is the file getting its mtime stamped on close. - Rename across directories. Two records on the same
FileReferenceNumber:RenameOldName | ClosethenRenameNewName | Close. The parent reference differs between the two — that's how you reconstruct the move. - Atomic save-by-rename. Many editors write to a temp file, then rename it onto the target. You see
FileCreateon the temp,FileDelete | Closeon the original, andRenameNewName | Closeon the temp. - Ransomware encrypt-then-rename.
DataOverwriterecords covering megabytes, followed byRenameNewName | Closewith the new extension. TheDataOverwritecount and timing are often where you first notice a sample on disk. - Antivirus quarantine.
FileDelete | Closeimmediately following a recentFileCreate, all under the same MFT entry. The journal gives you the smoking gun that AV touched the file even after the file itself is gone.
What the bits won't tell you
The reason bitmask is about the file, not about the actor. There is no user, no process ID, no command line. Combine the journal with Security.evtx (4663 object access) or with Microsoft-Windows-Sysmon/Operational events to attach an actor to each operation. The USN gives you the when and what; other logs give you the who.
A practical reading recipe
When you open a parsed journal:
- Filter for
FileCreateto see what is genuinely new in the time window. - Look for
RenameNewNameto catch movement and "save-as" patterns. - Plot
DataExtendcount over time — bulk writes (backups, encryption, exfil staging) jump out. - Always read records with
Closeset first; treat intermediates as supporting evidence.
The web app on this site lets you filter by any combination of reasons, which makes step 1–3 a one-click exercise.