If you parse NTFS artefacts often, you are juggling several tools. This page sorts out where USN Parser fits and which tool to reach for first.
At a glance
| Capability | USN Parser | MFTECmd | OSForensics | Velociraptor |
|---|---|---|---|---|
| Cost | Free, OSS | Free | Commercial | Free, OSS |
| Runs in | Browser | CLI | Windows desktop | Server + agent |
| Parses $J | ✓ | ✓ (point -f at the $J) | ✓ | ✓ |
| Parses $MFT | Path resolution only | ✓ Full parser | ✓ | ✓ |
| Parses $LogFile | ✗ | ✓ | ✓ | Limited |
| Full path resolution | ✓ (with $MFT) | ✓ (-m supplies the $MFT) | ✓ | ✓ |
| Filter by reason / time | Built-in UI | Post-process the CSV | Built-in UI | VQL queries |
| Timeline visualisation | Built-in | External (Excel, Timesketch) | Built-in | External |
| Triage collection | ✗ | ✗ | ✓ | ✓ |
| Data stays local | ✓ | ✓ | ✓ | Depends on deployment |
| Cross-platform | ✓ | Windows; the .NET 6 build also runs on Linux/macOS | Windows | ✓ |
When to reach for which
USN Parser — quick analysis on any laptop
You have a $J in hand and need to read it now, without installing anything. Drop it on the page, filter records, export CSV. No Windows VM, no admin rights required, no upload step that you have to explain to a client.
The honest scope: this is a journal viewer, not a forensics suite. If you only have to answer "what changed on this volume and when", it is the fastest path. For everything else, see below.
MFTECmd — the rigorous CLI
Eric Zimmerman's MFTECmd is the reference parser for $MFT, $J, $LogFile, $Boot, and $SDS. If your output has to feed a Timesketch / SOF-ELK / Plaso pipeline, MFTECmd's CSV output is what you want.
We use MFTECmd ourselves when we need bodyfile output for mactime, or when we want to cross-validate USN Parser's output on a tricky journal. The two tools agree on every well-formed USN_RECORD_V2 we have tested.
OSForensics — the commercial all-in-one
OSForensics gives you a polished GUI around $J, $MFT, browser histories, registry, and email parsing. If your team is already on PassMark's stack, the integrated workflow is hard to beat.
The trade-offs are licensing cost, Windows-only, and the slower turnaround for one-off analyses where you do not need the full suite.
Velociraptor — production triage at scale
Velociraptor is the right answer when you need to pull journals from dozens or hundreds of endpoints and query them with VQL. Its Windows.NTFS.MFT artefact parses the $MFT, and Windows.Forensics.Usn walks the USN journal through the parse_usn() plugin, which surfaces the same USN_RECORD_V2 fields (USN, timestamp, reason, file name, file reference) that our parser shows.
For a single host with a single $J, Velociraptor is overkill. For an enterprise IR where you cannot pre-position a tool on every box, it is the practical option.
The honest summary
We use all four of these on real engagements. USN Parser is what we built because none of the others fit the "browser, no install, no upload, just parse this $J" use case. It does not try to replace MFTECmd, OSForensics, or Velociraptor — and they do not try to be it.
Want to validate that for yourself? Drop a sample $J on the home page and parse the same file with MFTECmd, pointing --csv at an output directory: MFTECmd.exe -f "C:\case\$J" --csv C:\case\out. Compare the record counts and the UpdateTimestamp column against our CSV export; on a well-formed journal they should match, and any record that differs is worth a closer look before you cite it.
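Cross-validation of the kind described above, and the reason/time filtering the table lists, needs nothing more than a USN_RECORD_V2 reader. The following is an added example written for this page, not USN Parser's or MFTECmd's code: it walks a constructed $J, filters by reason and time, and compares record counts and timestamps against an MFTECmd-style CSV. The CSV column names UpdateSequenceNumber and UpdateTimestamp and the seven-digit fractional timestamp format are assumptions about MFTECmd's output; the journal bytes and CSV rows are constructed test data, not captured from a real volume.

```python
"""Added example, not USN Parser's or MFTECmd's code: a minimal USN_RECORD_V2 reader
with reason/time filtering and a count/timestamp cross-check against an MFTECmd-style
$J CSV. All sample data below is constructed."""
import csv, io, struct
from datetime import datetime, timedelta, timezone

# Subset of USN_REASON_* bits (winioctl.h), enough for typical filtering.
REASONS = {0x1: "DataOverwrite", 0x2: "DataExtend", 0x4: "DataTruncation",
           0x100: "FileCreate", 0x200: "FileDelete", 0x1000: "RenameOldName",
           0x2000: "RenameNewName", 0x8000: "BasicInfoChange", 0x80000000: "Close"}
# 60-byte USN_RECORD_V2 header: RecordLength, Major, Minor, FileRef, ParentRef, Usn,
# TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, NameLen, NameOff.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Aware UTC datetime -> FILETIME; integer arithmetic keeps it exact."""
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def reason_names(bits):
    return "|".join(n for b, n in sorted(REASONS.items()) if bits & b) or hex(bits)

def parse_usn_v2(buf):
    """One dict per USN_RECORD_V2 in buf. $J is sparse: a long zero run at the front
    and 8-byte padding between records, so a zero RecordLength means 'skip 8 bytes',
    not 'stop'. A record's Usn is its byte offset in $J; both are kept for checking."""
    records, off, n = [], 0, len(buf)
    while off + _HDR.size <= n:
        if struct.unpack_from("<I", buf, off)[0] == 0:
            off += 8
            continue
        (length, major, _, fref, pref, usn, ts, reason, _, _, _,
         name_len, name_off) = _HDR.unpack_from(buf, off)
        if major != 2 or length < _HDR.size or off + length > n:
            break  # not a v2 record, or truncated at end of file: stop, do not guess
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        records.append({"offset": off, "usn": usn, "filetime": ts,
                        "timestamp": filetime_to_dt(ts), "reason": reason,
                        "reasons": reason_names(reason), "name": name,
                        "file_ref": fref & 0xFFFFFFFFFFFF, "file_seq": fref >> 48,
                        "parent_ref": pref & 0xFFFFFFFFFFFF})
        off += (length + 7) & ~7  # RecordLength is 8-aligned on disk; rounding is defensive
    return records

def filter_records(records, reason_mask=0, start=None, end=None):
    """Keep records with any bit of reason_mask whose timestamp lies in [start, end]."""
    return [r for r in records
            if (not reason_mask or r["reason"] & reason_mask)
            and (start is None or r["timestamp"] >= start)
            and (end is None or r["timestamp"] <= end)]

def parse_mftecmd_ts(text):
    """'YYYY-MM-DD HH:MM:SS.fffffff' (assumed MFTECmd layout, UTC) -> FILETIME."""
    base, _, frac = text.strip().partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt_to_filetime(dt) + int((frac + "0000000")[:7])

def cross_check(records, csv_text):
    """Match our records to an MFTECmd-style CSV by USN and compare timestamps.
    Column names UpdateSequenceNumber/UpdateTimestamp are an assumption; adjust to
    your MFTECmd version. Returns (our_count, csv_count, mismatched_usns)."""
    by_usn = {r["usn"]: r["filetime"] for r in records}
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    bad = [int(r["UpdateSequenceNumber"]) for r in rows
           if by_usn.get(int(r["UpdateSequenceNumber"])) != parse_mftecmd_ts(r["UpdateTimestamp"])]
    return len(records), len(rows), bad

def build_record(usn, ft, fref, pref, reason, name):
    """Encode one USN_RECORD_V2; used only to construct test data."""
    nb = name.encode("utf-16-le")
    length = (_HDR.size + len(nb) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, fref, pref, usn, ft, reason, 0, 0, 0x20, len(nb), _HDR.size)
    return (hdr + nb).ljust(length, b"\0")

def build_sample_journal():
    """Constructed $J: 4 KiB zero lead (the sparse region) then three made-up events."""
    t0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    events = [(0x100 | 0x80000000, "evil.exe", t0),                            # FileCreate|Close
              (0x200 | 0x80000000, "evil.exe", t0 + timedelta(seconds=30)),    # FileDelete|Close
              (0x002 | 0x80000000, "report.docx", t0 + timedelta(minutes=5))]  # DataExtend|Close
    buf = bytearray(4096)
    for reason, name, when in events:  # made-up file refs: sequence 1, MFT entries 0x42 and 5
        buf += build_record(len(buf), dt_to_filetime(when), (1 << 48) | 0x42, (1 << 48) | 5, reason, name)
    return bytes(buf)

# Constructed CSV in the column layout assumed above for MFTECmd's $J output.
SAMPLE_CSV = """Name,UpdateSequenceNumber,UpdateTimestamp,UpdateReasons
evil.exe,4096,2024-01-15 10:00:00.0000000,FileCreate|Close
evil.exe,4176,2024-01-15 10:00:30.0000000,FileDelete|Close
report.docx,4256,2024-01-15 10:05:00.0000000,DataExtend|Close
"""
```

On a real case, call cross_check(parse_usn_v2(open(j_path, "rb").read()), open(csv_path).read()) with the $J you dropped on the page and the CSV MFTECmd wrote; equal counts and an empty mismatch list is the agreement described above. Two points the code bakes in that matter when you cite a record: $J is sparse, so a zero RecordLength is padding to step over rather than the end of data, and a record's Usn equals its byte offset in the journal, which is a cheap sanity check on any record a timeline depends on.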