NTFS forensics glossary

A concise reference for the NTFS, USN journal, and Windows forensics terms that come up in this site's articles.

A working vocabulary for reading our blog posts and the wider DFIR literature. Definitions stay short; follow the linked posts for depth.

$Extend

The hidden NTFS metadata directory at the volume root. Contains the journal ($UsnJrnl), the reparse-point lookup ($Reparse), and a handful of others.

$FILE_NAME

An MFT attribute storing one of the file's names plus an internal copy of its timestamps. NTFS updates these less often than $STANDARD_INFORMATION, which is why the SI-vs-FN comparison detects timestomping.

$J

The data stream of $UsnJrnl that holds the actual journal records. The companion stream $Max only carries size metadata.

$LogFile

NTFS's transaction log, used for crash recovery. Holds before/after images of metadata writes for the last few thousand transactions. Useful for very-recent deleted-file recovery and for catching writes the journal missed.

$MFT

The Master File Table — the index of every file and directory on the volume. Each entry is 1024 bytes (typically) and holds attributes including $STANDARD_INFORMATION, one or more $FILE_NAME, and the data runs.

$STANDARD_INFORMATION

An MFT attribute storing the user-visible timestamps and basic file attributes. The values most tools and APIs read and write — including timestomping tools.

$UsnJrnl

The NTFS metadata file at \$Extend\$UsnJrnl that owns the journal streams.

Alternate Data Stream (ADS)

A second (or third, or N-th) named data stream on an NTFS file. $UsnJrnl:$J is one; the Zone.Identifier set by browsers on downloads is another. Filtering for StreamChange in the USN journal surfaces ADS activity.

BasicInfoChange

A USN reason flag emitted when $STANDARD_INFORMATION is updated. Bare BasicInfoChange | Close records — with no preceding write — are a strong timestomping signal.

Bodyfile

A text format consumed by mactime (The Sleuth Kit) for timeline output. MFTECmd, USN parsers, and others can emit bodyfile rows that merge into one timeline.

DataExtend / DataOverwrite

USN reason flags for the data stream growing or being overwritten. Mass DataOverwrite bursts are the canonical ransomware signal.

FILETIME

A Windows timestamp: 64-bit unsigned integer of 100-nanosecond ticks since 1601-01-01 UTC. See the FILETIME post for conversion recipes.

FileReferenceNumber

An MFT entry number combined with a sequence number, packed into a 64-bit value. Tracks a specific file across MFT reuse — same entry, different sequence, means the entry was recycled.
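Tying together the BasicInfoChange, FILETIME and FileReferenceNumber entries, here is an added Python example (not code from this site's tools) that walks constructed USN records in USN order, folds each file's reason bits into its open/close session, and flags Close records whose session touched nothing but $STANDARD_INFORMATION. The reason-bit values are the documented Windows USN_RECORD constants; the sample records and file names are constructed, not real journal data.

```python
from datetime import datetime, timedelta, timezone

# USN reason bits (values from the Windows USN_RECORD reason bitmask).
DATA_OVERWRITE, DATA_EXTEND = 0x00000001, 0x00000002
FILE_CREATE, BASIC_INFO_CHANGE, CLOSE = 0x00000100, 0x00008000, 0x80000000

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def split_frn(frn):
    """FileReferenceNumber layout: low 48 bits = MFT entry, high 16 bits = sequence."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48

def find_bare_basic_info_changes(records):
    """Return the Close records whose whole open/close session only changed
    $STANDARD_INFORMATION (BasicInfoChange with no data write in between).
    `records` is an iterable of dicts sorted by usn; reason bits of earlier,
    non-Close records for the same FileReferenceNumber are folded in."""
    pending = {}  # frn -> reason bits accumulated since the last Close
    hits = []
    for rec in records:
        acc = pending.get(rec["frn"], 0) | rec["reason"]
        if not rec["reason"] & CLOSE:
            pending[rec["frn"]] = acc   # session still open, keep accumulating
            continue
        pending.pop(rec["frn"], None)   # Close ends the session
        if (acc & ~CLOSE) == BASIC_INFO_CHANGE:
            hits.append(rec)
    return hits

# Constructed sample records (not real journal data); usn is the byte offset in $J.
SAMPLE = [
    {"usn": 0,   "frn": (5 << 48) | 1234, "reason": DATA_EXTEND,
     "filetime": 133500000000000000, "name": "report.docx"},
    {"usn": 96,  "frn": (5 << 48) | 1234, "reason": DATA_EXTEND | BASIC_INFO_CHANGE | CLOSE,
     "filetime": 133500000010000000, "name": "report.docx"},   # write + SI change: benign
    {"usn": 192, "frn": (2 << 48) | 4321, "reason": BASIC_INFO_CHANGE | CLOSE,
     "filetime": 133500000020000000, "name": "svchost.exe"},   # bare SI change: flagged
    {"usn": 288, "frn": (1 << 48) | 9999, "reason": FILE_CREATE | DATA_EXTEND | CLOSE,
     "filetime": 133500000030000000, "name": "new.txt"},
]

if __name__ == "__main__":
    for rec in find_bare_basic_info_changes(SAMPLE):
        entry, seq = split_frn(rec["frn"])
        print(f"usn={rec['usn']} entry={entry} seq={seq} {rec['name']} "
              f"at {filetime_to_utc(rec['filetime']).isoformat()}")
```

On a real journal the same check runs over the parsed $J records in USN order; a flagged record is a lead to confirm with the SI-vs-FN timestamp comparison, not proof on its own.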

fsutil usn

The Microsoft-supported CLI for querying and managing the USN journal: enable/disable, query size, dump records. See the Microsoft Learn reference.

hreflang

HTML/HTTP signal that tells search engines which translation of a page to surface in which locale. Distinct from the lang attribute.

MITRE ATT&CK

The community framework that maps adversary behaviours. We reference techniques like T1486 Data Encrypted for Impact and T1074 Data Staged in the blog.

RenameOldName / RenameNewName

USN reason flags emitted as a pair on every rename — the "before" half names the old path, the "after" half names the new one. Both records share the same FileReferenceNumber.

Reparse point

An NTFS metadata structure that redirects a path elsewhere — junctions, symbolic links, mount points. Surfaced in the journal via ReparsePointChange.

Ring buffer

The fixed-size, wrap-around storage model of the USN journal: when the journal fills, the oldest records are overwritten. Default sizes vary from ~10 MB on clients to 1 GB+ on servers.

TSK

The Sleuth Kit — Brian Carrier's open-source forensic library and CLI tools (fls, icat, mmls…). The reference free toolset for low-level filesystem work.

USN

Update Sequence Number — the per-record offset into the journal. Each record's usn field is its byte offset within $J, which is why a reader can seek straight to a record by its USN.

Volume Shadow Copy (VSS)

Windows' built-in snapshot mechanism. Snapshots can be mounted and parsed for older versions of files and metadata, including older states of the MFT.

WebAssembly

A portable binary instruction format that runs in browsers at near-native speed. USN Parser's WASM module is ~105 KB and parses 720k records in ~1.4s on a recent MacBook.