Point it at an E01. Get a fully path-resolved USN journal timeline — no UNKNOWNs, no pre-extraction, no Windows.
usnjrnl-forensic opens a forensic disk image directly, pulls the $UsnJrnl:$J named stream straight off the NTFS volume, correlates it with $MFT, and reconstructs every file path through the CyberCX "Rewind" algorithm — including paths that other tools render as UNKNOWN\UNKNOWN because Windows reused the MFT entry.
cargo run --release --features image -- --image disk.E01 --jsonl out.jsonlOne line of out.jsonl:
{"timestamp":"2018-04-25T04:29:21.350215100Z","usn":1428395768,"entry_number":6226,"sequence_number":6,"parent_entry_number":116012,"parent_sequence_number":4,"parent_path":".\\Windows\\Temp","full_path":".\\Windows\\Temp\\GUR865E.exe","filename":"GUR865E.exe","extension":"exe","file_attributes":"ARCHIVE","reasons":"FILE_CREATE","source_info":0,"security_id":0,"major_version":2}(A real dropper from the DEF CON DFIR CTF image — GUR865E.exe is created in \Windows\Temp, then deleted seconds later.) The full_path is reconstructed from $MFT even if entry 6226 has since been reassigned to a different file. Beyond the live $UsnJrnl:$J, the timeline also merges records carved from unallocated space and ghost records recovered from $LogFile that the journal has already cycled past — so deletion that wiped the journal entry still leaves a trace.
cargo install usnjrnl-forensic --features imageThis builds the usnjrnl-forensic binary with E01/raw disk image support. Runs on Windows, macOS, and Linux. No runtime dependencies.
Without image support (pre-extracted artifacts only):
cargo install usnjrnl-forensicgit clone https://github.com/SecurityRonin/usnjrnl-forensic
cd usnjrnl-forensic
cargo build --release --features imageusnjrnl-forensic opens E01 and raw (dd) forensic images directly, extracts four NTFS artifacts ($UsnJrnl:$J, $MFT, $LogFile, $MFTMirr), reconstructs full file paths through MFT entry reuse, carves deleted records from unallocated space, and runs 12 forensic triage questions against the results.
$ usnjrnl-forensic --image evidence.E01 --carve-unallocated --report triage.html
[*] Opening disk image: evidence.E01
[*] Detected format: Ewf
[+] Extracted $MFT, $MFTMirr, $LogFile, $UsnJrnl:$J
[+] 847,293 USN records parsed
[+] 112,448 MFT entries parsed
[+] 5,378 USN records recovered from $LogFile
[+] 771 ghost records found in $LogFile (not present in $UsnJrnl)
[+] Carved 1,247 USN records + 89 MFT entries from unallocated space
[+] All paths fully resolved (0 UNKNOWN)
[+] Triage report written to triage.html
Image extraction goes through the sibling ntfs-forensic crate — its sole NTFS-layer dependency. usnjrnl-forensic reads the USN change journal as the named $DATA stream $UsnJrnl:$J directly off the volume:
fs.read_named_stream(r"\$Extend\$UsnJrnl", "$J")?;The previous mft and ntfs third-party crates have been dropped entirely. NTFS volume parsing, $ATTRIBUTE_LIST traversal, and named-stream extraction now come from a single self-owned reader shared across the SecurityRonin forensic tooling. See CHANGELOG.md for the migration details.
Point at an E01, get a self-contained HTML report:
usnjrnl-forensic --image evidence.E01 --carve-unallocated --report triage.htmlOpen it in any browser. The Story tab answers 12 IR questions; the Explore tab is a full timeline workbench with search, reason-flag filters, source pills (allocated / carved / ghost), and an activity sparkline.
usnjrnl-forensic --image evidence.E01 --jsonl out.jsonl
usnjrnl-forensic --image evidence.E01 --csv timeline.csv
usnjrnl-forensic --image evidence.E01 --carve-unallocated --sqlite analysis.dbKeep extracted artifacts for later use, and work with raw (dd) images:
usnjrnl-forensic -i evidence.E01 --output-dir ./extracted --sqlite analysis.db
usnjrnl-forensic --image disk.raw --csv output.csvParse $UsnJrnl:$J with MFT path resolution:
usnjrnl-forensic -j $J -m $MFT --csv output.csvFull QuadLink analysis — correlate all four artifacts:
usnjrnl-forensic -j $J -m $MFT --mftmirr $MFTMirr --logfile $LogFile --sqlite analysis.dbDetect timestomping:
usnjrnl-forensic -j $J -m $MFT --detect-timestompingAll output formats at once:
usnjrnl-forensic -j $J -m $MFT --csv out.csv --jsonl out.jsonl --sqlite out.db --body out.body --tln out.tln --xml out.xmlJournal-only mode (no MFT) produces partial paths (parent MFT entry numbers only) — useful when $MFT is unavailable:
usnjrnl-forensic -j $J --csv output.csvEvery USN journal parser on the market has blind spots. MFTECmd produces UNKNOWN parent paths when MFT entries get reused. ntfs-linker requires C++ compilation and has no maintained builds. NTFS Log Tracker runs only on Windows. None of them open an E01 directly.
usnjrnl-forensic closes the gaps. It implements the CyberCX Rewind algorithm for 100% path resolution, four-artifact QuadLink correlation (extending David Cowen's TriForce with $MFTMirr integrity verification), unallocated-space carving, and anti-forensics detection — all from a raw disk image, on any platform.
Record-level comparison against MFTECmd, usn.py, dfir_ntfs, usnrs, usnjrnl_rewind, and Velociraptor across three publicly available forensic disk images (757,491 total records). All tools agree on record counts and USN offsets. For path resolution:
| Tool | Paths resolved correctly |
|---|---|
| usnjrnl-forensic | 100% |
| usnjrnl_rewind | 94.0% |
| MFTECmd | 83.7% |
| dfir_ntfs | 62.3% |
| usnrs | 54.6% |
usnjrnl_rewind's 6% incorrect paths are caused by retroactive rename application and ADS name inclusion — verified by USN chronology against the journal's own rename events. Full methodology: docs/VALIDATION.md.
On an Apple M4, the tool produces a complete HTML triage report from a 15 GiB E01 image in 4 seconds — correctly identifying malware delivery, System32 deployment, Prefetch execution proof, and data staging that took Szechuan Sauce CTF participants hours to reconstruct across 6-10 tools. Full assessment: docs/TRIAGE_PERFORMANCE.md.
Standard tools resolve parent directory references against the current MFT state. When Windows reuses an MFT entry number, those references break, scattering UNKNOWN parent paths through your timeline. The Rewind algorithm, first described by CyberCX, processes journal entries in reverse chronological order, tracking every (entry, sequence) → (filename, parent) mapping and rebuilding the directory tree as it existed at each point in time.
Before Rewind: UNKNOWN\UNKNOWN\malware.exe
After Rewind: .\Users\admin\AppData\Local\Temp\malware.exe
usnjrnl-forensic correlates four NTFS artifacts — more than any other tool:
$UsnJrnl:$Jrecords file creates, deletes, renames, and data changes$MFTstores the current file system state with timestamps$LogFilecontains transaction logs that embed USN records$MFTMirrmirrors the first four critical MFT entries for integrity verification
This builds on the TriForce technique (David Cowen, 2013), which pioneered three-artifact correlation of $MFT + $LogFile + $UsnJrnl, and adds $MFTMirr byte-level integrity verification to detect tampering with critical system metadata — a consistency check no other tool performs.
The $LogFile retains copies of recent USN records in its RCRD pages. usnjrnl-forensic extracts these, cross-references them against the journal, and flags records that exist only in $LogFile as ghost records — a signature of either normal journal wrapping or intentional fsutil usn deletejournal clearing.
The --carve-unallocated flag scans the entire NTFS partition for USN records and MFT directory entries that survived in unallocated clusters after their files were deleted and entries reused. It validates each candidate (record structure, timestamp sanity, filename encoding, attribute chains), deduplicates against already-parsed allocated records, merges survivors into the timeline, and seeds the Rewind engine with carved MFT entries so carved records get full path resolution. Requires --image.
Built-in detectors flag four categories of suspicious activity: secure deletion (SDelete / CCleaner rename patterns), journal clearing ($LogFile gaps and ghost records), ransomware (mass rename/delete with known extensions in short windows), and timestomping (cross-validating $STANDARD_INFORMATION against $FILE_NAME and USN FILE_CREATE events).
Define detection rules matching on filenames, extensions, reason flags, or combinations:
use usnjrnl_forensic::rules::{Rule, RuleSet, Severity, FilenameMatch};
use usnjrnl_forensic::usn::UsnReason;
let mut rules = RuleSet::with_builtins(); // 5 pre-loaded forensic rules
rules.add_rule(Rule {
name: "lateral_movement_tools".into(),
description: "Known lateral movement binaries".into(),
severity: Severity::Critical,
filename_match: Some(FilenameMatch::Regex(
r"(?i)(psexec|wmiexec|smbexec|atexec)".into()
)),
exclude_pattern: None,
any_reasons: Some(UsnReason::FILE_CREATE),
all_reasons: None,
});Built-in rules cover offensive tools (mimikatz, psexec, procdump, lazagne, rubeus, sharphound), ransomware extensions, SDelete patterns, script execution, and credential access (ntds.dit, SAM, SECURITY, SYSTEM).
ReFS volumes use 128-bit file reference numbers. usnjrnl-forensic preserves the full identifiers, auto-detects ReFS from V3 record patterns, and reconstructs paths using journal-only rewind (ReFS has no traditional MFT to seed from).
The monitor module provides a JournalSource trait for polling live USN journals on Windows, tracking the last-read USN position, detecting journal wraps, and emitting structured events for each new record.
| Format | Flag | Description |
|---|---|---|
| CSV | --csv |
MFTECmd-compatible columns |
| JSON Lines | --jsonl |
One JSON object per line |
| SQLite | --sqlite |
Indexed database with USNJRNL_FullPaths and MFT tables |
| Sleuthkit body | --body |
Pipe-delimited, feeds into mactime and log2timeline |
| TLN | --tln |
5-field pipe-delimited timeline format |
| XML | --xml |
Structured XML with full record fields |
| HTML Report | --report |
Self-contained triage report with Story + Explore tabs |
[dependencies]
usnjrnl-forensic = "0.6"Available modules: usn, mft, rewind, logfile, mftmirr, correlation, analysis, triage, rules, refs, monitor, image, output.
image: E01/raw image opening, NTFS partition discovery, artifact extraction viantfs-forensic, unallocated scanning (optionalimagefeature)usn: Binary parsing of USN_RECORD_V2, V3, V4 with streaming, parallel, and carving modesmft:$MFTentry extraction with SI/FN timestamp pairs and MFT entry carvingrewind: CyberCX Rewind algorithm for path reconstructionlogfile:$LogFileRCRD page analysis and embedded USN extractionmftmirr:$MFTMirrintegrity verificationcorrelation: QuadLink engine linking all four artifactsanalysis: Anti-forensics detection (secure delete, ransomware, timestomping, journal clearing)triage: Rapid IR triage engine with 12 built-in questions and source-aware filteringrules: Pattern-matching rule engine with glob, regex, and reason-flag conditionsrefs: ReFS 128-bit file ID handlingmonitor: Real-time journal polling abstractionoutput: CSV, JSONL, SQLite, Sleuthkit body, TLN, XML, and HTML triage report exporters
Strict TDD (separate RED and GREEN commits), cargo fmt/clippy/deny gates, and gitsign commit signing. See CONTRIBUTING.md. To report a vulnerability, see SECURITY.md.
- CyberCX: Rewriting the USN Journal (Rewind algorithm)
- NTFS TriForce (David Cowen,
$MFT+$LogFile+$UsnJrnlcorrelation) - ntfs-linker (Stroz Friedberg,
$LogFileUSN extraction) - MFTECmd (Eric Zimmerman, MFT/USN parsing)
- dfir_ntfs (Maxim Suhanov, Python NTFS parser)
- Microsoft USN_RECORD_V2 · V3 · V4
- Forensic Analysis of ReFS Journaling (DFRWS APAC 2021)
Albert Hui (@h4x0r) of @SecurityRonin — digital forensics practitioner building open-source DFIR tools that close the gaps left by commercial software.
Privacy Policy · Terms of Service · © 2026 Security Ronin Ltd