..parses the $UsnJrnl file or NTFS change journal.The UsnJrnl is responsible for keeping track of file system operations such as file creation, deletion, and truncation. During an investigation I highly recommend inspecting the $UsnJrnl as it provides extremely detailed context about what has transpired on the file system. For example, this is especially helpful in providing details about a deleted and otherwise unrecoverable file.
↧