Thursday, 04 January 2018


The USN Journal (Update Sequence Number Journal), or Change Journal, is a feature of NTFS which maintains a record of changes made to the volume. It should not be confused with the journal that NTFS uses for file system journaling.

When Windows 2000 was released, Microsoft created NTFS version 3.0, which included several new features and improvements over older versions of the file system. One of these was a new system management feature that is very useful for certain types of applications. Under Windows 2000, NTFS 3.0 partitions can be set to keep track of changes to files and directories on the volume, providing a record of what was done to the various objects and when. When enabled, the system records all changes made to the volume in the USN Journal, a name that is also used for the feature itself.

One journal is maintained for each NTFS volume and stored in the NTFS metafile named $Extend\$UsnJrnl. It begins as an empty file. Whenever a change is made to the volume, a record is added to the file. Each record is identified by a 64-bit Update Sequence Number or USN. (For this reason Change Journals are sometimes called USN Journals.) Each record in the Change Journal contains the USN, the name of the file, and information about what the change was.

The Change Journal describes the changes that took place using bit flags (e.g. USN_REASON_DATA_OVERWRITE), so it does not include all the data or details associated with the change. For this reason the Change Journal cannot be used to undo operations on files within NTFS.





Uses

The USN Journal is used by the File History feature introduced in Windows 8 to determine which files have changed since the last backup so that only files that have changed are added to the history.







External links

  • "Change Journals (Windows)". Microsoft Developers Network Library, Win32 and COM Development, Volume Management. Microsoft Corporation. Retrieved 10 June 2009. 
  • "FSUTIL: USN". Windows XP Professional Product Documentation. Microsoft Corporation. Retrieved 10 June 2009. 
  • "FSUTIL: USN". Microsoft Technet Library, Windows Server Tech Center. Microsoft Corporation. 28 September 2007. Retrieved 10 June 2009. 
  • "NTFS Self-Healing". Microsoft Technet Library, Windows Server Tech Center. Microsoft Corporation. 21 January 2008. Retrieved 10 June 2009. 

Source of the article: Wikipedia
