NTFS Journal Viewer – Tool to Investigate NTFS Changes
NTFS Journal Viewer (JV) is a portable tool that extracts and parses the NTFS change journal ($UsnJrnl) file. The change journal is a file that records when changes are made to files and directories and therefore can provide a wealth of information for the forensic investigator.
The extraction tool (ExtractUsnJrnl.exe) used in NTFS Journal Viewer was created by Joakim Schicht (https://github.com/jschicht). JV is able to parse hundreds of thousands of records within seconds and provides filtering and search functionality. The results can be exported to a CSV file.

The contents of the $UsnJrnl file can help forensic investigators identify what activity has affected files relevant to the investigation. The $UsnJrnl:$J stream contains the following useful information:
- File/directory name
- File/directory attributes
- USN Reason
- Time of activity
- USN reference number
- MFT reference number
- MFT parent reference number
- Security ID
- Source info
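
The fields listed above correspond to the version 2 change journal record (USN_RECORD_V2) documented by Microsoft. The following Python sketch is an added example, not code from NTFS Journal Viewer or ExtractUsnJrnl, and shows how those fields are decoded from raw $J bytes. The function names, the reduced reason table and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

HDR = struct.Struct("<IHHQQqQIIIIHH")  # fixed 60-byte USN_RECORD_V2 header
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
           0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}  # subset of USN_REASON_*

def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def mft_ref(ref):
    """Split a 64-bit file reference into (MFT entry, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_usn(buf):
    """Yield one dict per USN_RECORD_V2 found in raw $J bytes."""
    off = 0
    while off + HDR.size <= len(buf):
        (length, major, _minor, ref, parent, usn, ts, reason,
         source, sec_id, attrs, name_len, name_off) = HDR.unpack_from(buf, off)
        # $J is sparse and zero-padded: step over anything that is not a sane v2 record.
        if (major != 2 or length < HDR.size or off + length > len(buf)
                or name_off + name_len > length):
            off += 8
            continue
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le", "replace")
        yield {"name": name, "attributes": attrs, "usn": usn, "time": filetime(ts),
               "reasons": [n for bit, n in REASONS.items() if reason & bit],
               "mft": mft_ref(ref), "parent_mft": mft_ref(parent),
               "security_id": sec_id, "source_info": source}
        off += (length + 7) & ~7  # records are 8-byte aligned

def build_record(name, ref, parent, usn, ts, reason, attrs=0x20):
    """Constructed sample input: pack one v2 record (not real journal data)."""
    raw = name.encode("utf-16-le")
    length = (HDR.size + len(raw) + 7) & ~7
    hdr = HDR.pack(length, 2, 0, ref, parent, usn, ts, reason, 0, 0, attrs, len(raw), HDR.size)
    return (hdr + raw).ljust(length, b"\0")

# Constructed sample: 16 bytes of sparse padding, then one delete+close record.
SAMPLE = bytes(16) + build_record("report.docx", (3 << 48) | 1234, (1 << 48) | 5,
                                  4096, 133_485_408_000_000_000, 0x80000200)

if __name__ == "__main__":
    for rec in parse_usn(SAMPLE):
        print(rec)
```

The sequence number returned with each MFT entry is what lets an investigator tell a reused MFT slot apart from the original file when correlating journal records with $MFT.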
You can read more and download this tool over here: http://www.orionforensics.com/w_en_page/