NTFS Journal Viewer – Tool to Investigate NTFS Changes

NTFS Journal Viewer (JV) is a portable tool that extracts and parses the NTFS change journal ($UsnJrnl) file. The change journal is a file that records when changes are made to files and directories and therefore can provide a wealth of information for the forensic investigator.

The extraction tool (ExtractUsnJrnl.exe) used in NTFS Journal Viewer was created by Joakim Schicht (https://github.com/jschicht). JV is able to parse hundreds of thousands of records within seconds and provides filtering and search functionality. The results can be exported to a CSV file.


The contents of the $UsnJrnl file can help forensic investigators identify what activity has occurred on files relevant to the investigation. The $UsnJrnl:$J stream contains useful information, as detailed below:

  • File/directory name
  • File/directory attributes
  • USN Reason
  • Time of activity
  • USN reference number
  • MFT reference number
  • MFT parent reference number
  • Security ID
  • Source info
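
To show where those fields sit on disk, here is an added example (not code from NTFS Journal Viewer or ExtractUsnJrnl) that parses raw $J bytes using the USN_RECORD_V2 layout documented by Microsoft. The function names and the sample bytes are constructed for illustration, and it assumes version 2 records only, skipping anything else.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IHHQQqQIIIIHH")  # fixed part of USN_RECORD_V2, 60 bytes
REASONS = {  # subset of the USN_REASON_* flags
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}

def filetime_to_utc(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_records(data):
    """Yield one dict per USN_RECORD_V2 found in a raw $J byte string."""
    pos = 0
    while pos + HEADER.size <= len(data):
        (length, major, _minor, ref, parent, usn, ts, reason, source,
         sec_id, attrs, name_len, name_off) = HEADER.unpack_from(data, pos)
        # $J is sparse and zero-padded: step over anything that is not a sane V2 header
        if (major != 2 or length < HEADER.size or length % 8
                or pos + length > len(data) or name_off + name_len > length):
            pos += 8
            continue
        name = data[pos + name_off:pos + name_off + name_len].decode("utf-16-le", "replace")
        yield {
            "usn": usn, "time": filetime_to_utc(ts), "name": name,
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
            "mft_entry": ref & 0xFFFFFFFFFFFF, "mft_seq": ref >> 48,  # 48-bit entry, 16-bit sequence
            "parent_entry": parent & 0xFFFFFFFFFFFF, "parent_seq": parent >> 48,
            "attributes": attrs, "security_id": sec_id, "source_info": source,
        }
        pos += length

def build_record(name, ref, parent, usn, ts, reason, attrs=0x20):
    """Construct a sample V2 record (test data only, not taken from a real volume)."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7  # records are 8-byte aligned
    head = HEADER.pack(length, 2, 0, ref, parent, usn, ts, reason, 0, 0, attrs, len(raw), HEADER.size)
    return (head + raw).ljust(length, b"\0")

# Constructed sample: 16 bytes of sparse padding, then a create and a delete of the same file
SAMPLE = (b"\0" * 16
          + build_record("notes.txt", (3 << 48) | 1234, (1 << 48) | 5, 4096, 132539328000000000, 0x100)
          + build_record("notes.txt", (3 << 48) | 1234, (1 << 48) | 5, 4176, 132539328600000000, 0x80000200))

if __name__ == "__main__":
    for rec in parse_usn_records(SAMPLE):
        print(rec["usn"], rec["time"].isoformat(), rec["name"], "|".join(rec["reasons"]))
```

A record that is cut off at the end of the input is skipped rather than partially decoded, which matters when carving $J fragments from unallocated space.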

You can read more and download this tool over here: http://www.orionforensics.com/w_en_page/
