Monitoring USN journal for changes

diyinfosec
Jan 27, 2021

--

This article explains how the USN Journal can be used to monitor file system changes, using the encryption of a plain-text file as a worked example.

Step 1 — Create a plain-text file:

echo "Encrypt This!" > C:\Users\test\Documents\file.txt

Step 2 — Query the USN Journal and note down the “Next Usn” value.

This is done so that we can later query the journal from this point instead of having to dump the entire journal.

fsutil usn queryjournal C:

(Screenshot: Getting the Next Usn value)

Step 3 — Encrypt the file using the Windows built-in tool cipher.exe:

cipher /e C:\Users\test\Documents\file.txt

(Screenshot: Encrypting a file using cipher)

Step 4 — Get the list of changes to the USN journal in CSV format:

fsutil usn readjournal c: startusn={next_usn_value} csv > usn_output.csv

The entries in usn_output.csv cover every change on the volume since the recorded Next Usn value; filter them by file name and by reason flag (for example the encryption-change reason) to isolate the changes of interest for the observation window.
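As an added example (not part of the original post), the script below does the filtering described in Step 4 offline: it parses a CSV export from `fsutil usn readjournal`, decodes the Reason bitmask into the documented USN_REASON_* flag names, applies the same "start from this USN" cut that `startusn=` applies, and reports which files carried an ENCRYPTION_CHANGE record. It generalizes the post's single encryption case by decoding every reason flag, so the same code can flag creates, deletes, renames or data overwrites. The CSV column names (Usn, Reason, Name, Timestamp) and the sample rows are constructed assumptions; compare them with the header line of your own usn_output.csv and adjust COLUMNS if they differ.

```python
"""Decode a USN journal CSV export and flag encryption-related changes.

Added example, not the author's code. The CSV layout is a constructed
sample: the column names in COLUMNS are assumptions and may differ from
what your fsutil build emits, so adjust them to your file's header row.
"""
import csv
import io
import sys

# USN_REASON_* flags as documented for the USN_RECORD structure (winioctl.h).
USN_REASON = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE",
    0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}

# Assumed column names for the constructed sample; edit to match your header.
COLUMNS = {"usn": "Usn", "reason": "Reason", "name": "Name", "time": "Timestamp"}

# Constructed sample resembling the walkthrough: file.txt is created, written,
# closed, then encrypted with cipher /e; other.log is unrelated activity.
SAMPLE_CSV = """Usn,Reason,Name,Timestamp
1050112,0x00000100,file.txt,2021-01-27 10:00:01
1050200,0x00000102,file.txt,2021-01-27 10:00:01
1050288,0x80000102,file.txt,2021-01-27 10:00:01
1050376,0x00040000,file.txt,2021-01-27 10:05:12
1050464,0x80040000,file.txt,2021-01-27 10:05:12
1050552,0x80000002,other.log,2021-01-27 10:05:13
"""


def decode_reason(value):
    """Turn a Reason cell ('0x00040000' or '0x00040000: Encryption change')
    into the set of USN_REASON_* flag names it contains."""
    token = value.split(":")[0].strip()
    mask = int(token, 16)
    flags = {name for bit, name in USN_REASON.items() if mask & bit}
    leftover = mask & ~sum(USN_REASON)  # bits not in the documented table
    if leftover:
        flags.add("UNKNOWN(0x%08x)" % leftover)
    return flags


def parse_usn_csv(text):
    """Parse CSV text into records with an int USN and decoded reason flags."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "usn": int(row[COLUMNS["usn"]]),
            "flags": decode_reason(row[COLUMNS["reason"]]),
            "name": row[COLUMNS["name"]],
            "time": row.get(COLUMNS["time"], ""),
        })
    return records


def filter_since(records, start_usn):
    """Keep records at or after start_usn, mirroring fsutil's startusn= cut."""
    return [r for r in records if r["usn"] >= start_usn]


def files_with_flag(records, flag="ENCRYPTION_CHANGE"):
    """Map each file name to the USNs of its records carrying the given flag."""
    hits = {}
    for r in records:
        if flag in r["flags"]:
            hits.setdefault(r["name"], []).append(r["usn"])
    return hits


if __name__ == "__main__":
    # Usage: python usn_filter.py [usn_output.csv] [start_usn]
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    start = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    for name, usns in files_with_flag(filter_since(parse_usn_csv(text), start)).items():
        print("%s encrypted at USN(s) %s" % (name, usns))
```

Running the script with no arguments uses the constructed sample and reports file.txt as the only file with an encryption-change record; pass your own export and the Next Usn value from Step 2 to apply it to real data. The `utf-8-sig` encoding strips a UTF-8 byte-order mark if the redirected output carries one; if your export is UTF-16, open it with `encoding="utf-16"` instead.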
