Monitoring USN journal for changes
This article explains how the NTFS USN Journal can be used to monitor file system changes, using the encryption of a plain-text file as the worked example.
Step 1 — Create a plain-text file:
echo "Encrypt This!" > C:\Users\test\Documents\file.txt
Step 2 — Query the USN Journal and note down the "Next Usn" value.
This value is the position from which the journal will be read later, so only records written after this point need to be dumped instead of the entire journal.
fsutil usn queryjournal C:
Step 3 — Encrypt the file using the built-in Windows tool cipher.exe:
cipher /e C:\Users\test\Documents\file.txt
Step 4 — Get the list of changes to the USN journal in CSV format:
fsutil usn readjournal c: startusn={next_usn_value} csv > usn_output.csv
The entries in usn_output.csv can then be filtered to isolate the volume-level changes that occurred during the observation window.
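The four steps above, automated end to end in PowerShell, as an added example that is not part of the original article. It assumes an elevated PowerShell session on a Windows host with an NTFS C: volume that has an active USN journal; the file path is taken relative to the current user's profile rather than the article's C:\Users\test, and the "Next Usn" value is parsed from the fsutil queryjournal output with a regular expression (an assumption about that output's "Next Usn : 0x..." line format).

```powershell
# Added example (not from the original article): run the article's four steps
# and filter the resulting CSV for the file that was encrypted.
# Assumes: elevated session (fsutil needs it), NTFS C: with an active USN journal.

$Volume = 'C:'
$Target = Join-Path $env:USERPROFILE 'Documents\file.txt'   # user-relative version of the article's path
$Csv    = Join-Path $env:TEMP 'usn_output.csv'

# Step 1: create the plain-text file.
Set-Content -Path $Target -Value 'Encrypt This!'

# Step 2: record "Next Usn" so that only records written after this point are read later.
# Assumption: queryjournal prints a line of the form "Next Usn : 0x<hex>".
$query   = fsutil usn queryjournal $Volume
if ($LASTEXITCODE -ne 0) { throw "fsutil usn queryjournal failed: $query" }
$match   = $query | Select-String -Pattern 'Next Usn\s*:\s*(0x[0-9A-Fa-f]+)' | Select-Object -First 1
if (-not $match) { throw 'Could not parse "Next Usn" from fsutil output' }
$nextUsn = $match.Matches[0].Groups[1].Value

# Step 3: encrypt the file with EFS via cipher.exe.
cipher /e $Target | Out-Null

# Step 4: dump journal records from the saved USN onward, in CSV form.
fsutil usn readjournal $Volume startusn=$nextUsn csv | Set-Content -Path $Csv

# Filter: print the CSV header plus every row that names the target file.
# The Reason column is a bitmask of USN_REASON_* flags; the encryption change
# made by cipher /e is USN_REASON_ENCRYPTION_CHANGE (0x00040000), so the rows
# for file.txt should include one carrying that bit alongside the create/extend/close flags.
$rows = Get-Content -Path $Csv
$rows | Select-Object -First 1
$rows | Select-String -SimpleMatch (Split-Path -Path $Target -Leaf)
```

Because the journal is volume-wide, the unfiltered CSV will also contain records for unrelated files touched between steps 2 and 4 (including any temporary files cipher.exe itself creates); narrowing by file name, parent directory or the reason bitmask is what turns the raw dump into a usable change record.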