CaledoniaProject closed this issue 2 years ago.
Hi CaledoniaProject,
The USN journal is "not" what is commonly described as the "transaction log". It is a journal of the changes made to the MFT. You can query its size and configuration with https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn.
dfir-orc USNInfo dumps the entire journal.
More information about the transaction journal can be found at http://www.ntfs.com/transaction.htm. (Currently, there has been no strong justification for us to add parsing of the transaction log to dfir-orc.)
HTH, Jean
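As an added example (not dfir-orc code and not from the original thread), the following PowerShell script wraps the `fsutil usn` check Jean refers to. It queries the journal's configuration, computes how many bytes of the journal are currently in use (Next Usn minus First Usn), and reads the timestamp of the oldest record that is still available. The USN journal is a bounded, circular log: once it reaches its configured Maximum Size, NTFS discards the oldest records, so the oldest reachable record depends on that size and on how much the volume is written to. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where `fsutil usn queryjournal` and `fsutil usn readjournal <volume> csv` exist; the exact names of the CSV columns emitted by `readjournal` are an assumption, so the script locates the timestamp column by matching on "Time" rather than by position.

```powershell
# Added example, not part of dfir-orc. Assumes an elevated session on
# Windows 8 / Server 2012 or later (fsutil usn queryjournal / readjournal csv).
param([string]$Volume = "C:")

function Get-UsnJournalInfo {
    param([string]$Volume)
    # fsutil prints "Name : 0xHEX" lines; keep the hex-valued ones as numbers.
    $out = & fsutil usn queryjournal $Volume 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fsutil usn queryjournal failed: $out" }
    $info = @{}
    foreach ($line in $out) {
        if ($line -match '^\s*(.+?)\s*:\s*(0x[0-9a-fA-F]+)\s*$') {
            $info[$matches[1]] = [uint64]$matches[2]   # PowerShell parses "0x.." strings
        }
    }
    return $info
}

function Get-OldestUsnRecordTime {
    param([string]$Volume)
    # readjournal walks the whole journal; take only the header plus first record.
    $rows = & fsutil usn readjournal $Volume csv 2>&1 | Select-Object -First 2
    if ($rows.Count -lt 2) { return $null }
    $rec = $rows | ConvertFrom-Csv
    # Assumption: the timestamp column name contains "Time" (e.g. "Time stamp").
    $col = ($rec.PSObject.Properties | Where-Object { $_.Name -match 'Time' } |
            Select-Object -First 1)
    if ($null -eq $col) { return $null }
    return $col.Value
}

function Get-UsnJournalSummary {
    param([string]$Volume)
    $j = Get-UsnJournalInfo -Volume $Volume
    $used = $j['Next Usn'] - $j['First Usn']
    [pscustomobject]@{
        Volume          = $Volume
        MaximumSizeMB   = [math]::Round($j['Maximum Size'] / 1MB, 1)
        AllocDeltaMB    = [math]::Round($j['Allocation Delta'] / 1MB, 1)
        InUseMB         = [math]::Round($used / 1MB, 1)
        FirstUsn        = ('0x{0:x}' -f $j['First Usn'])
        NextUsn         = ('0x{0:x}' -f $j['Next Usn'])
        OldestRecordAt  = Get-OldestUsnRecordTime -Volume $Volume
    }
}

# Usage: .\usn-summary.ps1 -Volume C:
Get-UsnJournalSummary -Volume $Volume | Format-List
```

If `InUseMB` is close to `MaximumSizeMB`, the journal has already wrapped at least once and `OldestRecordAt` is the earliest point any USN-based tool, dfir-orc included, can report for that volume; a larger maximum size can be set with `fsutil usn createjournal`, but that only affects records written from then on.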
Thanks, this is very helpful to me.
I've exported the transaction logs with:
But the earliest logs are from two days ago. I'm wondering whether this limitation comes from dfir-orc or from NTFS itself.