
NTFS Data Structures ($LogFile File, $UsrJrnl File)

$LogFile File

The $LogFile is in MFT entry 2 and is used as the NTFS journal. It has the standard file attributes and stores the log data in its $DATA attribute. Unfortunately, the exact data structure details are not publicly documented. We will take a peek at the contents, though, to get a rough idea of what is in there.

The log is organized into 4,096-byte pages. The first two pages make up the restart area, and each of them has the signature "RSTR" in its first four bytes. Many of the other values in this data structure are zero, and the only string is "NTFS" in Unicode. After the second restart page, at byte offset 8,192, come the log record pages, and each of them starts with the signature "RCRD".


$UsrJrnl File

The change journal falls into the application category and records when changes are made to files and directories. The changes are recorded in the $DATA attribute named $J of the \$Extend\$UsrJrnl file, which is not located in a reserved MFT entry. The $J $DATA attribute is sparse (the oldest part of the journal is released as it is trimmed, so the beginning of the attribute is a hole), and it contains a list of variable-sized data structures, called change journal entries. There is also a $DATA attribute named $Max that contains the maximum settings for the user journal.

These data are non-essential with respect to the file system's goals of storing and retrieving data. Therefore, the "Essential" column in the following table refers to whether the data are essential for the goal of providing a log of file changes. The data structure for the entries in $J (version 2.0 entries, the form found on volumes described here) has the fields given in the following table. All multi-byte values are little-endian, and each entry is padded so that its size is a multiple of 8 bytes.

Data structure for the $J attribute entries in $UsrJrnl

Byte Range   Description                                                         Essential
0-3          Size of this journal entry (padded to a multiple of 8)              Yes
4-5          Major version (2 for the entries described here)                    Yes
6-7          Minor version                                                       Yes
8-15         File reference of file that caused this entry                       Yes
16-23        Parent directory file reference for file that caused this entry     No
24-31        USN for entry (equal to the entry's byte offset within $J)          Yes
32-39        Timestamp (Windows FILETIME, 100 ns intervals since 1601-01-01)     Yes
40-43        Flags for type of change                                            Yes
44-47        Source information                                                  No
48-51        Security ID (NTFS security ID from $Secure, not a Windows SID)      No
52-55        File attributes                                                     No
56-57        Size of file name, in bytes                                         Yes
58-59        Offset to file name, relative to the start of the entry (60)        Yes
60+          File name (UTF-16, not null-terminated)                             Yes

Bytes 40 to 43 contain the reason for the change journal entry. This field is a set of flags, and more than one reason can be set in a single entry, because reasons accumulate while a file is open and the final entry for that open also carries the close flag. The defined values are given in the following table.

Values for the change type field in $J entries

Flag         Description
0x00000001   The default $DATA attribute was overwritten
0x00000002   The default $DATA attribute was extended
0x00000004   The default $DATA attribute was truncated
0x00000010   A named $DATA attribute was overwritten
0x00000020   A named $DATA attribute was extended
0x00000040   A named $DATA attribute was truncated
0x00000100   The file or directory was created
0x00000200   The file or directory was deleted
0x00000400   The extended attributes of the file were changed
0x00000800   The security descriptor was changed
0x00001000   The name changed (the change journal entry has the old name)
0x00002000   The name changed (the change journal entry has the new name)
0x00004000   Content indexed status changed
0x00008000   Changed basic file or directory attributes
0x00010000   A hard link was created or deleted
0x00020000   Compression status changed
0x00040000   Encryption status changed
0x00080000   Object ID changed
0x00100000   Reparse point value changed
0x00200000   A named $DATA attribute was created, deleted, or changed
0x80000000   The file or directory was closed

The source value in bytes 44-47 is typically 0, but it is non-zero when the entry was caused by the operating system rather than by a user action (the defined sources are data management, auxiliary data, and replication management). The $Max attribute contains the general change journal administrative information. It has the fields given in the following table.

Data structure for the $Max attribute of $UsrJrnl

Byte Range   Description                                                              Essential
0-7          Maximum size of the journal, in bytes                                    Yes
8-15         Allocation delta (the amount by which the journal grows and is trimmed)  Yes
16-23        USN journal ID (changes each time the journal is recreated)              Yes
24-31        Lowest valid USN in the journal                                          Yes
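The following Python is an added worked example, not code from the original page: it decodes version 2.0 $J entries laid out as in the entry table above, expands the change type flags into names, converts the FILETIME and file references, skips the zero-filled regions that a sparse $J attribute and page-tail padding produce, and decodes the four $Max fields. The journal bytes it parses are constructed inline for the demonstration (a create, a rename recorded as an old-name/new-name pair, a zero run, and a delete); the entry numbers, names, and timestamps are invented and do not come from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# Change type flags, as in the table above.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
KNOWN_REASON_MASK = sum(REASON_FLAGS)

# Fixed 60-byte header of a version 2.0 entry, little-endian: size, major, minor,
# file reference, parent reference, USN, timestamp, reason flags, source info,
# security ID, file attributes, file name size, file name offset.
USN_HEADER = struct.Struct("<IHHQQqqIIIIHH")
MAX_STRUCT = struct.Struct("<QQQQ")  # $Max: maximum size, allocation delta, journal ID, lowest USN

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def split_file_reference(ref):
    """NTFS file reference: low 48 bits are the MFT entry number, high 16 bits the sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def decode_reason(flags):
    names = [name for bit, name in REASON_FLAGS.items() if flags & bit]
    if flags & ~KNOWN_REASON_MASK:          # keep undocumented bits visible instead of dropping them
        names.append("UNKNOWN_0x%08x" % (flags & ~KNOWN_REASON_MASK))
    return names

def parse_usn_records(data):
    """Walk a $J buffer and return one dict per entry, skipping zero-filled regions."""
    records, off = [], 0
    while off + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, off)
        if size == 0:                        # sparse hole or zero padding at a page tail
            off = (off + 8) & ~7             # advance to the next 8-byte boundary
            continue
        if size < USN_HEADER.size or size % 8 or off + size > len(data):
            raise ValueError("bad entry size %d at offset %d" % (size, off))
        (_, major, minor, fref, pref, usn, ts, reason, source,
         sec_id, attrs, name_len, name_off) = USN_HEADER.unpack_from(data, off)
        if major != 2:                       # later versions use 128-bit file IDs; not handled here
            raise ValueError("unsupported entry version %d.%d" % (major, minor))
        if name_off + name_len > size:       # the name must lie inside the entry it belongs to
            raise ValueError("file name runs past entry at offset %d" % off)
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn, "file_ref": split_file_reference(fref),
            "parent_ref": split_file_reference(pref), "timestamp": filetime_to_datetime(ts),
            "reasons": decode_reason(reason), "source": source,
            "security_id": sec_id, "attributes": attrs, "name": name,
        })
        off += size
    return records

def parse_max(data):
    """Decode the $Max attribute into its four 64-bit fields."""
    max_size, alloc_delta, journal_id, lowest_usn = MAX_STRUCT.unpack_from(data, 0)
    return {"maximum_size": max_size, "allocation_delta": alloc_delta,
            "journal_id": journal_id, "lowest_usn": lowest_usn}

# --- Constructed sample data for the demonstration (not taken from a real volume) ---

def build_usn_record(usn, file_ref, parent_ref, filetime, reason, name, attrs=0x20):
    """Encode a version 2.0 entry, padded to a multiple of 8 bytes as NTFS does."""
    name_bytes = name.encode("utf-16-le")
    size = (USN_HEADER.size + len(name_bytes) + 7) & ~7
    hdr = USN_HEADER.pack(size, 2, 0, file_ref, parent_ref, usn, filetime,
                          reason, 0, 0, attrs, len(name_bytes), USN_HEADER.size)
    return hdr + name_bytes + b"\0" * (size - USN_HEADER.size - len(name_bytes))

def sample_journal():
    def ref(entry, seq):
        return (seq << 48) | entry
    t0 = 125911584000000000                  # FILETIME for 2000-01-01 00:00:00 UTC
    root = ref(5, 5)                         # the root directory is MFT entry 5
    return (                                 # USN of each entry equals its offset in the buffer
        build_usn_record(0,   ref(77, 3), root, t0,      0x00000100 | 0x80000000, "notes.txt") +
        build_usn_record(80,  ref(77, 3), root, t0 + 10, 0x00001000,              "notes.txt") +
        build_usn_record(160, ref(77, 3), root, t0 + 10, 0x00002000 | 0x80000000, "notes.old") +
        b"\0" * 64 +                         # zero run, as found in a sparse hole or page tail
        build_usn_record(304, ref(78, 1), root, t0 + 20, 0x00000200 | 0x80000000, "a.bin")
    )

def sample_max():
    return MAX_STRUCT.pack(32 * 1024 * 1024, 8 * 1024 * 1024, 0x01D4B5A6C7D8E9F0, 0x1000)

if __name__ == "__main__":
    for rec in parse_usn_records(sample_journal()):
        print(rec["usn"], rec["file_ref"], rec["timestamp"], rec["name"], rec["reasons"])
    print(parse_max(sample_max()))
```

To run this against a real journal, extract the $J stream from \$Extend\$UsrJrnl with a forensic tool and feed the bytes to parse_usn_records; the zero-skipping loop is what makes it tolerate the sparse leading region, and the strict size and name-offset checks keep a corrupted or carved fragment from being misread as a valid entry.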