..
    generated, remove this comment to keep this file

``usnjrnl``
===========

.. code-block:: console

    $ target-query <path/to/target> -f usnjrnl


.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``filesystem.ntfs.usnjrnl.UsnjrnlPlugin``
    * - Output
      - ``records``

**Module documentation**

No documentation

**Function documentation**

Return the UsnJrnl entries of all NTFS filesystems.

The Update Sequence Number Journal (UsnJrnl) is a feature of an NTFS file system and contains information about
filesystem activities. Each volume has its own UsnJrnl.

If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the UsnJrnl
properties added to it through a "fake" ``NtfsFilesystem``), the paths returned in the UsnJrnl records
are based on the mount point of the ``VirtualFilesystem``. This ensures that the proper original drive
letter is used when available.
When no drive letter can be determined, the path will show as e.g. ``\$fs$\fs0``.

References:
    - https://en.wikipedia.org/wiki/USN_Journal
    - https://velociraptor.velocidex.com/the-windows-usn-journal-f0c55c9010e