Saturday September 12, 2026 10:30am - 11:30am CDT
The NTFS USN Journal remains one of the most underutilized yet powerful forensic artifacts in Windows environments. While widely known, its practical use is often limited by incomplete parsing, lack of context, and the inability to correlate it effectively with other filesystem structures such as the Master File Table.
This session challenges long-standing forensic assumptions about how filesystem evidence should be interpreted. Traditional approaches treat artifacts such as the USN Journal and the Master File Table as separate and partially reliable sources of truth. Our research demonstrates that this model is fundamentally flawed.
Many widely used forensic tools silently ignore critical fields, leading to incomplete or misleading conclusions. As a result, investigators often rely on partial visibility when reconstructing attacker activity.
We introduce a comprehensive approach to extracting, parsing, and operationalizing USN Journal data at scale, using full-field analysis to reconstruct detailed filesystem activity. A key contribution of this work is a novel correlation model between USN Journal entries and Master File Table records, enabling investigators to rebuild complete timelines with significantly higher accuracy.
By combining these artifacts and analyzing all available metadata, we show that it is possible to detect inconsistencies, uncover hidden attacker activity, and validate events that would otherwise remain ambiguous or invisible.
This approach redefines how filesystem forensics should be performed, transforming fragmented artifacts into a unified and reliable representation of system activity. The techniques presented are actively used in real-world incident response and threat hunting engagements, where precision and speed are critical.
Speakers
Paula Januszkiewicz

CEO and Founder, Microsoft MVP and RD, CQURE
Paula Januszkiewicz is the Founder and CEO of CQURE and CQURE Academy, globally recognized organizations delivering cutting-edge cybersecurity consulting and advanced training since 2008. She is an Enterprise Security MVP, Microsoft Regional Director, and one of the world’s leading...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk