What Windows artifact tracks file system changes and is useful for reconstructing activity over time?

The USN Change Journal records file system changes on NTFS volumes, making it ideal for reconstructing activity over time. It logs every notable alteration to files and directories—creations, deletions, renames, moves, and metadata or data modifications—with timestamps and references to the file’s MFT entry. Because this log is a chronological record maintained by the file system, you can trace what happened and when across the volume, even after other data has changed or been removed. Other artifacts don’t provide the same comprehensive change history: the Windows Event Log captures system-wide events but not a complete file-system change timeline; the Master File Table holds file metadata but isn’t a sequential log of changes; and the Recycle Bin only contains deleted items, not the full history of file operations.