drop usn journal csv · detect journal wrap events where oldest records were overwritten · estimate how much file activity history was lost · identify intentionally triggered journal wraps destroying evidence · runs locally
usn csv from MFTECmd $J · Velociraptor · fsutil usn readjournal · optional fsutil usn queryjournal or registry journal config
drop usn journal csv or fsutil usn queryjournal output · multiple files ok