Refs and USN Journal(2)
Note:I translated Japanese into English using Google Translate.
Thank you, Google.
I acquired the ReFS volume of Win10 1803 as an E01 image. You can download it from the following URL. (It is the volume I tested last time.)
Win10_1083_Refs.E01
https://drive.google.com/open?id=1adzuHvXH2FlMpQnGHh2S-i9FXvV1Llwd
Unfortunately I do not have a tool that parses ReFS, so I will use my own eyes :-)
Look for the USN record of example.jpg in the Refs volume.
I found several file names at offset 268445728. Well, is this a USN Journal record?
I compared it with the USN_RECORD_V2 structure, but some fields did not match.
So, I tried the structure of USN_RECORD_V3.
68 00 00 00 ⇒ RecordLength ⇒ 104
03 00 ⇒ MajorVersion ⇒ 3
00 00 ⇒ MinorVersion ⇒ 0
01000000000000000207000000000000 ⇒ FileReferenceNumber (16 bytes)
00000000000000000207000000000000 ⇒ ParentFileReferenceNumber (16 bytes)
D8 07 00 00 00 00 00 00 ⇒ USN
DE A4 43 09 FF 73 D4 01 ⇒ TimeStamp ⇒ FILETIME (UTC): 11/4/2018 5:27:10 AM
00010000 ⇒ Reason ⇒ 0x00010000 USN_REASON_HARD_LINK_CHANGE
00000000 ⇒ SourceInfo
00000000 ⇒ SecurityId
20000000 ⇒ FileAttributes
16 00 ⇒ FileNameLength ⇒ 22
4C 00 ⇒ FileNameOffset ⇒ 76
6500780061006D0070006C0065002E006A0070006700000000000000 ⇒ FileName (variable) ⇒ example.jpg
The ReFS USN Journal appears to use USN_RECORD_V3. However, I do not know whether it is always USN_RECORD_V3.
The USN_RECORD_V3 layout differs from USN_RECORD_V2 (the file reference fields are 16 bytes instead of 8, so the file name starts at a different offset). For this reason, carving that assumes the V2 structure will fail.
By the way, I noticed that Microsoft's USN-related URL returned a 404.
So I used the URL that David told me about. Thank you!
Addendum:
Zaki-san told me that UsnJrnl2Csv supports USN_RECORD_V3.
I exported the bytes from offset 268443648 to 268449952 and ran the tool on them.
However, no results were obtained.
Verification environment: Windows 10 1803
Reference URL:
GitHub - jschicht/UsnJrnl2Csv: Parser for $UsnJrnl on NTFS