$LogFile

Overview

Evidence: $Log File
Description: Dump raw contents of $LogFile
Category: DiskFilesystem
Platform: windows
Short Name: ntfslog
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The $LogFile is NTFS's transaction log that records all changes to the file system before they are committed. This logging mechanism ensures file system consistency and enables recovery from system crashes or power failures. The log file maintains both redo and undo information for file system operations.

Data Collected

This collector gathers structured metadata about the collected $LogFile (the file itself is sent as-is and is not parsed).

$Log File Data

| Field      | Description        | Example            |
|------------|--------------------|--------------------|
| Type       | File type          | LogFile            |
| Name       | File name          | $LogFile           |
| SourcePath | Original path      | C:\$LogFile        |
| FilePath   | Path in evidence   | NTFSFiles/$LogFile |
| FileSize   | File size in bytes | 67108864           |

Collection Method

This collector uses the kernel driver's raw NTFS access to read $LogFile from each fixed NTFS drive, bypassing the exclusive lock the operating system holds on the file.

Forensic Value

The $LogFile provides forensic evidence of recent file system activity, including file creation, deletion, and modification operations. It can reveal transient files that have since been deleted and provide precise timing information about file system changes. It is particularly valuable for detecting data manipulation and understanding recent system activity.
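Because the collector ships the raw dump without parsing it, the analyst's first step is usually a page-level triage: confirm the restart ("RSTR") pages are intact, find the log page size, count the record ("RCRD") pages and note the highest LSN reached. The script below is an added example, not code from the collector or its documentation. It assumes the page header layout documented for NTFS $LogFile by the Linux-NTFS / ntfs-3g project (restart page header: magic, update sequence array offset and count, chkdsk LSN, system page size, log page size, restart area offset, minor and major version; record page header: magic, update sequence array offset and count, last LSN, flags, page count, page position). The sample image is constructed in memory so the script runs offline; point `triage_logfile` at the bytes of a collected `NTFSFiles/$LogFile` to run it on real evidence.

```python
"""Page-level triage of a raw NTFS $LogFile dump (added example, not the collector's code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

RSTR = b"RSTR"  # restart page signature
RCRD = b"RCRD"  # log record page signature

# Header layouts assumed from the Linux-NTFS / ntfs-3g documentation (little-endian).
RESTART_HDR = "<4sHHQIIHhh"  # magic, usa_ofs, usa_count, chkdsk_lsn, sys_page, log_page, ra_off, minor, major
RECORD_HDR = "<4sHHQIHH"     # magic, usa_ofs, usa_count, last_lsn, flags, page_count, page_position


@dataclass
class RestartPage:
    offset: int
    chkdsk_lsn: int
    system_page_size: int
    log_page_size: int
    restart_area_offset: int
    minor_version: int
    major_version: int


@dataclass
class RecordPage:
    offset: int
    last_lsn: int
    flags: int
    page_count: int
    page_position: int


def parse_restart_page(buf: bytes, off: int) -> RestartPage:
    magic, _usa_ofs, _usa_cnt, chkdsk_lsn, sys_ps, log_ps, ra_off, minor, major = \
        struct.unpack_from(RESTART_HDR, buf, off)
    if magic != RSTR:
        raise ValueError(f"no RSTR signature at offset {off:#x}")
    return RestartPage(off, chkdsk_lsn, sys_ps, log_ps, ra_off, minor, major)


def parse_record_page(buf: bytes, off: int) -> RecordPage:
    magic, _usa_ofs, _usa_cnt, last_lsn, flags, page_count, page_pos = \
        struct.unpack_from(RECORD_HDR, buf, off)
    if magic != RCRD:
        raise ValueError(f"no RCRD signature at offset {off:#x}")
    return RecordPage(off, last_lsn, flags, page_count, page_pos)


def triage_logfile(buf: bytes) -> dict:
    """Walk the dump one log page at a time and summarise what a full parser would find."""
    if len(buf) < struct.calcsize(RESTART_HDR) or buf[:4] != RSTR:
        raise ValueError("dump does not start with an RSTR restart page")
    first = parse_restart_page(buf, 0)
    page_size = first.log_page_size
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"implausible log page size {page_size:#x}")
    restart_pages: List[RestartPage] = []
    record_pages: List[RecordPage] = []
    unknown = 0
    for off in range(0, len(buf) - len(buf) % page_size, page_size):
        sig = buf[off:off + 4]
        if sig == RSTR:
            restart_pages.append(parse_restart_page(buf, off))
        elif sig == RCRD:
            record_pages.append(parse_record_page(buf, off))
        else:
            unknown += 1  # zero-filled / never-written pages are normal in a fresh log
    first_record: Optional[int] = record_pages[0].offset if record_pages else None
    return {
        "page_size": page_size,
        "version": f"{first.major_version}.{first.minor_version}",
        "restart_pages": len(restart_pages),
        "record_pages": len(record_pages),
        "unknown_pages": unknown,
        "highest_lsn": max((p.last_lsn for p in record_pages), default=0),
        "first_record_page": first_record,
    }


def build_sample_logfile(page_size: int = 0x1000, n_record_pages: int = 3) -> bytes:
    """Constructed sample: two RSTR pages, a few RCRD pages, one never-written page."""
    image = bytearray()
    for _ in range(2):
        pg = bytearray(page_size)
        # usa_ofs right after the 30-byte header, usa_count = page_size/512 + 1, version 1.1
        struct.pack_into(RESTART_HDR, pg, 0, RSTR, 0x1E, 9, 0, page_size, page_size, 0x30, 1, 1)
        image += pg
    for i in range(n_record_pages):
        pg = bytearray(page_size)
        last_lsn = 0x10000 + (i + 1) * 0x100  # monotonically increasing constructed LSNs
        struct.pack_into(RECORD_HDR, pg, 0, RCRD, 0x28, 9, last_lsn, 0, 1, 1)
        image += pg
    image += bytes(page_size)
    return bytes(image)


if __name__ == "__main__":
    print(triage_logfile(build_sample_logfile()))
```

A dump that does not open with an RSTR page, or whose page size is not a power of two, is almost always a truncated or corrupted collection rather than a tampered log, so the script refuses it early instead of producing misleading counts.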
