$LogFile
Overview
Evidence: $LogFile
Description: Dump Raw Contents of $LogFile
Category: NTFS
Platform: Windows
Short Name: ntfslog
Is Parsed: No - Raw binary transaction log
Sent to Investigation Hub: Yes
Collect File(s): No
Background
$LogFile is the NTFS transaction log that ensures file system consistency. It records all file system operations before they are committed to disk, enabling NTFS to recover from crashes or power failures.
The log file can contain evidence of recent file system operations that may not be visible in the current file system state, including file operations that were interrupted or rolled back.
Data Collected

| Field      | Description        | Value              |
|------------|--------------------|--------------------|
| Type       | File type          | LogFile            |
| Name       | File name          | $LogFile           |
| SourcePath | Original path      | C:\$LogFile        |
| FilePath   | Path in evidence   | NTFSFiles/$LogFile |
| FileSize   | File size in bytes | 67108864           |
Collection Method
This collector uses a kernel driver to read the raw $LogFile from each fixed NTFS drive.
Usage
LogFile analysis can reveal recent file system operations and transactional state. Investigators use this data to analyze recent file operations, detect interrupted operations, investigate file system corruption, and perform timeline reconstruction of file system activity.
Known Limitations
Only available on NTFS volumes
Requires specialized tools to parse (LogFileParser, NTFS Log Tracker)
File format is complex
The log is circular and may have wrapped, so the oldest records are overwritten by newer ones
Notes
$LogFile parsing requires specialized tools. The file contains Log Sequence Numbers (LSNs) and can reveal file system operations from the recent past.
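The limitations above (complex binary format, circular log, LSNs) are easiest to appreciate by looking at the page structure of the file. The following is an added example written for this page, not the collector's own parser and not one of the tools named above. It walks a $LogFile image page by page, undoes the NTFS update sequence array protection on each page (reporting a torn write when the sector tails do not match), reads the RSTR restart-page and RCRD record-page headers, and flags where the LSN sequence drops, which is where the circular log wrapped. It assumes 4096-byte log pages and 512-byte sectors, and the header offsets as documented in the ntfs-3g logfile headers; the $LogFile image it runs on is constructed inline (a real one is 64 MiB, as the FileSize field shows).

```python
"""Minimal $LogFile page walker (added example; not the collector's own code).

Assumptions: 4096-byte log pages, 512-byte sectors, RSTR/RCRD header layouts
as in the ntfs-3g logfile headers. Sample data below is constructed.
"""
import struct

PAGE_SIZE = 4096   # assumed NTFS log page size
SECTOR = 512       # assumed sector size used by the update sequence array


def apply_fixup(page: bytes) -> bytes:
    """Undo the update sequence array: every sector's last two bytes carry the
    update sequence number (USN); the original bytes live in the array at
    usa_ofs. A tail that does not carry the USN means a torn (partial) write."""
    usa_ofs, usa_count = struct.unpack_from("<HH", page, 4)
    usn = page[usa_ofs:usa_ofs + 2]
    buf = bytearray(page)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"torn write: sector {i - 1} lacks USN {usn.hex()}")
        buf[end - 2:end] = page[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)


def parse_page(page: bytes) -> dict:
    """Decode one page header. RSTR/CHKD = restart page, RCRD = log record page,
    all-0xFF = space NTFS has never written."""
    magic = page[:4]
    if magic in (b"RSTR", b"CHKD"):
        fixed = apply_fixup(page)
        chkdsk_lsn, sys_page, log_page, ra_off = struct.unpack_from("<QIIH", fixed, 8)
        current_lsn = struct.unpack_from("<Q", fixed, ra_off)[0]   # RESTART_AREA.current_lsn
        return {"type": magic.decode(), "current_lsn": current_lsn, "chkdsk_lsn": chkdsk_lsn,
                "system_page_size": sys_page, "log_page_size": log_page}
    if magic == b"RCRD":
        fixed = apply_fixup(page)
        last_lsn, flags, page_count, page_pos, next_rec = struct.unpack_from("<QIHHH", fixed, 8)
        last_end_lsn = struct.unpack_from("<Q", fixed, 0x20)[0]
        return {"type": "RCRD", "last_lsn": last_lsn, "last_end_lsn": last_end_lsn,
                "flags": flags, "next_record_offset": next_rec}
    if magic == b"\xff\xff\xff\xff":
        return {"type": "empty"}
    return {"type": "unknown"}


def walk_logfile(data: bytes) -> dict:
    """Walk every page; record torn pages and the first page whose last_lsn is
    lower than the page before it (the wrap point of the circular log)."""
    pages, torn, wrap_at, prev = [], [], None, None
    for idx in range(len(data) // PAGE_SIZE):
        try:
            info = parse_page(data[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE])
        except ValueError as exc:
            torn.append(idx)
            info = {"type": "torn", "error": str(exc)}
        pages.append(info)
        if info["type"] == "RCRD":
            if prev is not None and info["last_lsn"] < prev and wrap_at is None:
                wrap_at = idx
            prev = info["last_lsn"]
    newest = max((p["last_lsn"] for p in pages if p["type"] == "RCRD"), default=None)
    return {"pages": pages, "torn_pages": torn, "wrap_at": wrap_at, "newest_lsn": newest}


# ---- constructed sample image (not real evidence) -------------------------
def _protect(raw: bytearray, usa_ofs: int) -> bytes:
    """Add an update sequence array the way NTFS does, USN = 1."""
    count = PAGE_SIZE // SECTOR + 1
    struct.pack_into("<HH", raw, 4, usa_ofs, count)
    raw[usa_ofs:usa_ofs + 2] = b"\x01\x00"
    for i in range(1, count):
        end = i * SECTOR
        raw[usa_ofs + 2 * i:usa_ofs + 2 * i + 2] = raw[end - 2:end]
        raw[end - 2:end] = b"\x01\x00"
    return bytes(raw)


def make_restart_page(current_lsn: int) -> bytes:
    raw = bytearray(PAGE_SIZE)
    raw[:4] = b"RSTR"
    struct.pack_into("<QIIH", raw, 8, 0, PAGE_SIZE, PAGE_SIZE, 0x30)  # chkdsk_lsn, page sizes, ra_off
    struct.pack_into("<Q", raw, 0x30, current_lsn)
    return _protect(raw, 0x1E)


def make_record_page(last_lsn: int, last_end_lsn: int) -> bytes:
    raw = bytearray(PAGE_SIZE)
    raw[:4] = b"RCRD"
    struct.pack_into("<QIHHH", raw, 8, last_lsn, 0, 1, 1, 0x40)
    struct.pack_into("<Q", raw, 0x20, last_end_lsn)
    return _protect(raw, 0x28)


def _torn(page: bytes) -> bytes:
    """Simulate a partial write: sector 2's tail no longer carries the USN."""
    b = bytearray(page)
    b[3 * SECTOR - 2:3 * SECTOR] = b"\x00\x00"
    return bytes(b)


SAMPLE_LOGFILE = b"".join([
    make_restart_page(0x4F0),        # page 0: restart area pointing at the newest LSN
    make_restart_page(0x4F0),        # page 1: mirror copy of the restart page
    make_record_page(0x480, 0x4A0),  # page 2
    make_record_page(0x4F0, 0x4F0),  # page 3: newest record page
    make_record_page(0x200, 0x210),  # page 4: stale data from before the log wrapped
    b"\xff" * PAGE_SIZE,             # page 5: never-written space
    _torn(make_record_page(0x4F8, 0x4F8)),  # page 6: torn write, rejected by the fixup check
])

if __name__ == "__main__":
    result = walk_logfile(SAMPLE_LOGFILE)
    for i, p in enumerate(result["pages"]):
        print(i, p)
    print("wrap at page", result["wrap_at"], "newest LSN", hex(result["newest_lsn"]),
          "torn pages", result["torn_pages"])
```

Two points for an investigator follow from the output: the page with the highest last_lsn, not the last page in the file, is the current tail of the log, and pages beyond the wrap point still hold older records that have not yet been overwritten, which is the "recent past" the Notes section refers to. A page that fails the fixup check should be reported rather than silently decoded, since its sectors come from two different writes.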