$TxfLog $Tops:$T

Overview

Evidence: $TxfLog $Tops:$T
Description: Dump Contents of $TxfLog $Tops:$T
Category: NTFS
Platform: Windows
Short Name: txflogtops
Is Parsed: No - Raw transaction log
Sent to Investigation Hub: Yes
Collect File(s): No

Background

TxF (Transactional NTFS) was a feature that allowed file operations to be performed transactionally. The $TxfLog contains transaction metadata. Though TxF was deprecated in Windows 10, the files may still exist on upgraded systems.

The $Tops:$T stream contains transaction log data that can provide evidence of transactional file operations.

Data Collected

Field        Description          Example
Type         File type            TxfLogTopsT
Name         File name            $Tops:$T
SourcePath   Original path        C:\$Extend\$RmMetadata\$TxfLog\$Tops:$T
FilePath     Path in evidence     NTFSFiles/$Tops_$T
FileSize     File size in bytes   524288

Collection Method

This collector uses a kernel driver to read $Extend\$RmMetadata\$TxfLog\$Tops:$T from each fixed NTFS drive.

Usage

TxF logs can reveal transactional file operations on systems that used the feature (Windows Vista through 8.1). Investigators use this data to analyze those operations and to understand TxF usage patterns.
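Because this evidence is delivered unparsed, a first-pass triage of the collected file is usually done by hand: confirm the dump length matches the FileSize recorded in the manifest, hash it for chain of custody, measure how much of it is zero-fill (a freshly formatted or never-used $TxfLog is largely empty), and pull out any UTF-16LE strings so paths that may have been transacted can be cross-referenced with other artifacts. The script below is an added example, not code from this product; the manifest record mirrors the "Data Collected" table above, while the raw bytes are constructed here (a zero-filled buffer with one embedded UTF-16LE path) and do not reproduce the real on-disk layout of $Tops:$T. The helper names `triage`, `utf16le_strings` and `build_sample_dump` are this example's own.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Manifest record in the shape of the "Data Collected" table (values from the page).
MANIFEST = {
    "Type": "TxfLogTopsT",
    "Name": "$Tops:$T",
    "SourcePath": r"C:\$Extend\$RmMetadata\$TxfLog\$Tops:$T",
    "FilePath": "NTFSFiles/$Tops_$T",
    "FileSize": 524288,
}


def build_sample_dump(size: int) -> bytes:
    """Constructed stand-in for the collected stream: zero-filled, with one
    UTF-16LE path embedded at a fixed offset. Hypothetical content only; the
    real $Tops:$T format is not reproduced here."""
    buf = bytearray(size)
    marker = "C:\\Users\\analyst\\report.docx".encode("utf-16-le")
    buf[0x200:0x200 + len(marker)] = marker
    return bytes(buf)


@dataclass
class TriageResult:
    size_ok: bool          # dump length equals the manifest FileSize
    sha256: str            # hash for chain of custody
    zero_ratio: float      # fraction of 0x00 bytes (1.0 == completely empty)
    utf16_strings: list[str]


def utf16le_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Extract runs of printable ASCII encoded as UTF-16LE (char, 0x00 pairs)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def triage(data: bytes, manifest: dict) -> TriageResult:
    """Sanity-check a collected raw log against its manifest record."""
    size_ok = len(data) == manifest["FileSize"]
    sha = hashlib.sha256(data).hexdigest()
    zero_ratio = data.count(0) / len(data) if data else 1.0
    return TriageResult(size_ok, sha, zero_ratio, utf16le_strings(data))


if __name__ == "__main__":
    result = triage(build_sample_dump(MANIFEST["FileSize"]), MANIFEST)
    print(f"size matches manifest: {result.size_ok}")
    print(f"sha256: {result.sha256}")
    print(f"zero-fill ratio: {result.zero_ratio:.5f}")
    for s in result.utf16_strings:
        print(f"utf16 string: {s}")
```

On a real collection, replace `build_sample_dump` with the bytes read from `NTFSFiles/$Tops_$T` in the evidence package; a size mismatch or a zero-fill ratio near 1.0 tells the investigator early whether the dump is worth deeper manual parsing.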

Known Limitations

  • Only on systems that used TxF (Windows Vista-8.1)

  • TxF deprecated in Windows 10

  • Requires specialized knowledge to parse

  • Limited relevance on modern systems

Notes

Transactional NTFS (TxF) was deprecated starting with Windows 10. This evidence is mainly relevant for older Windows versions or upgraded systems.
