$TxfLog $Tops:$T

Overview

Evidence: $TxfLog $Tops:$T
Description: Dump Contents of $TxfLog$Tops:$T
Category: DiskFilesystem
Platform: windows
Short Name: txflogtops
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Transactional NTFS (TxF) allows applications to perform file operations as atomic transactions. The $TxfLog directory contains transaction logs, and the $Tops:$T stream maintains transaction metadata. While TxF is deprecated in modern Windows versions, these files may still exist on systems and contain historical transaction data.

Data Collected

This collector gathers structured data about $TxfLog $Tops:$T.

$TxfLog $Tops:$T Data

| Field | Description | Example |
| --- | --- | --- |
| Type | File type | TxfLogTopsT |
| Name | File name | $Tops:$T |
| SourcePath | Original path | C:\$Extend\$RmMetadata\$TxfLog\$Tops:$T |
| FilePath | Path in evidence | NTFSFiles/$Tops_$T |
| FileSize | File size in bytes | 524288 |

Collection Method

This collector uses raw NTFS access through a kernel driver to read $TxfLog $Tops:$T from each fixed NTFS drive.

Forensic Value

TxF logs can provide evidence of transactional file operations and application activity. Although TxF is deprecated, these files may contain valuable historical data about file system transactions and can reveal application behavior patterns.
