# $Log File

## Overview

- Evidence: $Log File
- Description: Dump raw contents of $LogFile
- Category: DiskFilesystem
- Platform: windows
- Short Name: ntfslog
- Is Parsed: No
- Sent to Investigation Hub: Yes
- Collect File(s): Yes
## Background

The $LogFile is NTFS's transaction log: it records every change to the file system before that change is committed to the volume. This write-ahead logging keeps the file system consistent and allows recovery after a system crash or power failure. Each logged operation carries both redo and undo information.
## Data Collected

This collector gathers structured data about the $LogFile.

### $Log File Data

| Field | Description | Example |
|---|---|---|
| Type | File type | LogFile |
| Name | File name | $LogFile |
| SourcePath | Original path | C:\$LogFile |
| FilePath | Path in evidence | NTFSFiles/$LogFile |
| FileSize | File size in bytes | 67108864 |
## Collection Method

This collector uses the kernel driver's raw NTFS access to read $LogFile from each fixed NTFS drive, bypassing the normal file API (which refuses to open the system file).
## Forensic Value

The $LogFile provides forensic evidence of recent file system activity, including file creation, deletion, and modification operations. It can reveal transient files that have since been deleted and gives precise timing information about file system changes. It is particularly valuable for detecting data manipulation and for reconstructing recent system activity.
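As an added example, not part of this collector or its documentation, the following Python script is a sanity check an analyst can run over the collected `NTFSFiles/$LogFile` dump before handing it to a parser: it validates the two `RSTR` restart pages, undoes the per-sector fixups (update sequence array) to detect torn or corrupted pages, and enumerates the `RCRD` record pages with their last LSN. The sample bytes are constructed in the script and the 4 KiB page size is an assumption for that sample; a real dump carries its own page sizes in the restart page header.

```python
"""Validate a raw NTFS $LogFile dump: restart pages, fixups, record pages."""
import struct

SECTOR = 512  # fixup granularity used by NTFS multi-sector structures

def apply_fixups(page: bytes) -> bytes:
    """Verify and undo the update sequence array. Each sector's last two bytes
    must equal the USN stored at usa_ofs; the originals are restored from the
    array. A mismatch means the page was torn or the dump is corrupt."""
    usa_ofs, usa_count = struct.unpack_from("<HH", page, 4)
    usn = page[usa_ofs:usa_ofs + 2]
    buf = bytearray(page)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end - 2:end] = page[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)

def parse_logfile(data: bytes) -> dict:
    """Return the page sizes and a list of (offset, last_lsn) for RCRD pages."""
    if data[:4] != b"RSTR":
        raise ValueError("not a $LogFile: missing RSTR signature")
    sys_page, log_page = struct.unpack_from("<II", data, 16)
    for off in (0, sys_page):  # primary restart page and its copy
        if apply_fixups(data[off:off + sys_page])[:4] != b"RSTR":
            raise ValueError(f"bad restart page at {off:#x}")
    records, off = [], 2 * sys_page
    while off + log_page <= len(data):
        raw = data[off:off + log_page]
        if raw[:4] == b"RCRD":  # zeroed/unused pages are skipped
            records.append((off, struct.unpack_from("<Q", apply_fixups(raw), 8)[0]))
        off += log_page
    return {"system_page_size": sys_page, "log_page_size": log_page, "records": records}

def dump_is_consistent(data: bytes) -> bool:
    try:
        parse_logfile(data)
        return True
    except ValueError:
        return False

def make_page(magic: bytes, fields: bytes, size: int = 4096, usn: int = 0x4242) -> bytes:
    """Construct a page as NTFS writes it: header fields, then stamp the USN into
    every sector trailer, saving the original trailer bytes in the USA (at 0x28)."""
    buf, usa_ofs, sectors = bytearray(size), 0x28, size // SECTOR
    buf[:4], buf[8:8 + len(fields)] = magic, fields
    struct.pack_into("<HH", buf, 4, usa_ofs, sectors + 1)
    usa = struct.pack("<H", usn)
    for i in range(1, sectors + 1):
        usa += bytes(buf[i * SECTOR - 2:i * SECTOR])
        buf[i * SECTOR - 2:i * SECTOR] = struct.pack("<H", usn)
    buf[usa_ofs:usa_ofs + len(usa)] = usa
    return bytes(buf)

# Constructed sample: two restart pages, two record pages, one unused page.
RSTR = make_page(b"RSTR", struct.pack("<QII", 0, 4096, 4096))
SAMPLE = RSTR * 2 + make_page(b"RCRD", struct.pack("<Q", 0x1000)) \
    + make_page(b"RCRD", struct.pack("<Q", 0x1800)) + bytes(4096)
TORN = bytearray(SAMPLE); TORN[8192 + 1023] ^= 0xFF; TORN = bytes(TORN)
```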