$TxfLog $Tops:$T
Overview
Evidence: $TxfLog $Tops:$T
Description: Dump Contents of $TxfLog$Tops:$T
Category: DiskFilesystem
Platform: windows
Short Name: txflogtops
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Transactional NTFS (TxF) allows applications to perform file operations as atomic transactions. The $TxfLog directory contains the transaction logs, and the $Tops:$T stream maintains transaction metadata. While TxF is deprecated in modern Windows versions, these files may still exist on systems and contain historical transaction data.
Data Collected
This collector gathers structured data about $TxfLog $Tops:$T.
$TxfLog $Tops:$T Data
| Field | Description | Example |
|---|---|---|
| Type | File type | TxfLogTopsT |
| Name | File name | $Tops:$T |
| SourcePath | Original path | C:\$Extend\$RmMetadata\$TxfLog\$Tops:$T |
| FilePath | Path in evidence | NTFSFiles/$Tops_$T |
| FileSize | File size in bytes | 524288 |
Collection Method
This collector uses a kernel driver with raw NTFS access to read $TxfLog $Tops:$T from each fixed NTFS drive, so the stream is copied even though it lives under the protected $Extend\$RmMetadata area.
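As an added example (not the collector's or the product's own code), the following Python script checks that a record with the fields listed in the Data Collected table is self-consistent and that the file under FilePath actually has the recorded FileSize, a reasonable check before an analyst relies on the collected stream. The record layout, the NTFSFiles naming convention (the ':' of the stream name replaced with '_') and the expected_source_path helper are assumptions drawn from the table's example values; the evidence tree it validates is constructed in a temporary directory.

```python
"""Consistency checks for $TxfLog $Tops:$T collection records.

Added example, not the collector's own code. It assumes the collector emits
one record per fixed NTFS volume with the fields listed in the Data Collected
table, and that the evidence file name is the ADS name with ':' replaced by
'_' (the convention the table's FilePath example suggests).
"""
import hashlib
import os
import string
import tempfile

TXF_DIR = r"$Extend\$RmMetadata\$TxfLog"  # standard location of TxF metadata on an NTFS volume
STREAM_NAME = "$Tops:$T"                  # file $Tops, alternate data stream $T
EVIDENCE_DIR = "NTFSFiles"                # directory used in the table's FilePath example
RECORD_TYPE = "TxfLogTopsT"


def expected_source_path(drive: str) -> str:
    """Return the on-volume path the collector reads for a fixed drive such as 'C' or 'C:'."""
    letter = drive.rstrip(":\\").upper()
    if len(letter) != 1 or letter not in string.ascii_uppercase:
        raise ValueError(f"invalid drive letter: {drive!r}")
    return f"{letter}:\\{TXF_DIR}\\{STREAM_NAME}"


def evidence_name(stream_name: str) -> str:
    """Map an NTFS 'file:stream' name to the evidence file name (assumed ':' -> '_' convention)."""
    return stream_name.replace(":", "_")


def sha256_file(path: str) -> str:
    """Hash the collected copy so it can be tied to the record later in the investigation."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def validate_record(record: dict, evidence_root: str) -> list:
    """Return the problems found in one record; an empty list means it is self-consistent."""
    problems = []
    if record.get("Type") != RECORD_TYPE:
        problems.append(f"unexpected Type {record.get('Type')!r}")
    if record.get("Name") != STREAM_NAME:
        problems.append(f"unexpected Name {record.get('Name')!r}")
    if not record.get("SourcePath", "").endswith(f"\\{TXF_DIR}\\{STREAM_NAME}"):
        problems.append(f"SourcePath {record.get('SourcePath')!r} is not under {TXF_DIR}")
    rel = record.get("FilePath", "")
    if rel != f"{EVIDENCE_DIR}/{evidence_name(STREAM_NAME)}":
        problems.append(f"unexpected FilePath {rel!r}")
    local = os.path.join(evidence_root, *rel.split("/"))
    if not os.path.isfile(local):
        problems.append(f"evidence file missing: {rel}")
    else:
        actual = os.path.getsize(local)
        if actual != record.get("FileSize"):
            problems.append(f"FileSize {record.get('FileSize')} does not match on-disk size {actual}")
    return problems


def demo() -> dict:
    """Run the checks against a constructed evidence tree and return the findings per record."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, EVIDENCE_DIR))
        collected = os.path.join(root, EVIDENCE_DIR, evidence_name(STREAM_NAME))
        with open(collected, "wb") as fh:
            fh.write(b"\0" * 524288)  # constructed stand-in for the copied stream
        base = {
            "Type": RECORD_TYPE,
            "Name": STREAM_NAME,
            "SourcePath": expected_source_path("C:"),
            "FilePath": f"{EVIDENCE_DIR}/{evidence_name(STREAM_NAME)}",
        }
        good = dict(base, FileSize=524288)
        truncated = dict(base, FileSize=1048576)  # claims more bytes than were actually copied
        return {
            "good": validate_record(good, root),
            "truncated": validate_record(truncated, root),
            "sha256": sha256_file(collected),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script reports no problems for the consistent record and a FileSize mismatch for the one whose recorded size exceeds the bytes actually present, which is the symptom to look for when a raw-access copy was interrupted.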
Forensic Value
TxF logs can provide evidence of transactional file operations and application activity. Although TxF is deprecated, these files may contain valuable historical data about file system transactions and can reveal application behavior patterns.