$LogFile (NTFS Transaction Log)

windowsFilesystem & TimelineDisk Image

Location

\\.\C:\$LogFile

Description

NTFS transaction log recording redo and undo operations for filesystem metadata changes. Provides more granular detail than $UsnJrnl for recent operations including incomplete and rolled-back transactions.

Forensic Value

$LogFile contains detailed redo/undo pairs for every NTFS metadata change in the most recent hours to days, providing finer granularity than the USN journal. It captures partial and failed operations that other artifacts miss, such as an incomplete file copy or a rolled-back rename. For recent activity, $LogFile can recover file creation, deletion, and rename operations with full timestamps even when $UsnJrnl has wrapped.

Tools Required

KAPENTFS Log TrackerLogFileParserAutopsy

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical