$LogFile (NTFS Transaction Log)

WindowsFilesystem & TimelineDisk Image

Location

\\.\C:\$LogFile

Description

NTFS transaction log recording redo and undo operations for filesystem metadata changes. Provides more granular detail than $UsnJrnl for recent operations including incomplete and rolled-back transactions.

Forensic Value

$LogFile contains detailed redo/undo pairs for every NTFS metadata change in the most recent hours to days, providing finer granularity than the USN journal. It captures partial and failed operations that other artifacts miss, such as an incomplete file copy or a rolled-back rename. For recent activity, $LogFile can recover file creation, deletion, and rename operations with full timestamps even when $UsnJrnl has wrapped.

Tools Required

KAPENTFS Log TrackerLogFileParserAutopsy

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target NTFS

RawCopy

RawCopy.exe /FileNamePath:C:2 /OutputPath:C:\output /OutputName:$LogFile

NTFS Log Tracker

Load $LogFile alongside $MFT and $UsnJrnl in NTFS Log Tracker for correlated timeline analysis

Collection Constraints

•Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1070.006T1070.004

References

Windows PowerShell Logging NTFS Change Journals Additional LSA Protection

Used in Procedures

Validate Backup Integrity Before Restoration

recover

Acquisition Methods

KAPE Triage Collection

windows — triage

FTK Imager Logical Image (AD1)

windows — logical

Velociraptor Remote Collection

windows — remote