NTFS $LogFile

Weeks ago, I was working for a client who asked me to investigate what had happened to a particular file on his laptop. I tried all sorts of methods, but I wasn't able to recover the file.

Since I couldn't get it back, I needed to at least prove that it had existed. I tried my luck searching for the file in the $MFT, but to no avail.

Not wanting to give up yet, I started my treasure hunt in $LogFile.

NTFS $LogFile is the file in which NTFS logs changes to the file system. It records activity performed by users and by the system itself.

I extracted $LogFile from the image and parsed it with LogFileParser.exe, which extracted the data nicely into a database file. Opening that file in a DB browser, I examined the LogFile table and found the file I was looking for. Filtering on the lf_FileName column, I saw log entries showing that the file had been deleted.

[Figure: DB browser view of the LogFile table filtered on the file name]
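The lookup described above can be scripted instead of done by hand in a DB browser. The following is an added example, not code from the post or from LogFileParser: it assumes the parser's output is an SQLite file with a LogFile table carrying lf_FileName, lf_RedoOperation and lf_UndoOperation columns (an assumption about that tool's schema), builds a small constructed copy of such a table, and pulls every record for a file name, flagging the redo operations that indicate removal from the directory index or the MFT.

```python
import sqlite3

# Constructed sample rows shaped like LogFileParser's LogFile table.
# The column layout is an assumption; the operation names are NTFS
# $LogFile opcode names (index entry add/delete, MFT record init/dealloc).
SAMPLE_ROWS = [
    ("report.docx", "InitializeFileRecordSegment", "DeallocateFileRecordSegment"),
    ("report.docx", "AddIndexEntryAllocation", "DeleteIndexEntryAllocation"),
    ("notes.txt", "AddIndexEntryAllocation", "DeleteIndexEntryAllocation"),
    ("report.docx", "DeleteIndexEntryAllocation", "AddIndexEntryAllocation"),
    ("report.docx", "DeallocateFileRecordSegment", "InitializeFileRecordSegment"),
]

# Redo operations that, when applied, remove a file's index entry or MFT record.
DELETE_REDO_OPS = {"DeleteIndexEntryAllocation", "DeallocateFileRecordSegment"}


def build_sample_db(path=":memory:"):
    """Create a LogFile table with the constructed rows (stand-in for parser output)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE LogFile ("
        "lf_FileName TEXT, lf_RedoOperation TEXT, lf_UndoOperation TEXT)"
    )
    conn.executemany("INSERT INTO LogFile VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def file_history(conn, filename):
    """Return (redo, undo) pairs recorded for filename, in log order, case-insensitively."""
    cur = conn.execute(
        "SELECT lf_RedoOperation, lf_UndoOperation FROM LogFile "
        "WHERE lf_FileName = ? COLLATE NOCASE ORDER BY rowid",
        (filename,),
    )
    return cur.fetchall()


def deletion_evidence(conn, filename):
    """Return the redo operations for filename that indicate it was deleted."""
    return [redo for redo, _ in file_history(conn, filename) if redo in DELETE_REDO_OPS]


if __name__ == "__main__":
    db = build_sample_db()  # replace with sqlite3.connect("<parser output>.db") on real data
    for redo, undo in file_history(db, "report.docx"):
        print(f"redo={redo:30} undo={undo}")
    print("deletion evidence:", deletion_evidence(db, "report.docx"))
```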

When it is not possible to recover a file, finding out what happened to it may be the best alternative.
