NTFS $LogFile

Weeks ago, I was working for a client who asked me to investigate what had happened to a particular file on his laptop. I tried all sorts of methods, but I wasn’t able to recover the file.

Since I couldn’t get it back, I needed to at least prove its existence. I tried my luck searching for the file in $MFT, but to no avail.

Not wanting to give up yet, I started my treasure hunt in $LogFile.

NTFS $LogFile is a file that logs all changes to the file system, recording activities performed by users and by the system.

I extracted $LogFile from the image and parsed it with LogFileParser.exe, which extracted the data nicely into a db file. With a DB browser, I examined the LogFile table and found the file I was looking for. Filtering on the column If_FileName, I saw log entries showing that the file had been deleted.
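The same lookup done programmatically, as an added example that is not part of the original post or of LogFileParser itself: it queries a LogFileParser-style SQLite database for every $LogFile record naming a given file and reports which records show it being removed. The table name LogFile and column If_FileName come from the post; lf_LSN and lf_RedoOperation are assumed column names for the log sequence number and the redo operation, and the rows are constructed sample data.

```python
# Added example (not the author's or LogFileParser's code): query a
# LogFileParser-style SQLite db for a file's $LogFile records and flag
# the operations that evidence its deletion. Column names lf_LSN and
# lf_RedoOperation are assumptions; the sample rows are constructed.
import sqlite3

# NTFS $LogFile redo operations that remove a file record or its index
# entry; seeing them for a name is evidence the file was deleted.
DELETE_OPS = {"DeallocateFileRecordSegment", "DeleteIndexEntryAllocation"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a LogFileParser output database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LogFile (lf_LSN INTEGER, lf_RedoOperation TEXT, If_FileName TEXT)"
    )
    rows = [  # constructed: create, index, unrelated write, then delete
        (1001, "InitializeFileRecordSegment", "report.docx"),
        (1002, "AddIndexEntryAllocation", "report.docx"),
        (1050, "UpdateNonresidentValue", "notes.txt"),
        (1100, "DeleteIndexEntryAllocation", "report.docx"),
        (1101, "DeallocateFileRecordSegment", "report.docx"),
    ]
    conn.executemany("INSERT INTO LogFile VALUES (?, ?, ?)", rows)
    return conn


def file_history(conn: sqlite3.Connection, name: str) -> list:
    """All (LSN, redo operation) records naming `name`, in log order."""
    cur = conn.execute(
        "SELECT lf_LSN, lf_RedoOperation FROM LogFile "
        "WHERE If_FileName = ? ORDER BY lf_LSN",
        (name,),
    )
    return cur.fetchall()


def deletion_evidence(conn: sqlite3.Connection, name: str) -> list:
    """LSNs of records showing `name` being removed; empty if none."""
    return [lsn for lsn, op in file_history(conn, name) if op in DELETE_OPS]


if __name__ == "__main__":
    db = build_sample_db()
    for lsn, op in file_history(db, "report.docx"):
        print(lsn, op)
    print("deletion evidence at LSNs:", deletion_evidence(db, "report.docx"))
```

Against a real LogFileParser database, replace build_sample_db() with sqlite3.connect() on the db file and adjust the two assumed column names to match its schema.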


In cases where it is not possible to recover a file, finding out what happened to it may be the best alternative.
