NTFS Transaction Log ($Logfile)
The NTFS $Logfile is the file system's own crash-recovery journal. Every metadata change NTFS makes — whether creating, renaming or deleting a file — is written into this circular log before it is committed to the MFT. For forensic analysts, the $Logfile provides a sequential transactional history of file system operations that can reveal file activity that has since been overwritten in other artifacts.
Imagine every time someone renovates a room in a building, a contractor first writes in a logbook what they plan to do — "I am going to knock down this wall" — before doing it. If the building loses power mid-renovation, they can read the logbook to restore everything. The NTFS $Logfile is that contractor's logbook for file operations. Even after someone "undoes" a file operation, the original plan often remains in the log.
General
The $Logfile is stored as MFT Entry 2 on every NTFS volume. It operates as a circular ring buffer, meaning older entries are eventually overwritten by new ones as the log fills. The file is structured into Log Record pages, each containing individual Redo and Undo operation records. The Redo record describes what to apply if a transaction was interrupted and the Undo record describes how to roll it back. Because NTFS writes these log entries for every metadata operation, parsing the $Logfile can reveal the exact sequence of create, delete, rename and attribute change operations that occurred on the volume — often reaching back hours or even days, depending on the volume of file system activity.
Traces
When we parse the $Logfile, each transaction record exposes the following data:
- Redo / Undo Operation Type: The specific NTFS operation recorded such as CreateFile, DeleteFile or RenameFile.
- MFT Record Reference: The specific file entry this transaction operates on, allowing correlation back to the $MFT.
- Log Sequence Number (LSN): A monotonically increasing sequence counter ordering all transactions chronologically.
- Attribute Type: The specific MFT attribute that was modified such as $STANDARD_INFORMATION or $FILE_NAME.
- and more.
Forensic Value
We mine the $Logfile to reconstruct file operations that have been otherwise erased:
- Recovering Deleted Filenames: Establish that a filename existed and was removed. Cross-reference this with the USN Journal for a broader view of historical volume changes.
- Proving Rename Operations: Recovering evidence of files that were renamed before deletion to obscure their true purpose.
- Corroborating MFT Timestamps: Cross-referencing LSN order against MFT timestamps to detect inconsistencies that indicate timestamp manipulation.
- Anti-Forensics Detection: Identifying rapid file creation and deletion patterns consistent with cleaner tools.
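As an added illustration of these analyses (example code written for this page, not taken from any $Logfile parser), the Python below replays a constructed set of already-parsed transaction records in LSN order to recover the full name history of a deleted file, flag create-then-delete bursts, and compare LSN creation order against $MFT creation times. The LogRecord model, the sample records and the MFT timestamps are assumptions for the example, not the on-disk format.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class LogRecord:
    """One parsed $Logfile transaction (constructed model, not the raw on-disk layout)."""
    lsn: int       # Log Sequence Number
    redo_op: str   # CreateFile, RenameFile or DeleteFile
    mft_ref: int   # MFT record the transaction operates on
    name: str      # $FILE_NAME value involved (new name for renames)

def file_histories(records):
    """Replay records in LSN order; per MFT reference, list (lsn, op, name).
    Deleted and pre-rename names survive here although the live $MFT lost them."""
    histories = {}
    for r in sorted(records, key=lambda r: r.lsn):
        histories.setdefault(r.mft_ref, []).append((r.lsn, r.redo_op, r.name))
    return histories

def short_lived_files(histories, max_lsn_gap):
    """MFT references created and deleted within max_lsn_gap LSN units."""
    hits = []
    for ref, ev in histories.items():
        created = [lsn for lsn, op, _ in ev if op == "CreateFile"]
        deleted = [lsn for lsn, op, _ in ev if op == "DeleteFile"]
        if created and deleted and 0 <= deleted[-1] - created[0] <= max_lsn_gap:
            hits.append(ref)
    return hits

def timestamp_order_conflicts(histories, mft_created):
    """Files whose $MFT creation time is earlier than that of a file created
    before them in LSN order; such inversions merit a timestomping check."""
    order = sorted((ev[0][0], ref) for ref, ev in histories.items()
                   if ev[0][1] == "CreateFile" and ref in mft_created)
    return [later for (_, earlier), (_, later) in zip(order, order[1:])
            if mft_created[later] < mft_created[earlier]]

# Constructed sample: one file created, renamed and deleted within 25 LSN units,
# plus a later-created file whose $MFT creation time predates an earlier one.
SAMPLE = [
    LogRecord(1000, "CreateFile", 41, "report.docx"),
    LogRecord(1020, "CreateFile", 42, "staging.tmp"),
    LogRecord(1030, "RenameFile", 42, "readme.txt"),
    LogRecord(1045, "DeleteFile", 42, "readme.txt"),
    LogRecord(1100, "CreateFile", 43, "notes.txt"),
]
SAMPLE_MFT_CREATED = {41: datetime(2024, 3, 1, 10, 0), 43: datetime(2024, 2, 1, 9, 0)}
```

Real $Logfile records carry no wall-clock time of their own, which is why the timestamp check joins LSN order with creation times taken from the $MFT.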
For more info, check out these articles: USN Journal