When an adversary modifies MFT timestamps, deletes files, or attempts to clean up their tracks on an NTFS volume, the filesystem’s own transaction journal silently records every metadata change they make. $LogFile is NTFS’s crash-recovery mechanism repurposed as a forensic artifact — a circular buffer that captures the before-and-after state of every MFT record modification, providing investigators with a recent-history replay of filesystem activity that survives most anti-forensics techniques.
What Is $LogFile?
$LogFile is the NTFS transaction log, a system metafile stored in the root of every NTFS volume at C:\$LogFile (inode 2 in the MFT). Its primary purpose is crash recovery: NTFS uses a write-ahead logging model where all metadata changes are first written to $LogFile before being committed to the MFT and other metadata structures. If the system crashes before the commit completes, the NTFS driver replays the log on the next mount to restore filesystem consistency.
From a forensic perspective, $LogFile contains redo and undo records for recent MFT changes. A redo record describes the change that was made. An undo record describes how to reverse the change. Together, these records provide a timeline of metadata modifications — including file creation, deletion, renaming, attribute changes, and timestomping.
$LogFile operates as a circular buffer, typically 64 MB in size. When the buffer is full, the oldest records are overwritten. On an active system, the effective retention window ranges from a few hours to several days depending on filesystem activity.
$LogFile records the previous values of modified MFT attributes in its undo records. When an attacker timestomps a file, $LogFile preserves the original timestamps in the undo data. This is one of the very few mechanisms that can prove timestomping occurred and recover the true original timestamps.
Location & Format
| Property | Detail |
|---|---|
| Path | C:\$LogFile (root of every NTFS volume) |
| MFT Entry | Inode 2 (fixed position in MFT) |
| Typical Size | 64 MB (can range from 2 MB to 256+ MB) |
| Buffer Type | Circular — oldest records overwritten when full |
| Record Types | Restart records, client records (redo/undo operations) |
| Visibility | Hidden system metafile; requires raw disk access or forensic tools |
Internal Structure
$LogFile consists of two restart areas (at the beginning, for redundancy) and a logging area containing the circular buffer. Each log record contains a Log Sequence Number (LSN) that monotonically increases, providing strict ordering. Records contain operation codes specifying the metadata change type.
Record Types & Operation Codes
| Operation Code | Name | Forensic Meaning |
|---|---|---|
0x02 | InitializeFileRecordSegment | New file or directory created — the full MFT record is logged |
0x03 | DeallocateFileRecordSegment | File or directory deleted — the MFT record is freed |
0x05 | CreateAttribute | New attribute added to an MFT record |
0x09 | UpdateResidentValue | Resident attribute data modified — includes timestamp changes (timestomping) |
0x0B | UpdateMappingPairs | Non-resident data run mappings changed (file extents modified) |
0x0F | SetNewAttributeSizes | Attribute size changed — file grew or was truncated |
0x13 | AddIndexEntryAllocation | Directory entry added — file appeared in a parent directory |
0x14 | DeleteIndexEntryAllocation | Directory entry removed — file removed from parent directory |
Each log record pair contains both the redo data (the new state) and the undo data (the previous state). For timestomping detection, the undo data preserves the original timestamps. For deleted file recovery, the redo data from InitializeFileRecordSegment contains the complete MFT record as it existed at creation time.
What $LogFile Reveals
- File creation events with full MFT records — When a file is created, the entire MFT record is logged, enabling recovery of files whose MFT entries have been overwritten.
- File deletion events — DeallocateFileRecordSegment operations record when MFT entries were freed, providing deletion timestamps.
- Timestamp modifications (timestomping) — UpdateResidentValue operations on $STANDARD_INFORMATION capture both new and original timestamps in the undo data.
- File renaming — Directory index additions and deletions record before and after file names.
- Directory lifecycle — Complete creation and deletion of directory structures is logged.
- Attribute changes — Changes to hidden, system, readonly attributes are recorded.
Forensic Use Cases
1. Timestomping Detection
An attacker sets their malware’s timestamps to match legitimate system files. The $MFT $STANDARD_INFORMATION shows the forged times. However, $LogFile contains an UpdateResidentValue record with the undo data showing the original timestamps and the redo data showing the forged timestamps. The LSN ordering proves the modification occurred after file creation.
2. Deleted Tool Recovery
An attacker drops a tool into C:\Windows\Temp\, executes it, then deletes it. The MFT entry may be reallocated. $LogFile’s InitializeFileRecordSegment record from creation contains the complete MFT record including file name, size, and timestamps — recoverable even after the MFT entry is overwritten.
3. Anti-Forensics Timeline Reconstruction
After a breach, the attacker ran a cleanup script deleting tools, logs, and Prefetch files. $LogFile contains DeallocateFileRecordSegment records for each deleted file and DeleteIndexEntryAllocation for directory removals. The LSN ordering reconstructs the exact cleanup sequence.
4. Ransomware Encryption Timeline
During ransomware encryption, $LogFile records MFT modifications for each encrypted file. If the 64 MB buffer encompasses the encryption start, LSN-ordered records reveal the sequence and timing, identifying the first encrypted file and encryption rate.
5. File Rename Tracking
When an attacker renames mimikatz.exe to svchost.exe, $LogFile records the directory index deletion for the original name and addition of the new name within the same transaction. The undo data preserves the original file name.
Acquisition Methods
$LogFile has the shortest effective retention of any major NTFS artifact. On an active system, the 64 MB buffer may contain only hours of history. Collect $LogFile as early as possible after an incident. Prioritize it above most other artifacts.
:: Using KAPE (recommended for live systems) kape.exe --tsource C: --tdest C:\Evidence --target NTFSFilesAndUSNJrnl :: Using RawCopy (bypasses NTFS locks) RawCopy.exe /FileNamePath:C:\$LogFile /OutputPath:C:\Evidence\ :: Using icat from The Sleuth Kit (from forensic image) icat /dev/sdb1 2 > /analysis/ntfs/LogFile :: Using FTK Imager (GUI) :: Navigate to [root] - $LogFile - Right-click - Export
Parsing Tools & Analysis
| Tool | Author | License | Notes |
|---|---|---|---|
| LogFileParser | Joakim Schicht | Open source | Primary $LogFile parser; extracts redo/undo records with operation codes and timestamps |
| NTFS Log Tracker | Junghoon Oh | Free | Combines $LogFile, $UsnJrnl, and $MFT for unified timeline analysis |
| MFTECmd | Eric Zimmerman | Free | Parses $MFT with $LogFile transaction replay support |
| Triforce ANJP | Various | Commercial | Advanced NTFS journal parsing; correlates $LogFile with $MFT and $UsnJrnl |
:: Parse $LogFile with LogFileParser (Joakim Schicht) LogFileParser.exe /LogFileFile:C:\Evidence\LogFile /OutputPath:C:\Analysis\ /OutputFormat:csv :: Combined analysis workflow :: 1. Parse $MFT for current state MFTECmd.exe -f C:\Evidence\$MFT --csv C:\Analysis\ :: 2. Parse $UsnJrnl for change journal MFTECmd.exe -f C:\Evidence\$UsnJrnl:$J --csv C:\Analysis\ :: 3. Parse $LogFile for redo/undo records LogFileParser.exe /LogFileFile:C:\Evidence\$LogFile /OutputPath:C:\Analysis\
The most effective $LogFile analysis combines it with $MFT and $UsnJrnl. Parse $MFT first for the current filesystem state. Then $UsnJrnl for change journal entries. Finally $LogFile for raw redo/undo records. The three overlap in time coverage but provide different detail levels: $MFT = current state, $UsnJrnl = changes with reasons, $LogFile = raw metadata changes with before/after values.
Retention & Persistence
| Property | Typical Value | Notes |
|---|---|---|
| Buffer size | 64 MB (default) | Can range from 2 MB to 256+ MB; set at format time |
| Effective retention | Hours to days | Depends on filesystem activity; quiet systems retain longer |
| Survives reboot | Partially | Log replayed and partially cleared on clean mount |
| Overwrite behavior | Circular (FIFO) | Oldest records overwritten first |
| Clean unmount | Log checkpointed | Reduces recoverable historical data |
Anti-Forensics Resilience
| Technique | Affects $LogFile? | Details |
|---|---|---|
| File deletion | Records the deletion | DeallocateFileRecordSegment records the deletion itself as evidence |
| Timestomping | Records the change | UpdateResidentValue captures both old and new timestamps |
| MFT entry overwrite | Original in $LogFile | InitializeFileRecordSegment from creation may still exist in buffer |
| $LogFile wiping | Possible but detectable | Zeroing requires raw disk access; wiped state is anomalous |
| CCleaner/Eraser | No effect | Standard cleanup tools do not target NTFS metafiles |
An adversary cannot selectively delete specific $LogFile records without destroying the entire log structure. They can either leave it intact (preserving evidence) or zero the entire file (which is suspicious and detectable). This all-or-nothing characteristic makes $LogFile relatively tamper-resistant within its retention window.
MITRE ATT&CK Detection Mapping
| Technique | Name | $LogFile Evidence |
|---|---|---|
T1070.004 T1070.004 | Indicator Removal: File Deletion | DeallocateFileRecordSegment and DeleteIndexEntryAllocation records |
T1070.006 T1070.006 | Indicator Removal: Timestomping | UpdateResidentValue on $SI with mismatched redo/undo timestamps |
T1105 T1105 | Ingress Tool Transfer | InitializeFileRecordSegment for tools staged in Temp or ProgramData |
Related Artifacts & Cross-References
| Artifact | Relationship | Cross-Correlation |
|---|---|---|
| $MFT | Current filesystem metadata; $LogFile records changes to $MFT | $MFT = current state; $LogFile = how it got there |
| $UsnJrnl | Change journal with reason codes; higher-level than $LogFile | $UsnJrnl = human-readable changes; $LogFile = raw redo/undo data |
| $I30 Index | Directory index entries; $LogFile records index modifications | $I30 slack + $LogFile = comprehensive file existence evidence |
| Prefetch | Confirms execution with timestamps and run counts | $LogFile shows file creation; Prefetch proves execution |
| Shimcache | Records executables evaluated by the compatibility engine | Shimcache + $LogFile = file existed and was evaluated |
References
- Joakim Schicht, “LogFileParser” — https://github.com/jschicht/LogFileParser
- Junghoon Oh, “NTFS Log Tracker” — https://sites.google.com/site/aborntechhome/
- Eric Zimmerman, “MFTECmd” — https://ericzimmerman.github.io/
- SANS Institute, “NTFS Forensics: $LogFile and $UsnJrnl Analysis” — https://www.sans.org/blog/
- Brian Carrier, “File System Forensic Analysis” — Addison-Wesley Professional
- Microsoft, “How NTFS Works: Log File Service” — https://learn.microsoft.com
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in NTFS forensics, $LogFile analysis, timestomping detection, and filesystem-level evidence recovery.
mjolnirsecurity.com — 24/7: +1 833 403 5875