Transaction Log

Investigating Windows LogFile

10/06/2022 Friday

The New Technology File System (NTFS) is Windows specific file system. NTFS has been the default file system of Windows since the introduction of Windows NT 3.1. NTFS is a journaling file system that allows the operating system to maintain a transaction record of all changes made to volume such as file creation, deletion, renaming, writing and moving. Windows NTFS stores these transactions in a transaction log called “$LogFile”. In the event of chrash or power failure, the operating system can roll back the changes or continue where it left. Hence, the log file maintains the reliability and recoverability of the file system in the case of critical events.

Digital Forensics Value of Windows LogFile

From the digital forensics perspective, there is a lot of information that can be collected from $LogFile. Analyzing $MFT is a general convention. This part of the disk volume contains metadata about all files and directorties, however deleted files may not have metadata in $MFT. Luckily $LogFile allows an examiner to determine prior states of files. It works like a forensic time machine. Therefore, $LogFile helps investigators to examine the file system events of a specific period of time.

Location of LogFile Artifact

$LogFile artifacts are located at root directory of NTFS file system related partition.

Structure of LogFile Artifact

The $LogFile is located under the [root] of the partition at the image of the physical disk. This file is stored in the MFT entry number 2. The deafult size of the $LogFile is 65535, however, the size can be adjustable. As seen in the figure below, the command “chkdsk /L” enables the user to view the current size of the NTFS disk log file, or even change the size of the $logfile by providing the specified amount after colon.

$LogFile structure consists of restart area and logging area. The restart area contains information about the last operation and record while the logging area contains actual operation records. In addition, the logging area is splitted into two sections, the Buffer Page Area and the Normal Page Area. The last operation record is stored in Buffer Page Area and both areas are written sequentially. If the Normal or Buffer Page Area are full, then, the new logs are written on the oldest one. Hence, for forensic rediness, the size of the $LogFile can be increased.

Analyzing Windows LogFile with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Windows LogFile artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows LogFile artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows LogFile artifact in ArtiFast software.

Windows LogFile Artifact

The artifact contains logged metadata changes to a file system. The details you can view include:

Entry Offset - Log entry offset index.
Record Page - Log page record number.
Current LSN - Current LogFile Sequence Number.
Previous LSN - LogFile Sequence Number of the previous entry at the artifact.
Client Undo LSN - Usually the same as PRevious LSN, in case of recovery, LSN info of a record has Undo OP.
Client Data Length - Record size which starts from "Redo OP" field to the end of record.
Client ID - ID of the client on the system. In a single client system it is zero.
Record Type - It shows the record type information. 0x02 Checkpoint, 0x01 is the rest of Record.
Transaction ID - A part of LFS (log file service) record. Transaction number on the filesystem.
Record Flag - Flags show the overlapping status of the record. Flag:0x00 no overlap, Flag: 0x01 overlap on the next page.
Redo Operation - Redo operation code.
Redo Length - Size of the Redo data.
Undo Operation - Undo operation code.
Undo Length - Size of Undo data.
LCNs To Follow - A flag to show there is a next record to follow. 0x00 no next record. 0x01 a next record to follow.
Record Attribute Offset - If changes apply to MFT record, this will appy Redo/Undo data within attribute, otherwise REdo/Undo data applies within the cluster.
MFT Cluster Index - Where the Redo/Undo data reside if changes occur to MFT data.
MFT Target Number - Based on Redo/Undo operation MFT file reference number.
Target VCN - Virtual Cluster Number of MFT file applied Redo/Undo data
Target LCN - Logical Cluster Number of the disk applied Redo/Undo data
Redo Data - It is the data after the end of operation.
Redo Data String - Cotent of the Redo Data.
Undo Data - It is the data before the start of operation.
Undo Data String - Content of the Undo Data.